Monitor DNS queries, proxy logs, and user-agent strings for anomalous patterns associated with adversary attempts to hide infrastructure. Defenders may observe DNS resolutions to short-lived domains, abnormal WHOIS registration data, or filtering of known defensive/responder IP addresses.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Security | EventCode=5156 |
| Domain Registration (DC0101) | dns:query | Excessive lookups for domains with suspicious WHOIS or short TTL values |

| Field | Description |
|---|---|
| SuspiciousDomains | List of domains registered with privacy-protected or suspicious WHOIS metadata. |
| ResponderIPs | Known incident response or scanning infrastructure IP ranges. |
Detect adversaries filtering traffic or modifying server responses to evade scanning. Monitor iptables, nftables, or proxy configurations that deny or redirect requests from known scanning agents or defensive tools.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of commands modifying iptables/nftables to block selective IPs |
| Response Metadata (DC0106) | NSM:Flow | Altered response metadata or blocked content based on user-agent or geolocation |

| Field | Description |
|---|---|
| BlockedAgents | User-agent strings or scanning tools to monitor for selective filtering. |
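The auditd analytic above in working form, as an added example that is not part of the original page: it parses constructed auditd EXECVE records, picks out iptables/nft commands that DROP or REJECT a source range, and marks the ones whose range overlaps the ResponderIPs list (the audit key name, the sample ranges and the record contents are all assumptions).

```python
import ipaddress
import re

# ResponderIPs mutable element (constructed values): known IR/scanner source ranges to protect.
RESPONDER_IPS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
FIREWALL_BINS = {"iptables", "ip6tables", "iptables-nft", "iptables-legacy", "nft"}
# Constructed auditd records (hypothetical audit key "netfilter"); event 459 is a benign listing.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1717000000.123:456): arch=c000003e syscall=59 success=yes comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="netfilter"
type=EXECVE msg=audit(1717000000.123:456): argc=7 a0="iptables" a1="-I" a2="INPUT" a3="-s" a4="198.51.100.0/24" a5="-j" a6="DROP"
type=EXECVE msg=audit(1717000000.987:457): argc=10 a0="nft" a1="add" a2="rule" a3="inet" a4="filter" a5="input" a6="ip" a7="saddr" a8="203.0.113.7" a9="drop"
type=EXECVE msg=audit(1717000001.000:458): argc=7 a0="/usr/sbin/iptables" a1="-A" a2="INPUT" a3="-s" a4="10.0.0.0/8" a5="-j" a6="DROP"
type=EXECVE msg=audit(1717000001.500:459): argc=4 a0="iptables" a1="-L" a2="-n" a3="-v"
"""
ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')
ID_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def parse_execve(audit_text):
    """Return {audit_event_id: argv} for every EXECVE record in the text."""
    events = {}
    for line in audit_text.splitlines():
        if line.startswith("type=EXECVE"):
            args = {int(i): v for i, v in ARG_RE.findall(line)}
            events[ID_RE.search(line).group(1)] = [args[i] for i in sorted(args)]
    return events

def blocked_sources(argv):
    """Source networks that an iptables/nft command drops or rejects; [] if it is not a block rule."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in FIREWALL_BINS:
        return []
    nets = []
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-s", "--source", "saddr"):  # iptables source flag or nft 'ip saddr'
            try:
                nets.append(ipaddress.ip_network(argv[i + 1], strict=False))
            except ValueError:  # hostname or malformed address, not a CIDR
                pass
    if any(tok.upper() in ("DROP", "REJECT") for tok in argv):
        return nets
    return []

def find_selective_blocks(audit_text):
    """Flag block rules; responder_overlap=True when the blocked range covers responder IPs."""
    alerts = []
    for event_id, argv in parse_execve(audit_text).items():
        for net in blocked_sources(argv):
            alerts.append({"event": event_id, "tool": argv[0], "blocked": str(net),
                           "responder_overlap": any(net.overlaps(r) for r in RESPONDER_IPS)})
    return alerts
```

Rules that block ranges outside ResponderIPs still surface (event 458) so an analyst can triage ordinary hardening separately from selective filtering of responders.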
Monitor unified logs for manipulation of proxy configurations, DNS resolution, or filtering rules. Adversaries may redirect responses or use trusted domains that later resolve to malicious C2 infrastructure.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | System process modifications altering DNS/proxy settings |
| Response Content (DC0104) | NSM:Flow | Suspicious changes in TLS certificate responses or redirected domains |

| Field | Description |
|---|---|
| TrustedHostingProviders | Known hosting/CDN providers often abused to hide malicious C2 infrastructure. |
Inspect network telemetry for adversary attempts to blend malicious traffic with legitimate flows using VPNs, proxies, or geolocation spoofing. Defensive teams may observe anomalous tunnels, encrypted sessions to suspicious domains, or geo-mismatched IP activity.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | Encrypted tunnels or proxy traffic to non-standard destinations |

| Field | Description |
|---|---|
| GeoIPRanges | Regions to monitor for unexpected or mismatched geolocation activity. |
Monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior (e.g., dropped requests from security scanners).

| Data Component | Name | Channel |
|---|---|---|
| Domain Registration (DC0101) | esxi:vmkernel | DNS lookups resolving to domains with rapid changes in registration metadata |
| Network Traffic Content (DC0085) | esxi:vmkernel | Suspicious traffic filtered or redirected by VM networking stack |

| Field | Description |
|---|---|
| MonitoredVMs | Targeted virtual machines where adversaries may attempt to hide C2 traffic. |