Richard Vincent
SOC Investigation

Suspicious DNS Activity Investigation

Public-facing SOC case study documenting Windows DNS Client Operational log analysis, suspicious domain query review, IOC documentation, MITRE ATT&CK mapping, analyst notes, and follow-up recommendations.

Project Overview

This case study documents the review of Windows DNS Client Operational logs to identify suspicious domain resolution activity. The investigation focused on endpoint DNS evidence, IOC documentation, MITRE ATT&CK mapping, and recommended SOC follow-up actions.

Objective

The objective was to review DNS-related Windows Event Logs, identify suspicious domain activity, document observed indicators, and determine whether additional containment or monitoring actions were required.

Investigation Timeline

09:10  Windows DNS Client Operational log opened in Event Viewer.
09:14  Event ID 3010 entries reviewed for DNS query activity.
09:18  Suspicious query to badsite.ru identified.
09:23  Host, user SID, query type, and DNS server details documented.
09:30  MITRE mapping and follow-up recommendations documented.

Indicators Observed

Event ID: 3010
Host: PC10.ad.structureality.com
Query: badsite.ru
Query Type: A record
User SID: S-1-5-20
DNS Server: fdf0:2413:6d1c:20::1

Analysis

The DNS Client Operational log recorded an A-record query for badsite.ru from host PC10.ad.structureality.com. Two details in the event need care when reading it. First, Event ID 3010 records that a query was issued; it does not record whether the name resolved or what address came back, so it does not by itself show that the host went on to connect anywhere. Second, the SID S-1-5-20 is the well-known NT AUTHORITY\NETWORK SERVICE account, which is the account the DNS Client (Dnscache) service runs under, so the SID identifies the resolver service rather than the user or process that asked for the name. The DNS server fdf0:2413:6d1c:20::1 is an IPv6 unique local address (fd00::/8), meaning the query went to an internal resolver whose own logs can be checked for the same name. DNS activity alone does not confirm endpoint compromise, but suspicious domain resolution is a useful triage indicator because it can be associated with phishing interaction, malware callback activity, command-and-control infrastructure, or unauthorized browsing behavior.

Analyst Notes

Windows DNS Client Operational logs provide endpoint-level visibility into domain resolution activity, but the Microsoft-Windows-DNS-Client/Operational log is disabled by default and must be enabled (for example with wevtutil) before it records anything, so absence of events on a host is not evidence of absence of queries. Because the 3010 event does not name the requesting process, a suspicious query should be correlated with Sysmon Event ID 22 (DNS query, which records the process image) where Sysmon is deployed, with browser history, proxy logs, and endpoint alerts on the host, and with DNS Client and resolver logs across the environment before determining whether the host is compromised.

MITRE ATT&CK Mapping

  • T1071.004 - Application Layer Protocol: DNS: adversaries may use DNS for command-and-control traffic, malware callbacks, or infrastructure communication.
  • T1568 - Dynamic Resolution: malicious infrastructure may rely on DNS resolution to direct hosts toward attacker-controlled systems.

Final Verdict

Suspicious DNS Activity Identified

Windows DNS Client logs recorded a query for a suspicious domain. The event did not confirm compromise by itself, but it warranted additional monitoring, domain reputation review, and investigation into related endpoint activity.

Recommendations

  • Review the domain reputation using VirusTotal or another threat intelligence source; look the domain up rather than uploading internal artifacts, and record the verdict and its date in the case notes.
  • Search for additional DNS requests to the same domain and its subdomains across the environment, in endpoint DNS Client logs, internal resolver logs, and proxy logs, to establish whether PC10 is the only affected host.
  • Review browser history, proxy logs, Sysmon DNS events, or endpoint security alerts associated with the host to identify the process and user behind the query.
  • Block the domain at the resolver or DNS firewall if confirmed malicious, and consider sinkholing it so that any further queries surface other affected hosts.
  • Preserve the relevant DNS and endpoint logs, including the event record IDs cited above, for follow-up investigation.
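The log review described in the Analyst Notes and the cross-environment search in the Recommendations, combined as one added PowerShell example. This is not code from the original case study and not the author's workflow. It assumes the log name Microsoft-Windows-DNS-Client/Operational and that the 3010 event's EventData carries fields named QueryName and QueryType (confirm both against the XML view of a real event in Event Viewer); the watchlist entry badsite.ru comes from the case, the parameter names and the Test-Watchlisted helper are this example's own.

```powershell
# Added example: pull Event ID 3010 entries from the Windows DNS Client Operational log on
# one or more hosts and flag queries that match a watchlist of suspicious domains.
# Assumptions (check against your own events): log name below, and 3010 EventData fields
# named 'QueryName' and 'QueryType'. Parameter names and the helper are hypothetical.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Watchlist    = @('badsite.ru'),      # from the case study
    [datetime]$StartTime    = (Get-Date).AddDays(-1)
)

# The DNS Client Operational log is disabled by default. Enable it on a host with:
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
$logName = 'Microsoft-Windows-DNS-Client/Operational'

function Test-Watchlisted {
    param([string]$Name, [string[]]$Watchlist)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($w in $Watchlist) {
        $w = $w.TrimEnd('.').ToLowerInvariant()
        # Match the domain and any subdomain (cdn.badsite.ru), not substrings (notbadsite.ru)
        if ($n -eq $w -or $n.EndsWith(".$w")) { return $true }
    }
    return $false
}

$hits = foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName   = $logName
            Id        = 3010
            StartTime = $StartTime
        }
    } catch {
        # A host with the log disabled, or no matching events, lands here; note it rather than skip silently
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read EventData by field name from the XML instead of relying on Properties[] order
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if (Test-Watchlisted -Name $data['QueryName'] -Watchlist $Watchlist) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Host        = $e.MachineName
                QueryName   = $data['QueryName']
                QueryType   = $data['QueryType']   # DNS type code: 1 = A, 28 = AAAA
                UserSid     = $e.UserId            # S-1-5-20 = NETWORK SERVICE, the DNS Client service, not the requesting user
                RecordId    = $e.RecordId          # cite this in the case notes when preserving evidence
            }
        }
    }
}

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it from a host with remote event log access (for example, `.\Find-DnsWatchlistHits.ps1 -ComputerName PC10,PC11 -Watchlist badsite.ru`). The subdomain-aware match in Test-Watchlisted matters because attacker infrastructure is often a host under the flagged domain rather than the apex name, while a plain substring match would also catch unrelated names that merely end in the same letters. Because 3010 does not identify the requesting process, each hit still needs to be joined with Sysmon Event ID 22 or proxy logs on that host before it is treated as more than a lead.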

Lessons Learned

  • DNS Client logs can provide valuable endpoint-level visibility into suspicious domain resolution.
  • Suspicious DNS activity should be correlated with additional endpoint and network evidence.
  • DNS indicators can support early triage even when compromise is not yet confirmed.
  • MITRE mapping helps communicate why DNS activity matters in a SOC investigation.

Investigation Evidence

Selected screenshots from the investigation workflow. These visuals support the written analysis and help show the investigation process.

DNS Client Operational log showing Event ID 3010

DNS Client Operational log showing Event ID 3010 entries tied to suspicious DNS query activity.

Event ID 3010 details showing badsite.ru query

Event ID 3010 details confirming a DNS query for badsite.ru, supporting suspicious domain resolution activity.