• An internal host is looking up suspicious external domains
  • Suspicious activity may involve looking up machine-generated domain names or nonexistent domain names in rapid succession

Possible Root Causes

  • An infected host which is part of a botnet is using a domain generation algorithm (DGA) to locate its command & control servers
  • An infected host or adware installed by the user is accessing newly generated domains to present ad impressions to the user
  • An internal user visits newly registered domains with unusual names (e.g., letter sequences not normally found in domains)

Business Impact

  • An infected host can attack other organizations (e.g. spam, DoS, ad clicks) thus causing harm to your organization’s reputation, potentially causing your IP addresses to be black listed and impacting the performance of business-critical applications
  • The host can also be instructed to spread further into your network and ultimately exfiltrate data from it
  • Software which infected the host can create nuisances and affect user productivity

Steps to Verify

  1. Do not go directly to the listed domain as it is likely to be malicious
  2. Look up the domain and IP address to which the communication is being sent via reputation services to see if this is known malware; such lookups are supported directly from the UI
  3. Inquire whether the user of the host would likely have gone to the listed domain
  4. Check to see if the host is also exhibiting other detected behaviors to understand the intent of the malware