Multiple requests to a rare domain

ID: rare_domain_volume
Data type: DNS, HTTP
Severity: Medium
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected network traffic to a rare domain. This behavior may indicate communication with a command and control (C2) server or potential data exfiltration.

Impact

Communication with a rare domain may indicate various malicious activities, including malware infections, data exfiltration, and ongoing C2 communication.

Severity

Severity   Condition
Medium     Traffic to a rare domain
Medium     Beaconing to a rare domain
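As an added illustration of the two conditions above (example code, not AlphaSOC's own detection logic), the following Python treats a domain as rare when few distinct hosts in the environment have queried it, then labels repeated requests from one host as beaconing when the intervals between them are nearly uniform. The log format, thresholds, and every hostname and IP here are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log: "epoch_seconds src_ip qname" (not real traffic).
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.6 www.example.com
1700000002 10.0.0.7 www.example.com
1700000003 10.0.0.8 www.example.com
1700000005 10.0.0.9 updates.example.org
1700000010 10.0.0.5 cdn.example.net
1700000010 10.0.0.5 qz7k.rare-host.example
1700000070 10.0.0.5 qz7k.rare-host.example
1700000130 10.0.0.5 qz7k.rare-host.example
1700000190 10.0.0.5 qz7k.rare-host.example
1700000250 10.0.0.5 qz7k.rare-host.example
1700000300 10.0.0.6 niche-blog.example
1700001100 10.0.0.6 niche-blog.example
1700001500 10.0.0.6 niche-blog.example
1700002000 10.0.0.6 niche-blog.example
"""

def parse_dns_log(text):
    """Parse the constructed 'ts src qname' lines into (ts, src, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, qname = line.split()
            records.append((int(ts), src, qname.lower().rstrip(".")))
    return records

def rare_domains(records, max_sources=1):
    """A domain is rare when at most max_sources distinct hosts have queried it."""
    sources = defaultdict(set)
    for _, src, qname in records:
        sources[qname].add(src)
    return {q for q, hosts in sources.items() if len(hosts) <= max_sources}

def is_beaconing(timestamps, max_cv=0.1, min_gaps=3):
    """Near-constant gaps (low coefficient of variation) suggest a beacon timer."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return False
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def detect_rare_domain_volume(records, min_requests=3):
    """Flag (host, rare domain) pairs with repeated requests; classify as beaconing or plain traffic."""
    rare, per_pair = rare_domains(records), defaultdict(list)
    for ts, src, qname in records:
        if qname in rare:
            per_pair[(src, qname)].append(ts)
    alerts = []
    for (src, qname), stamps in sorted(per_pair.items()):
        if len(stamps) >= min_requests:  # single lookups of a rare name are ignored
            label = "Beaconing to a rare domain" if is_beaconing(stamps) else "Traffic to a rare domain"
            alerts.append({"src": src, "domain": qname, "requests": len(stamps), "condition": label})
    return alerts
```

Widely used names such as www.example.com never become rare because many hosts query them, which is what keeps the two false-positive cases below confined to genuinely niche destinations.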

Investigation and Remediation

Investigate the affected systems. If malicious activity is confirmed, isolate affected systems, terminate unauthorized connections, and perform a thorough forensic analysis. To prevent future occurrences, update DNS monitoring and filtering mechanisms to detect and block traffic to known malicious domains.

Known False Positives

  • New software or services not yet widely adopted within the organization
  • Users accessing niche websites