Malicious DNS Query Actions test internal DNS capabilities, specifically the addition of known bad domains to your blocked list. Network and Endpoint Actors query DNS servers and compare the response (NXDomain, redirect, etc.) to pre-established rules to validate defenses. These rules are configured in the DNS Settings. See the Admin Guide for additional information.
When you run these Actions, you choose one Actor and the traffic tests the DNS Controls. Examples of when you would create this type of Action include when you receive the TTP associated with an IOC or you have an unverified IOC, such as a clickjacking domain or malicious advertising, from threat intel.
IMPORTANT: Before running Malicious DNS Actions, the DNS server you want to test must be added to the Director and assigned to the Actor or Actors.
NOTE: When running DNS Query Actions, you can expand Runtime parameters and set a temporary DNS Server.
To Create a Malicious DNS Query Action
- Select Library > Actions.
- Click Add Action and select Malicious DNS Query.
- Select the Query type.
- Enter the Domain.
- Select the DNS Server.
NOTE: Default will query the server defined in the Actor's local configuration.
- Enter the Name.
- Enter the Description.
- Select the Stage of Attack. This is generally set to Command and Control.
- (Optional) Assign User Tags.
Click Save DNS Query.
The Action Library displays. A confirmation message that your Action was created successfully is shown and the Action is selected and displayed in the Action preview.
Create Malicious DNS Query Action form
