Malicious DNS Callback
Suspicious DNS request to a known-bad domain from an endpoint running an unsigned binary.
What Happened
During routine EDR telemetry review, a DNS request was flagged to a suspicious
domain (sciecdn.cfd) from an endpoint process. The request originated
from a process that had been spawned by an unsigned binary, which itself was
dropped into a user-writable directory.
The DNS request type and domain pattern were consistent with C2 callback behavior. The process was traced back through the full execution chain to identify the initial entry vector.
Evidence
Key Indicators
- Domain: sciecdn.cfd - newly registered, no legitimate history
- DNS Type: 28 (AAAA record lookup)
- Process: Unsigned binary running from user temp directory
- Behavior: Periodic DNS callbacks consistent with beaconing
Response
Endpoint was isolated. The malicious binary was quarantined and the parent process chain was killed. DNS sinkholing was applied for the domain across the environment. IOCs were extracted and shared with the team for broader hunting.
Lessons Learned
- DNS telemetry is high-value for catching C2 that bypasses traditional network controls
- Newly registered domains with unusual TLDs (.cfd, .xyz, .top) are worth flagging
- Correlating DNS requests with process lineage speeds up triage significantly
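The correlation described in these lessons, as an added example that is not part of the original write-up: constructed EDR-style DNS events and a constructed process table (sample values, not data from the incident) are joined on PID, and a query stream is flagged only when it stacks two or more indicators (suspicious TLD, unsigned image, user-writable image path, periodic inter-arrival gaps). The field names and jitter threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

SUSPICIOUS_TLDS = {"cfd", "xyz", "top"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "/tmp/")
# Constructed sample telemetry, not data from the incident: (time_s, pid, domain, dns_type)
DNS_EVENTS = [
    (0, 4120, "sciecdn.cfd", 28), (60, 4120, "sciecdn.cfd", 28), (121, 4120, "sciecdn.cfd", 28),
    (180, 4120, "sciecdn.cfd", 28), (240, 4120, "sciecdn.cfd", 28),
    (5, 1302, "update.vendor-example.com", 1), (900, 1302, "update.vendor-example.com", 1),
    (7, 2210, "cdn.example.top", 1),
]
# Constructed process table (assumed schema): pid -> image path and code-signing status
PROCESSES = {
    4120: {"image": r"C:\Users\alice\AppData\Local\Temp\svc_helper.exe", "signed": False},
    1302: {"image": r"C:\Program Files\Vendor\updater.exe", "signed": True},
    2210: {"image": r"C:\Program Files\Browser\browser.exe", "signed": True},
}

def is_user_writable(image_path):
    """True when the image lives in a directory a normal user can write to."""
    return any(seg in image_path.lower() for seg in USER_WRITABLE)

def is_periodic(timestamps, min_queries=4, max_jitter=0.25):
    """Beacon heuristic: enough queries and inter-arrival gaps with low relative spread."""
    ts = sorted(timestamps)
    if len(ts) < min_queries:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter

def hunt(dns_events, processes):
    """Return {(pid, domain): reasons} for query streams that stack two or more indicators."""
    streams = defaultdict(list)
    for ts, pid, domain, _qtype in dns_events:
        streams[(pid, domain)].append(ts)
    findings = {}
    for (pid, domain), stamps in streams.items():
        proc = processes.get(pid, {})
        checks = [
            (domain.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS, "suspicious TLD"),
            (not proc.get("signed", True), "unsigned binary"),
            (is_user_writable(proc.get("image", "")), "image in user-writable directory"),
            (is_periodic(stamps), "periodic queries (beacon-like)"),
        ]
        reasons = [label for hit, label in checks if hit]
        if len(reasons) >= 2:  # one weak signal (e.g. TLD alone) is not enough on its own
            findings[(pid, domain)] = reasons
    return findings
```

In the sample data only the unsigned temp-directory process beaconing to the .cfd domain is flagged; the signed browser's single lookup of a .top domain scores one indicator and stays out of the findings.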