dns_query_returned_loopback

Explanation

The dns_query_returned_loopback NDM will fire when an external DNS query returns the loopback IP address (127.0.0.1). External DNS names should not resolve to internal resources. Names that resolve this way could be parked malware command and control addresses or part of an exploit targeting a local system service.

What to Look For

Examine the associated DNS transactions and the names that were looked up. Is there a legitimate reason for that name to refer to a loopback IP address? If not, examine the source host for indicators of compromise.
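The triage step above can be sketched as follows. This is an added example, not the product's detection code: the record fields (src, query, answers), the internal-suffix list and the sample transactions are all constructed assumptions. It goes slightly beyond the text by treating any address in the loopback range (127.0.0.0/8 and ::1) as a hit, not only 127.0.0.1.

```python
import ipaddress
from collections import defaultdict

# Constructed sample DNS transactions (hypothetical field names, not a product schema).
SAMPLE_DNS = [
    {"src": "10.0.5.21", "query": "updates.example.net", "answers": ["93.184.216.34"]},
    {"src": "10.0.5.21", "query": "cdn-sync.example.org", "answers": ["127.0.0.1"]},
    {"src": "10.0.5.21", "query": "cdn-sync.example.org.", "answers": ["127.0.0.1"]},
    {"src": "10.0.7.9", "query": "localhost", "answers": ["127.0.0.1"]},
    {"src": "10.0.7.9", "query": "dev.corp.internal", "answers": ["127.0.0.1"]},
    {"src": "10.0.8.3", "query": "alias.example.com",
     "answers": ["target.example.com", "127.0.0.1"]},  # CNAME followed by an A record
]

# Assumption: names ending in these labels are internal and may legitimately
# point at loopback; replace with the zones your environment actually uses.
INTERNAL_SUFFIXES = ("localhost", "internal", "local")


def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_loopback_answer(answer):
    """True if the answer is an IP address in the loopback range."""
    try:
        return ipaddress.ip_address(answer).is_loopback
    except ValueError:
        return False  # CNAME target or other non-address answer


def is_external_name(query):
    """True unless the name falls under a suffix treated as internal."""
    name = normalize(query)
    return not any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def loopback_hits(records):
    """Return {(source host, name): count} for external names answered with loopback."""
    hits = defaultdict(int)
    for rec in records:
        if is_external_name(rec["query"]) and any(map(is_loopback_answer, rec["answers"])):
            hits[(rec["src"], normalize(rec["query"]))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, name), count in sorted(loopback_hits(SAMPLE_DNS).items()):
        print(f"{src} looked up {name}: {count} loopback answer(s)")
```

Grouping by source host and name shows which hosts to examine first and whether a lookup is a one-off or recurring.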

Related MITRE ATT&CK Categories

Command and Control TA0011