dns_query_returned_loopback
Explanation
The dns_query_returned_loopback NDM will fire when an external DNS query returns the loopback IP address (127.0.0.1). External DNS names should not resolve to internal resources. Names that resolve this way could be parked malware command and control addresses or part of an exploit targeting a local system service.
What to Look For
Examine the associated DNS transactions and the names that were looked up. Is there a legitimate reason for that name to refer to a loopback IP address? If not, examine the source host for indicators of compromise.
Related MITRE ATT&CK Categories
Updated 4 days ago