Uncommon DNS Request via Bun or Node.js

Last updated a day ago on 2026-05-21

Created a day ago on 2026-05-21

About

This rule detects uncommon DNS requests via Bun or Node.js. Adversaries may leverage these tools via a supply chain attack of a compromised developer's package to execute malicious code and steal/exfiltrate data.

Tags

Domain: EndpointOS: LinuxOS: macOSOS: WindowsUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Web Service (T1102)(external, opens in a new tab or window)

↳ Application Layer Protocol (T1071)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.network-*
Related Integrations: endpoint(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.category:network and host.os.type:(linux or macos or windows) and event.action:lookup_requested and
process.name:(bun or bun.exe or node or node.exe or nodejs) and dns.question.name:(* and not localhost)

Install detection rules in Elastic Security

Detect Uncommon DNS Request via Bun or Node.js in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).