Possible DNS Tunneling

level
status test

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

Known false-positives

  • Valid software, which uses dns for transferring data

References

Raw rule (edit)

title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: test
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
author: Patrick Bareiss
references:
  - https://zeltser.com/c2-dns-tunneling/
  - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
date: 2019/04/07
modified: 2021/11/27
logsource:
  category: dns
detection:
  selection:
    parent_domain: '*'
  condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
  - Valid software, which uses dns for transferring data
level: high
tags:
  - attack.command_and_control
  - attack.t1071.004
  - attack.exfiltration
  - attack.t1048.003