High TXT Records Requests Rate

Level: medium
Status: test

Extremely high rate of TXT record type DNS requests from a single host within a short period of time. This is a possible result of DNS-exfiltration tool execution.

Known false-positives

  • Legitimate high DNS TXT request rate to a domain name, which should then be added to the whitelist

Raw rule

title: High TXT Records Requests Rate
id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
status: test
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of DNS-exfiltration tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2021/11/27
logsource:
  category: dns
detection:
  selection:
    record_type: 'TXT'
  timeframe: 1m
  condition: selection | count() by src_ip > 50
falsepositives:
  - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
level: medium
tags:
  - attack.exfiltration
  - attack.t1048.003
  - attack.command_and_control
  - attack.t1071.004
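The rule's detection logic (TXT queries grouped by src_ip, counted over a 1-minute timeframe, alerting when the count exceeds 50) is easy to get subtly wrong in a backend: the window must slide rather than align to wall-clock minutes, the comparison is strictly greater than, and the documented false positive needs a domain allowlist applied before counting. The following Python implementation is an added example written for this page, not code from the Sigma project. The log line format ("<ISO 8601 timestamp> <src_ip> <record_type> <query>"), the helper names and the sample traffic are all constructed assumptions; real DNS logs will need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List


def make_sample_log() -> List[str]:
    """Build a constructed DNS log (not real traffic) that exercises the rule."""
    base = datetime(2019, 10, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 60 TXT queries in 30 s from 10.0.0.5 to distinct subdomains: exfil-like burst
    for i in range(60):
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 TXT chunk{i:03d}.exfil.example")
    # 55 TXT queries in one minute from 10.0.0.7 to a legitimate mail domain
    for i in range(55):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 TXT _dmarc.mail.example.org")
    # 20 TXT queries spread over ~5 minutes from 10.0.0.9: below threshold per minute
    for i in range(20):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 TXT _dmarc.example.net")
    # 80 A queries from 10.0.0.5: the rule only selects record_type TXT, so ignored
    for i in range(80):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 A www.example.com")
    return lines


def parse_line(line: str) -> dict:
    """Parse one constructed-format log line into an event dict."""
    ts, src_ip, record_type, query = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src_ip": src_ip,
        "record_type": record_type.upper(),
        "query": query.rstrip(".").lower(),
    }


def is_allowlisted(query: str, allowlist: FrozenSet[str]) -> bool:
    """True if the query name is an allowlisted domain or one of its subdomains."""
    return any(query == d or query.endswith("." + d) for d in allowlist)


def max_events_in_window(timestamps: Iterable[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any half-open window [t, t + window)."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        # Advance the left edge until the window starting at ts[left] still contains t
        while t - ts[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def high_txt_rate(
    lines: Iterable[str],
    threshold: int = 50,
    window: timedelta = timedelta(minutes=1),
    allowlist: FrozenSet[str] = frozenset(),
) -> Dict[str, int]:
    """Sigma semantics: selection (record_type TXT) | count() by src_ip > threshold
    within `window`. Returns {src_ip: peak 1-minute count} for alerting hosts."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["record_type"] != "TXT":
            continue
        if is_allowlisted(ev["query"], allowlist):
            continue  # documented false positive: legitimate TXT bursts to known domains
        per_src[ev["src_ip"]].append(ev["ts"])
    alerts = {}
    for src_ip, stamps in per_src.items():
        peak = max_events_in_window(stamps, window)
        if peak > threshold:  # strictly greater, as in the rule condition
            alerts[src_ip] = peak
    return alerts


if __name__ == "__main__":
    log = make_sample_log()
    print("no allowlist:  ", high_txt_rate(log))
    print("with allowlist:", high_txt_rate(log, allowlist=frozenset({"mail.example.org"})))
```

Run as-is, the first line fires on both 10.0.0.5 and 10.0.0.7; once mail.example.org is allowlisted only the exfil-like burst from 10.0.0.5 remains, which is the tuning step the false-positive note describes. The sliding window matters: a fixed wall-clock minute would miss a 55-query burst that straddles two minute boundaries.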
