DNS Tunneling
A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, a pattern that is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.
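[metadata]
creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
# Minimum ML anomaly score (0-100) a job result must reach before this rule
# alerts. Lowering it surfaces more, noisier, candidates; raising it trades
# recall for precision. Tune per environment rather than globally.
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often
used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity.
For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel
data.
"""
# Large fan-out of child domains is also normal for CDNs and software
# distribution networks; prefer excluding those parent domains over raising
# anomaly_threshold, which would also hide genuine tunneling.
false_positives = [
 """
 DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger
 this alert and such parent domains can be excluded.
 """,
]
# 45m lookback on a 15m schedule: each run covers the current interval plus
# the previous two, so late-arriving ML results are still picked up at the
# cost of re-evaluating already-seen windows.
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
# The referenced ML job must be installed and running or the rule never
# fires. The job name suggests it consumes Packetbeat DNS events -- confirm
# the required data source against the job definition.
machine_learning_job_id = "packetbeat_dns_tunneling"
name = "DNS Tunneling"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
# Low severity / risk 21: a single alert is a triage lead, not a confirmed
# incident. Correlate with other C2 or exfiltration signals before escalating.
risk_score = 21
rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
type = "machine_learning"

# ATT&CK mapping: T1572 Protocol Tunneling under the Command and Control tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"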