DNS Tunneling

A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.

Elastic rule

```toml
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often
used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity.
For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel
data.
"""
false_positives = [
    """
    DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger
    this alert and such parent domains can be excluded.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_dns_tunneling"
name = "DNS Tunneling"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
severity = "low"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Command and Control",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
```
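The behaviour this rule looks for, as an added example that is not the Elastic rule's own code or its ML job: a plain count of distinct names queried under each parent domain over constructed DNS log lines, with the parent-domain exclusion the false_positives note describes. The log format, the `threshold` count and the two-label parent-domain split are assumptions for the sample.

```python
# Added example (not the Elastic rule's own code or its ML job): a plain
# count-based approximation of the behaviour the packetbeat_dns_tunneling
# job models, run over constructed DNS query log lines.
from collections import defaultdict

# Constructed sample lines: "<timestamp> <source host> <queried name>".
# The many distinct labels under example-tunnel.test mimic a tool such as
# dnscat; cdn-example.test stands in for the content-distribution parent
# domain that the rule's false_positives note says can be excluded.
SAMPLE_LOG = """\
2024-05-21T10:00:01Z host-a 3a9f1c.t.example-tunnel.test
2024-05-21T10:00:01Z host-a 7b02de.t.example-tunnel.test
2024-05-21T10:00:02Z host-a c41e77.t.example-tunnel.test
2024-05-21T10:00:02Z host-a 0d5aa8.t.example-tunnel.test
2024-05-21T10:00:03Z host-b www.example.test
2024-05-21T10:00:03Z host-b mail.example.test
2024-05-21T10:00:04Z host-c img1.cdn-example.test
2024-05-21T10:00:04Z host-c img2.cdn-example.test
2024-05-21T10:00:05Z host-c img3.cdn-example.test
2024-05-21T10:00:05Z host-c img4.cdn-example.test
"""

def parent_domain(name, depth=2):
    """Return the last `depth` labels of a name (assumed simplification:
    a real job would consult a public-suffix list for the registered domain)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])

def distinct_names_per_parent(log_text):
    """Map each parent domain to the set of distinct names queried under it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, _source, qname = line.split()
        seen[parent_domain(qname)].add(qname.lower())
    return seen

def find_tunneling_candidates(log_text, threshold=3, excluded_parents=()):
    """Return parent domains with more than `threshold` distinct child names,
    skipping those in `excluded_parents`. `threshold` is an assumed count for
    this sample; the rule's anomaly_threshold is an ML score, not a count."""
    excluded = {d.lower() for d in excluded_parents}
    per_parent = distinct_names_per_parent(log_text)
    return sorted(parent for parent, names in per_parent.items()
                  if parent not in excluded and len(names) > threshold)

if __name__ == "__main__":
    print(find_tunneling_candidates(SAMPLE_LOG))
    print(find_tunneling_candidates(SAMPLE_LOG, excluded_parents=["cdn-example.test"]))
```

Without the exclusion both the tunnel-like domain and the CDN-like domain are reported; excluding the CDN parent leaves only the tunnel-like one, which is the tuning step the false_positives note points at.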
