Potential DNS Exfiltration via Excessive Chunked Queries

Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags sessions with many distinct chunk indices and sufficiently long encoded payloads.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/07/03"
  3integration = ["endpoint", "windows", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2026/07/03"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels
 11follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to
 12evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags
 13sessions with many distinct chunk indices and sufficiently long encoded payloads.
 14"""
 15from = "now-9m"
 16interval = "5m"
 17language = "esql"
 18license = "Elastic License v2"
 19name = "Potential DNS Exfiltration via Excessive Chunked Queries"
 20note = """## Triage and analysis
 21
 22### Investigating Potential DNS Exfiltration via Excessive Chunked Queries
 23
 24DNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example,
 25`42-<base64-or-hex-payload>.attacker.example`). A large number of distinct chunk indices to the same base domain from
 26one process within a short window strongly suggests staged data transfer rather than normal resolution behavior.
 27
 28### Possible investigation steps
 29
 30- Review **Esql.base_domain**, **Esql.unique_chunks**, and **Esql.max_index** on the alert to gauge exfil volume and
 31  whether chunk indices form a contiguous or near-contiguous sequence.
 32- Identify **process.name** and **process.executable** (from related network events on the same host) and inspect the
 33  process tree for scripting runtimes, LOLBins, or unsigned binaries.
 34- Pivot on **host.id** for other DNS, network, or exfiltration alerts in the past 48 hours.
 35- Inspect sample **dns.question.name** values for the session to confirm encoded payload subdomains and estimate data
 36  volume (**Esql.avg_payload_len** × **Esql.unique_chunks**).
 37- Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside
 38  approved DNS allowlists.
 39
 40### False positive analysis
 41
 42- Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor
 43  behavior before closing.
 44- Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and
 45  organizational ownership.
 46
 47### Response and remediation
 48
 49- If confirmed malicious: isolate the host, block the **Esql.base_domain** at DNS and egress controls, and preserve
 50  DNS/network logs for scoping.
 51- Hunt for the same **Esql.base_domain** and process hash across other hosts and users.
 52- Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.
 53"""
 54
 55setup = """## Setup
 56
 57This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 58
 59Setup instructions: https://ela.st/install-elastic-defend
 60
 61### Additional data sources
 62
 63This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 64
 65- [CrowdStrike](https://ela.st/crowdstrike-integration)
 66- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)
 67"""
 68
 69references = [
 70    "https://attack.mitre.org/techniques/T1048/003/",
 71    "https://attack.mitre.org/techniques/T1572/",
 72    "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
 73]
 74risk_score = 47
 75rule_id = "882a39ad-a404-45e3-b5d4-bc11d2b09818"
 76severity = "medium"
 77tags = [
 78    "Domain: Endpoint",
 79    "OS: Windows",
 80    "Use Case: Threat Detection",
 81    "Tactic: Exfiltration",
 82    "Resources: Investigation Guide",
 83    "Data Source: Elastic Defend",
 84    "Data Source: Crowdstrike",
 85    "Data Source: Sysmon",
 86]
 87timestamp_override = "event.ingested"
 88type = "esql"
 89
 90query = '''
 91FROM logs-crowdstrike.fdr*, logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
 92| WHERE host.os.type == "windows"
 93    AND event.category == "network"
 94    AND event.action IN ("lookup_requested", "DNSEvent (DNS query)", "DnsRequest")
 95    AND process.name != "svchost.exe"
 96    AND dns.question.name RLIKE """[0-9]{1,5}-[A-Za-z0-9+/=]{15,63}\..+"""
 97| GROK dns.question.name "%{INT:chunk_index}-%{DATA:chunk_payload}\\.%{GREEDYDATA:Esql.base_domain}"
 98| WHERE chunk_index IS NOT NULL
 99| EVAL payload_len = LENGTH(chunk_payload)
100| STATS
101    Esql.occurrences = COUNT(*),
102    Esql.unique_chunks = COUNT_DISTINCT(chunk_index),
103    Esql.max_index = MAX(TO_INTEGER(chunk_index)),
104    Esql.avg_payload_len = AVG(payload_len)
105  BY process.name, Esql.base_domain, user.id, user.name, host.id, host.name, data_stream.namespace, DATE_TRUNC(5 minutes, @timestamp)
106| WHERE Esql.occurrences >= 30
107    AND Esql.unique_chunks >= 30
108    AND Esql.avg_payload_len >= 20
109| SORT Esql.unique_chunks DESC
110| LIMIT 20
111| KEEP host.id, host.name, process.name, user.id, user.name, data_stream.namespace, Esql.*
112'''
113
114[rule.investigation_fields]
115field_names = [
116    "@timestamp",
117    "host.id",
118    "host.name",
119    "user.id",
120    "user.name",
121    "process.name",
122    "dns.question.name",
123]
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127
128[[rule.threat.technique]]
129id = "T1048"
130name = "Exfiltration Over Alternative Protocol"
131reference = "https://attack.mitre.org/techniques/T1048/"
132
133[[rule.threat.technique.subtechnique]]
134id = "T1048.003"
135name = "Exfiltration Over Unencrypted Non-C2 Protocol"
136reference = "https://attack.mitre.org/techniques/T1048/003/"
137
138[rule.threat.tactic]
139id = "TA0010"
140name = "Exfiltration"
141reference = "https://attack.mitre.org/tactics/TA0010/"
142
143[[rule.threat]]
144framework = "MITRE ATT&CK"
145
146[[rule.threat.technique]]
147id = "T1572"
148name = "Protocol Tunneling"
149reference = "https://attack.mitre.org/techniques/T1572/"
150
151[rule.threat.tactic]
152id = "TA0011"
153name = "Command and Control"
154reference = "https://attack.mitre.org/tactics/TA0011/"

Triage and analysis

Investigating Potential DNS Exfiltration via Excessive Chunked Queries

DNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example, 42-<base64-or-hex-payload>.attacker.example). A large number of distinct chunk indices to the same base domain from one process within a short window strongly suggests staged data transfer rather than normal resolution behavior.

Possible investigation steps

  • Review Esql.base_domain, Esql.unique_chunks, and Esql.max_index on the alert to gauge exfil volume and whether chunk indices form a contiguous or near-contiguous sequence.
  • Identify process.name and process.executable (from related network events on the same host) and inspect the process tree for scripting runtimes, LOLBins, or unsigned binaries.
  • Pivot on host.id for other DNS, network, or exfiltration alerts in the past 48 hours.
  • Inspect sample dns.question.name values for the session to confirm encoded payload subdomains and estimate data volume (Esql.avg_payload_len × Esql.unique_chunks).
  • Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside approved DNS allowlists.

False positive analysis

  • Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor behavior before closing.
  • Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and organizational ownership.

Response and remediation

  • If confirmed malicious: isolate the host, block the Esql.base_domain at DNS and egress controls, and preserve DNS/network logs for scoping.
  • Hunt for the same Esql.base_domain and process hash across other hosts and users.
  • Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.

References

Related rules

to-top