Potential DNS Exfiltration via Excessive Chunked Queries
Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags sessions with many distinct chunk indices and sufficiently long encoded payloads.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/03"
3integration = ["endpoint", "windows", "crowdstrike"]
4maturity = "production"
5updated_date = "2026/07/03"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels
11follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to
12evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags
13sessions with many distinct chunk indices and sufficiently long encoded payloads.
14"""
15from = "now-9m"
16interval = "5m"
17language = "esql"
18license = "Elastic License v2"
19name = "Potential DNS Exfiltration via Excessive Chunked Queries"
20note = """## Triage and analysis
21
22### Investigating Potential DNS Exfiltration via Excessive Chunked Queries
23
24DNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example,
25`42-<base64-or-hex-payload>.attacker.example`). A large number of distinct chunk indices to the same base domain from
26one process within a short window strongly suggests staged data transfer rather than normal resolution behavior.
27
28### Possible investigation steps
29
30- Review **Esql.base_domain**, **Esql.unique_chunks**, and **Esql.max_index** on the alert to gauge exfil volume and
31 whether chunk indices form a contiguous or near-contiguous sequence.
32- Identify **process.name** and **process.executable** (from related network events on the same host) and inspect the
33 process tree for scripting runtimes, LOLBins, or unsigned binaries.
34- Pivot on **host.id** for other DNS, network, or exfiltration alerts in the past 48 hours.
35- Inspect sample **dns.question.name** values for the session to confirm encoded payload subdomains and estimate data
36 volume (**Esql.avg_payload_len** × **Esql.unique_chunks**).
37- Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside
38 approved DNS allowlists.
39
40### False positive analysis
41
42- Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor
43 behavior before closing.
44- Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and
45 organizational ownership.
46
47### Response and remediation
48
49- If confirmed malicious: isolate the host, block the **Esql.base_domain** at DNS and egress controls, and preserve
50 DNS/network logs for scoping.
51- Hunt for the same **Esql.base_domain** and process hash across other hosts and users.
52- Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.
53"""
54
55setup = """## Setup
56
57This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
58
59Setup instructions: https://ela.st/install-elastic-defend
60
61### Additional data sources
62
63This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
64
65- [CrowdStrike](https://ela.st/crowdstrike-integration)
66- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)
67"""
68
69references = [
70 "https://attack.mitre.org/techniques/T1048/003/",
71 "https://attack.mitre.org/techniques/T1572/",
72 "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
73]
74risk_score = 47
75rule_id = "882a39ad-a404-45e3-b5d4-bc11d2b09818"
76severity = "medium"
77tags = [
78 "Domain: Endpoint",
79 "OS: Windows",
80 "Use Case: Threat Detection",
81 "Tactic: Exfiltration",
82 "Resources: Investigation Guide",
83 "Data Source: Elastic Defend",
84 "Data Source: Crowdstrike",
85 "Data Source: Sysmon",
86]
87timestamp_override = "event.ingested"
88type = "esql"
89
90query = '''
91FROM logs-crowdstrike.fdr*, logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
92| WHERE host.os.type == "windows"
93 AND event.category == "network"
94 AND event.action IN ("lookup_requested", "DNSEvent (DNS query)", "DnsRequest")
95 AND process.name != "svchost.exe"
96 AND dns.question.name RLIKE """[0-9]{1,5}-[A-Za-z0-9+/=]{15,63}\..+"""
97| GROK dns.question.name "%{INT:chunk_index}-%{DATA:chunk_payload}\\.%{GREEDYDATA:Esql.base_domain}"
98| WHERE chunk_index IS NOT NULL
99| EVAL payload_len = LENGTH(chunk_payload)
100| STATS
101 Esql.occurrences = COUNT(*),
102 Esql.unique_chunks = COUNT_DISTINCT(chunk_index),
103 Esql.max_index = MAX(TO_INTEGER(chunk_index)),
104 Esql.avg_payload_len = AVG(payload_len)
105 BY process.name, Esql.base_domain, user.id, user.name, host.id, host.name, data_stream.namespace, DATE_TRUNC(5 minutes, @timestamp)
106| WHERE Esql.occurrences >= 30
107 AND Esql.unique_chunks >= 30
108 AND Esql.avg_payload_len >= 20
109| SORT Esql.unique_chunks DESC
110| LIMIT 20
111| KEEP host.id, host.name, process.name, user.id, user.name, data_stream.namespace, Esql.*
112'''
113
114[rule.investigation_fields]
115field_names = [
116 "@timestamp",
117 "host.id",
118 "host.name",
119 "user.id",
120 "user.name",
121 "process.name",
122 "dns.question.name",
123]
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127
128[[rule.threat.technique]]
129id = "T1048"
130name = "Exfiltration Over Alternative Protocol"
131reference = "https://attack.mitre.org/techniques/T1048/"
132
133[[rule.threat.technique.subtechnique]]
134id = "T1048.003"
135name = "Exfiltration Over Unencrypted Non-C2 Protocol"
136reference = "https://attack.mitre.org/techniques/T1048/003/"
137
138[rule.threat.tactic]
139id = "TA0010"
140name = "Exfiltration"
141reference = "https://attack.mitre.org/tactics/TA0010/"
142
143[[rule.threat]]
144framework = "MITRE ATT&CK"
145
146[[rule.threat.technique]]
147id = "T1572"
148name = "Protocol Tunneling"
149reference = "https://attack.mitre.org/techniques/T1572/"
150
151[rule.threat.tactic]
152id = "TA0011"
153name = "Command and Control"
154reference = "https://attack.mitre.org/tactics/TA0011/"
Triage and analysis
Investigating Potential DNS Exfiltration via Excessive Chunked Queries
DNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example,
42-<base64-or-hex-payload>.attacker.example). A large number of distinct chunk indices to the same base domain from
one process within a short window strongly suggests staged data transfer rather than normal resolution behavior.
Possible investigation steps
- Review Esql.base_domain, Esql.unique_chunks, and Esql.max_index on the alert to gauge exfil volume and whether chunk indices form a contiguous or near-contiguous sequence.
- Identify process.name and process.executable (from related network events on the same host) and inspect the process tree for scripting runtimes, LOLBins, or unsigned binaries.
- Pivot on host.id for other DNS, network, or exfiltration alerts in the past 48 hours.
- Inspect sample dns.question.name values for the session to confirm encoded payload subdomains and estimate data volume (Esql.avg_payload_len × Esql.unique_chunks).
- Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside approved DNS allowlists.
False positive analysis
- Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor behavior before closing.
- Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and organizational ownership.
Response and remediation
- If confirmed malicious: isolate the host, block the Esql.base_domain at DNS and egress controls, and preserve DNS/network logs for scoping.
- Hunt for the same Esql.base_domain and process hash across other hosts and users.
- Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.
References
Related rules
- Potential Data Exfiltration Through Curl
- Potential Data Exfiltration via Rclone
- Potential File Transfer via Certreq
- Potential DNS Tunneling via NsLookup
- Credential Acquisition via Registry Hive Dumping