High NULL Records Requests Rate
An extremely high rate of DNS NULL record queries from a single host within a short period of time. NULL records can carry arbitrary binary data, which is why iodine uses them as its default tunnel transport; a burst of NULL queries from one source IP is therefore a possible sign of iodine (DNS tunnelling) execution.
The condition counts matching events per source IP over a one-minute window. This aggregation syntax (`count() by ... > N`) is not supported by current Sigma backends, which is why the rule carries `status: unsupported`; the threshold logic has to be expressed in the target SIEM's own query language.
Sigma rule
title: High NULL Records Requests Rate
id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
status: unsupported
description: Extremely high rate of NULL record type DNS requests from a single host within a short period of time. Possible result of iodine tool execution.
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2023/03/24
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        record_type: 'NULL'
    timeframe: 1m
    condition: selection | count() by src_ip > 50
falsepositives:
    - Legitimate high rate of DNS NULL requests to a domain name, which should be added to the whitelist
level: medium
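Because the aggregation cannot be compiled by Sigma backends, the logic below shows what the rule means when implemented by hand. This is an added example, not code from the Sigma rule or the SigmaHQ project: it counts NULL queries per source IP over a sliding one-minute window and flags sources exceeding 50, with an allowlist of zones to absorb the false positive the rule mentions. The log record layout (dicts with `ts`, `src_ip`, `record_type`, `query`), the `ALLOWLIST` contents and the sample traffic are all constructed assumptions of this example.

```python
"""Reference implementation of the 'High NULL Records Requests Rate' threshold.

Added example, not part of the Sigma rule. Assumed input: an iterable of DNS
log records shaped like {"ts": datetime, "src_ip": str, "record_type": str,
"query": str}. The allowlisted zones and sample events are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50                  # rule: count() by src_ip > 50
WINDOW = timedelta(minutes=1)    # rule: timeframe: 1m

# Assumption: zones known to legitimately receive NULL queries (rule's falsepositives note).
ALLOWLIST = {"legit.example"}


def _zone_allowed(qname):
    """True if qname is, or is a subdomain of, an allowlisted zone."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in ALLOWLIST)


def detect_null_flood(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_count} for sources whose NULL-query count within
    any sliding window of length `window` exceeds `threshold`."""
    per_src = defaultdict(list)
    for e in events:
        if e["record_type"] != "NULL":        # rule selection: record_type 'NULL'
            continue
        if _zone_allowed(e["query"]):         # whitelist handling
            continue
        per_src[e["src_ip"]].append(e["ts"])

    alerts = {}
    for src, times in per_src.items():
        times.sort()
        left = 0
        peak = 0
        for right, t in enumerate(times):
            # shrink the window from the left until it spans less than `window`
            while t - times[left] >= window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            alerts[src] = peak
    return alerts


def make_sample_events():
    """Constructed sample log (not real traffic):
    - 10.0.0.5: 120 NULL queries in ~48 s (iodine-like burst) plus ordinary A queries
    - 10.0.0.9: 30 NULL queries spread over ~58 s (below threshold)
    - 10.0.0.7: 80 NULL queries, but to an allowlisted zone
    """
    base = datetime(2023, 3, 24, 12, 0, 0)
    events = []
    for i in range(120):
        events.append({"ts": base + timedelta(milliseconds=400 * i), "src_ip": "10.0.0.5",
                       "record_type": "NULL", "query": f"{i:04x}abc.t.attacker.example"})
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=2 * i), "src_ip": "10.0.0.9",
                       "record_type": "NULL", "query": f"q{i}.other.example"})
    for i in range(80):
        events.append({"ts": base + timedelta(milliseconds=500 * i), "src_ip": "10.0.0.7",
                       "record_type": "NULL", "query": f"n{i}.legit.example"})
    for i in range(200):  # normal A lookups must not count towards the threshold
        events.append({"ts": base + timedelta(milliseconds=200 * i), "src_ip": "10.0.0.5",
                       "record_type": "A", "query": "www.example.com"})
    return events


if __name__ == "__main__":
    for src, count in detect_null_flood(make_sample_events()).items():
        print(f"ALERT src_ip={src} null_queries_in_1m={count}")
```

The sliding window is stricter than the tumbling buckets most SIEMs use for a `timeframe`, so a burst straddling a bucket boundary is still caught here; in production, tune the threshold against a baseline of your resolver's normal NULL-query volume before relying on it.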
Related rules
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High TXT Records Requests Rate
- Possible DNS Tunneling
- DNSCat2 Powershell Implementation Detection Via Process Creation