Technique on mitre.org

T1071.004: DNS

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

bind: PT-CR-2196: BIND_Many_DNS_TXT_Records_Requests: Multiple DNS requests with the "TXT" record type, which may indicate the use of the Do-Exfiltration malicious utility bind: PT-CR-2194: BIND_DNS_Zone_Transfer_From_Untrusted_Host: DNS zone transfer from an untrusted host mitre_attck_cred_access: PT-CR-1076: DNS_Spoofing: DNS spoofing of domain hosts is detected. The attacker host address is put on a table list. network_devices_abnormal_activity: PT-CR-477: Untrusted_DNS_Server_Usage: A connection to a DNS server from an external network is detected capabilities_suspicious_activity: PT-CR-3056: CAP_High_Frequency_DNS_Requests_From_Host: Multiple unique queries to DNS servers in the same second-level domain were executed from the same host within a short period of time. Attackers can use such queries for reconnaissance, C&C communication, or exfiltration of sensitive data. capabilities_suspicious_activity: PT-CR-2807: CAP_DNS_Request_to_Suspicious_Domain: Attempt to make a DNS query to a suspicious resource that can be used by adversaries to carry out attacks capabilities_suspicious_activity: PT-CR-3044: CAP_Base64_Encoded_DNS_Request: A request for DNS parameters for a resource contains Base64 encoding. Attackers can encode requests to disguise their activity. capabilities_suspicious_activity: PT-CR-2760: CAP_DNS_Request_to_Malicious_Domain: Attempt to make a DNS query to a malicious resource used by adversaries to carry out attacks pt_nad: PT-CR-733: NAD_DNS_Zone_Transfer: PT NAD detected an AXFR query from an untrusted DNS server dnsmasq: PT-CR-2203: Dnsmasq_DNS_Query_High_Frequency: Multiple DNS queries to a single domain, which may indicate the use of DNS for data tunneling dnsmasq: PT-CR-2200: Dnsmasq_TXT_Query_High_Frequency: An extremely high frequency of DNS requests with the TXT record type from a host in a short period of time may indicate the use of the Do-exfiltration utility active_directory_attacks: PT-CR-74: DNS_Zone_Transfer_To_Untrusted_Host: An AXFR request from an untrusted DNS server. With this request, attackers can disclose the internal structure of the network and gain access to confidential information.

Detection

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	Data source and component	Description
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Traffic Flow	Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Mitigation

ID	M1037	Name	Filter Network Traffic	Description	Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets.

ID	M1031	Name	Network Intrusion Prevention	Description	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

ID	Name	Description
M1037	Filter Network Traffic	Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets.
M1031	Network Intrusion Prevention	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.