T1071.004: DNS
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
pt_nad: PT-CR-733: NAD_DNS_Zone_Transfer: PT NAD detected an AXFR query from an untrusted DNS server network_devices_abnormal_activity: PT-CR-477: Untrusted_DNS_Server_Usage: A connection to a DNS server from an external network is detected dnsmasq: PT-CR-2233: Dnsmasq_New_Kind_Of_Network_Detection: DNS requests to the New Kind of Network service that can be used as a C2 channel dnsmasq: PT-CR-2231: Dnsmasq_Wannacry_Killswitch_Detection: DNS requests to external services matching the WannaCry malware dnsmasq: PT-CR-2227: Dnsmasq_Base64_Encoded_DNS_Request_Detection: Suspicious Base64-encoded DNS requests dnsmasq: PT-CR-2232: Dnsmasq_Cobalt_Strike_DNS_Beaconing_Detection: A suspicious DNS request from Cobalt Strike beacons dnsmasq: PT-CR-2203: Dnsmasq_DNS_Query_High_Frequency: Multiple DNS requests to the same domain, which may indicate that data is transferred using DNS dnsmasq: PT-CR-2200: Dnsmasq_TXT_Query_High_Frequency: An extremely high frequency of DNS requests with the TXT record type from a host in a short period of time may indicate the use of the Do-exfiltration utility dnsmasq: PT-CR-2228: Dnsmasq_External_Service_Interaction_Domain_Detection: Suspicious DNS requests to external service interaction domains that are often used for out-of-band communication after successful RCE dnsmasq: PT-CR-2230: Dnsmasq_Monero_Crypto_Coin_Mining_Domain_Detection: Suspicious DNS requests to Monero mining pools active_directory_attacks: PT-CR-74: DNS_Zone_Transfer_To_Untrusted_Host: An AXFR request from an untrusted DNS server. With this request, attackers can disclose the internal structure of the network and gain access to confidential information. bind: PT-CR-2189: BIND_Cobalt_Strike_DNS_Beaconing_Detection: A suspicious request for DNS parameters. These requests can come from Cobalt Strike beacons, which can be used by attackers to test infrastructure and detect vulnerabilities. bind: PT-CR-2190: BIND_New_Kind_Of_Network_Detection: A request for DNS parameters for a resource that can be used as a C2 server channel. C2 servers usually host control software that allows attackers to remotely control victims' computers, gain access to sensitive information, and carry out attacks. bind: PT-CR-2188: BIND_Monero_Crypto_Coin_Mining_Domain_Detection: A request for DNS parameters to Monero mining pools bind: PT-CR-2193: BIND_Many_DNS_Requests_To_Single_Resource: Multiple DNS requests to one resource, which may indicate the activity of malware trying to access malicious websites or services bind: PT-CR-2195: BIND_Many_DNS_Requests_From_Single_Host: Multiple DNS requests from one host, which may indicate the start of malware that uses DNS for command and control bind: PT-CR-2194: BIND_DNS_Zone_Transfer_From_Untrusted_Host: DNS zone transfer from an untrusted host bind: PT-CR-2187: BIND_Wannacry_Killswitch_Detection: A request for DNS parameters for the malicious WannaCry Kill Switch resource bind: PT-CR-2196: BIND_Many_DNS_TXT_Records_Requests: Multiple DNS requests with the "TXT" record type, which may indicate the use of the Do-Exfiltration malicious utility bind: PT-CR-2185: BIND_External_Service_Interaction_Domain_Detection: A request for DNS parameters for external service interaction domains. Attackers use such requests for out-of-band communications. bind: PT-CR-2191: BIND_Base64_Encoded_DNS_Request_Detection: A request for DNS parameters for a resource contains Base64 encoding. Attackers can encode requests to disguise their activity. mitre_attck_cred_access: PT-CR-1076: DNS_Spoofing: DNS spoofing of domain hosts is detected. The attacker host address is put on a table list.
Detection
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Flow | Description | Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
---|
Mitigation
ID | M1037 | Name | Filter Network Traffic | Description | Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets. |
---|
ID | M1031 | Name | Network Intrusion Prevention | Description | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
---|