Splunk Security Essentials Docs

Navigation :

Detect Long DNS Txt Record Response

Description

This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection

Category

Command and Control

Alert Volume

This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Techniques

Application Layer Protocol

DNS

MITRE Threat Groups

APT18

APT39

APT41

Cobalt Group

FIN7

Ke3chang

OilRig

Tropic Trooper

Kill Chain Phases

Command and Control

Data Sources

DNS

Help

Detect Long DNS Txt Record Response Help

To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type"  "Answer Length" Count "First Time" "Last Time" | `detect_long_dns_txt_record_response_filter`

Open in Search