Detect Long DNS TXT Record Response

Description

This search detects attempts at DNS tunneling by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a transmission channel for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.


Use Case

Advanced Threat Detection

Category

Command and Control

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Command and Control
Exfiltration

MITRE ATT&CK Techniques

Commonly Used Port

MITRE Threat Groups

APT18
APT19
APT28
APT29
APT3
APT37
Dragonfly 2.0
FIN7
FIN8
Lazarus Group
Magic Hound
Night Dragon
OilRig
TEMP.Veles
Threat Group-3390

Kill Chain Phases

Command and Control

Data Sources

DNS

Detect Long DNS TXT Record Response Help

This search uses the Network_Resolution data model and gathers all the answers to DNS queries for TXT records. The query then looks at the answer section and calculates the length of the answer. The search will then return information for those responses that exceed 100 characters in length.
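As an added example (not Splunk's own search), the following Python script applies the same logic to a few constructed DNS answer records. The field names (src, query, record_type, answer) follow the Network_Resolution data model, but the record shape and the sample values are assumptions.

```python
"""Flag DNS TXT answers longer than 100 characters (added example, not Splunk's code)."""

# Threshold stated in the detection: responses exceeding 100 characters are returned.
MAX_TXT_ANSWER_LEN = 100

# Constructed sample DNS answer events (hypothetical hosts and domains).
# The 140-character answer imitates an encoded payload carried in a TXT record.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "query": "example.com", "record_type": "TXT",
     "answer": "v=spf1 include:_spf.example.com -all"},            # 36 chars, benign
    {"src": "10.0.0.5", "query": "example.com", "record_type": "A",
     "answer": "93.184.216.34"},                                     # not a TXT record
    {"src": "10.0.0.7", "query": "c2.example.net", "record_type": "TXT",
     "answer": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4},           # 140 chars
    {"src": "10.0.0.9", "query": "verify.example.org", "record_type": "TXT",
     "answer": ["site-verification=abc123", "0123456789" * 10]},  # 24 and 100 chars
]


def long_txt_answers(events, threshold=MAX_TXT_ANSWER_LEN):
    """Return (src, query, answer_length) for every TXT answer longer than threshold.

    Mirrors the search: keep TXT records only, measure the answer section,
    and report those that exceed the limit. A response may carry several
    TXT strings, so a list-valued answer is measured string by string.
    An answer of exactly `threshold` characters is not flagged.
    """
    hits = []
    for event in events:
        if str(event.get("record_type", "")).upper() != "TXT":
            continue
        answer = event.get("answer")
        if answer is None:
            continue  # malformed or truncated event: nothing to measure
        strings = answer if isinstance(answer, list) else [answer]
        for txt in strings:
            if len(txt) > threshold:
                hits.append((event.get("src"), event.get("query"), len(txt)))
    return hits


if __name__ == "__main__":
    for src, query, length in long_txt_answers(SAMPLE_EVENTS):
        print(f"src={src} query={query} txt_answer_length={length}")
```

In Splunk the same measurement would be a `len()` on the answer field followed by a `where` clause; the script only makes the threshold logic explicit.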