SigmaHQ/rules/network/net_dns_c2_detection.yml

title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
    which can be an indicator that DNS is used to transfer data.
author: Patrick Bareiss
date: 2019/04/07
modified: 2020/08/27
references:
    - https://zeltser.com/c2-dns-tunneling/
    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
logsource:
    category: dns
detection:
    selection:
        parent_domain: '*'
    condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
    - Valid software, which uses dns for transferring data
level: high
tags:
    - attack.command_and_control
    - attack.t1071 # an old one
    - attack.t1071.004
    - attack.exfiltration
    - attack.t1048 # an old one
    - attack.t1048.003
Changed title and description 2019-04-21 06:54:56 +00:00			`title: Possible DNS Tunneling`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 18:27:36 +00:00			`status: experimental`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,`
			`which can be an indicator that DNS is used to transfer data.`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 18:27:36 +00:00			`author: Patrick Bareiss`
			`date: 2019/04/07`
att&ck tags review: windows/process_creation part 1, network 2020-08-27 17:43:47 +00:00			`modified: 2020/08/27`
Second round 2020-09-15 13:02:30 +00:00			`references:`
			`- https://zeltser.com/c2-dns-tunneling/`
			`- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 18:27:36 +00:00			`logsource:`
add tieto dns exfiltration rules 2019-10-25 02:30:55 +00:00			`category: dns`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 18:27:36 +00:00			`detection:`
			`selection:`
			`parent_domain: '*'`
			`condition: selection \| count(dns_query) by parent_domain > 1000`
			`falsepositives:`
			`- Valid software, which uses dns for transferring data`
			`level: high`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071 # an old one`
			`- attack.t1071.004`
			`- attack.exfiltration`
			`- attack.t1048 # an old one`
			`- attack.t1048.003`