rules/network/net_dns_c2_detection.yml

title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
    which can be an indicator that DNS is used to transfer data.
references:
    - https://zeltser.com/c2-dns-tunneling/
    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
logsource:
    product: dns
detection:
    selection:
        parent_domain: '*'
    condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
    - Valid software, which uses dns for transferring data
level: high
tags:
    - attack.t1043
Changed title and description 2019-04-21 08:54:56 +02:00			`title: Possible DNS Tunneling`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`status: experimental`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,`
			`which can be an indicator that DNS is used to transfer data.`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`references:`
			`- https://zeltser.com/c2-dns-tunneling/`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00			`- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`author: Patrick Bareiss`
			`date: 2019/04/07`
			`logsource:`
			`product: dns`
			`detection:`
			`selection:`
			`parent_domain: '*'`
			`condition: selection \| count(dns_query) by parent_domain > 1000`
			`falsepositives:`
			`- Valid software, which uses dns for transferring data`
			`level: high`
			`tags:`
			`- attack.t1043`