rules/network/net_dns_c2_detection.yml

title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: test
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
author: Patrick Bareiss
references:
  - https://zeltser.com/c2-dns-tunneling/
  - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
date: 2019/04/07
modified: 2021/11/27
logsource:
  category: dns
detection:
  selection:
    parent_domain: '*'
  condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
  - Valid software, which uses dns for transferring data
level: high
tags:
  - attack.command_and_control
  - attack.t1071.004
  - attack.exfiltration
  - attack.t1048.003
Changed title and description 2019-04-21 08:54:56 +02:00			`title: Possible DNS Tunneling`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
			`description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`author: Patrick Bareiss`
Second round 2020-09-15 07:02:30 -06:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://zeltser.com/c2-dns-tunneling/`
			`- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/`
			`date: 2019/04/07`
			`modified: 2021/11/27`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: dns`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`parent_domain: '*'`
			`condition: selection \| count(dns_query) by parent_domain > 1000`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Valid software, which uses dns for transferring data`
Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.command_and_control`
			`- attack.t1071.004`
			`- attack.exfiltration`
			`- attack.t1048.003`