
Description

This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2020-07-21
  • Author: Rico Valdez, Splunk
  • ID: 05437c07-62f5-452e-afdc-04dd44815bb9

Annotations

ATT&CK
ID         Technique                                                  Tactic
T1048.003  Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol   Exfiltration
Kill Chain Phase
  • Command & Control
NIST
  • PR.DS
  • PR.PT
  • DE.AE
  • DE.CM
CIS20
  • CIS 8
  • CIS 12
  • CIS 13
CVE
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type 
|  `drop_dm_object_name("DNS")` 
| eval anslen=len(answer) 
| search anslen>100 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count 
| table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time" 
| `detect_long_dns_txt_record_response_filter`

Macros

The SPL above uses the following Macros:

  • security_content_summariesonly
  • drop_dm_object_name
  • security_content_ctime
  • detect_long_dns_txt_record_response_filter

Note that detect_long_dns_txt_record_response_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

  • _time
  • DNS.message_type
  • DNS.record_type
  • DNS.src
  • DNS.dest
  • DNS.answer

How To Implement

To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.

Known False Positives

It’s possible that legitimate TXT record responses can be long enough to trigger this search. You can raise the answer-length threshold in the search (anslen>100) to help mitigate false positives.

Associated Analytic story

RBA

Risk Score  Impact  Confidence  Message
25.0        50      50          tbd

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2