Query Details

01 DNS Tunneling TXT High Volume

Query

id: a1b2c3d4-0001-4a5b-8c9d-dns001tunneltxt
name: DNS Tunneling via High-Volume TXT Record Queries
description: |
  Detects clients generating an abnormally high number of TXT record DNS queries,
  which is a primary indicator of DNS tunneling tools such as iodine, dnscat2,
  or Cobalt Strike DNS channels. TXT records can carry up to 255 characters per
  record, making them ideal for encoding C2 commands and exfiltrated data.
  Ref: Octoberfest7/DNS_Tunneling, OilRig (APT34) TTPs.
  Differentiation from built-in "Potential DNS Tunnel (ASIM DNS)":
  The built-in uses general query-length and entropy thresholds across all record
  types. This rule focuses exclusively on TXT record count per client (>=100 in
  1 hour), catching tunneling tools that use TXT as their primary data channel
  regardless of individual query length. Can run alongside the built-in as a
  complementary, record-type-specific signal.
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1071.004
  - T1048.003
tags:
  - DNS Tunneling
  - TXT Records
  - iodine
  - dnscat2
  - APT34
  - OilRig
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  | where DnsQueryTypeName =~ "TXT"
  | summarize
      TxtQueryCount  = count(),
      UniqueDomains  = dcount(DnsQuery),
      SampleDomains  = make_set(DnsQuery, 10),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | where TxtQueryCount >= 100   // >=100 per hour, matching the threshold stated in the description
  | extend
      HostName = iif(isnotempty(SrcHostname), SrcHostname, SrcIpAddr),
      AlertDetail = strcat("Client sent ", tostring(TxtQueryCount),
                           " TXT queries across ", tostring(UniqueDomains), " unique domains")
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName   # extended column: falls back to SrcIpAddr when SrcHostname is empty
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Tunneling (TXT) — {{HostName}} sent {{TxtQueryCount}} TXT queries"
  alertDescriptionFormat: "Host {{HostName}} ({{SrcIpAddr}}) sent {{TxtQueryCount}} TXT record queries across {{UniqueDomains}} unique domains in 1 hour. Sample domains: {{SampleDomains}}"
  alertSeverityColumnName: null
customDetails:
  TxtQueryCount: TxtQueryCount
  UniqueDomains: UniqueDomains
  SampleDomains: SampleDomains

Explanation

This query is designed to detect potential DNS tunneling activity by monitoring DNS queries for TXT records. DNS tunneling is a technique used by attackers to send data through DNS queries, often for command and control (C2) communication or data exfiltration. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies clients (computers or devices) that are making an unusually high number of DNS queries for TXT records, which can indicate the use of DNS tunneling tools like iodine, dnscat2, or Cobalt Strike.

  2. Detection Criteria: The query looks for clients that send 100 or more TXT record queries within a one-hour period. TXT records can hold up to 255 characters, making them suitable for carrying encoded data.

  3. Data Source: It uses Windows DNS events collected through the Windows DNS via AMA connector and normalized into the ASimDnsActivityLogs table.

  4. Output: For each client detected, the query provides:

    • The total number of TXT queries made.
    • The number of unique domains queried.
    • A sample list of up to 10 domains queried.
    • The first and last time the queries were seen within the hour.

  5. Alerting: If a client meets the criteria, an alert is generated with details such as the number of TXT queries, the unique domains involved, and sample domains. The alert is tagged with relevant information about DNS tunneling and associated tools or threat actors.

  6. Severity and Tactics: The alert is marked with high severity and is associated with tactics like Command and Control and Exfiltration, which are common in cyber attacks.

Overall, this query helps security teams identify and investigate potential DNS tunneling activities by focusing on high-volume TXT record queries, which are often used in malicious activities.
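To make the detection logic concrete, here is an added Python re-implementation of the rule (not part of the original page or the rule author's code) run over constructed, ASimDnsActivityLogs-shaped sample rows. The timestamps, IPs, hostnames and domain names are all invented; the one-hour window, the TXT filter, the per-client summarization, the >=100 threshold and the hostname fallback follow the KQL above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 3, 26, 9, 0, 0)           # constructed anchor time for the sample rows
NOW = BASE + timedelta(minutes=59)              # "now" when the rule runs; ago(1h) = BASE - 1 min

def _rows(n, ip, host, qtype, query_fmt, step, offset=0):
    """Build n constructed ASimDnsActivityLogs-shaped rows for one client (not real telemetry)."""
    return [{"TimeGenerated": BASE + timedelta(seconds=offset + step * i), "SrcIpAddr": ip,
             "SrcHostname": host, "DnsQueryTypeName": qtype,
             "DnsQuery": query_fmt.format(i=i)} for i in range(n)]

SAMPLE_LOGS = (
    _rows(120, "10.0.0.5", "WS-A", "TXT", "c{i:04x}.t.example.test", 20)       # tunnel-like burst
    + _rows(200, "10.0.0.5", "WS-A", "TXT", "old{i}.t.example.test", 1, -7200) # outside the window
    + _rows(50, "10.0.0.5", "WS-A", "A", "www.example.test", 1)                # A records: ignored
    + _rows(30, "10.0.0.6", "WS-B", "txt", "_dmarc.example.test", 60)          # benign, below threshold
    + _rows(100, "10.0.0.7", "", "TXT", "d{i}.x.example.test", 30)             # no hostname, exactly 100
)

def detect_txt_tunneling(logs, now=NOW, threshold=100, window=timedelta(hours=1), sample_size=10):
    """Replicate the rule: last-hour TXT queries, summarized per client, thresholded."""
    start = now - window
    groups = defaultdict(list)
    for rec in logs:
        if rec["TimeGenerated"] <= start:               # TimeGenerated > ago(1h)
            continue
        if rec["DnsQueryTypeName"].lower() != "txt":    # =~ "TXT" is case-insensitive
            continue
        groups[(rec["SrcIpAddr"], rec["SrcHostname"])].append(rec)   # by SrcIpAddr, SrcHostname
    alerts = []
    for (ip, host), recs in groups.items():
        if len(recs) < threshold:                       # TxtQueryCount >= 100
            continue
        distinct = list(dict.fromkeys(r["DnsQuery"] for r in recs))  # input to dcount / make_set
        times = [r["TimeGenerated"] for r in recs]
        alert = {
            "HostName": host or ip,                     # iif(isnotempty(SrcHostname), SrcHostname, SrcIpAddr)
            "SrcIpAddr": ip,
            "TxtQueryCount": len(recs),
            "UniqueDomains": len(distinct),
            "SampleDomains": distinct[:sample_size],    # make_set(DnsQuery, 10)
            "FirstSeen": min(times),
            "LastSeen": max(times),
        }
        alert["AlertDetail"] = (f"Client sent {alert['TxtQueryCount']} TXT queries across "
                                f"{alert['UniqueDomains']} unique domains")
        alerts.append(alert)
    return alerts
```

With the sample above, WS-A fires on its 120 in-window TXT queries (its 200 older queries and its A-record lookups are ignored) and the hostname-less client 10.0.0.7 fires at exactly 100, while WS-B's 30 TXT lookups stay below the threshold.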

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DNS Tunneling, TXT Records, iodine, dnscat2, APT34, OilRig, Host, IP

Operators

ago(), =~, summarize, count(), dcount(), make_set(), min(), max(), by, >, extend, iif(), isnotempty(), strcat(), tostring()
