Query Details

02 DNS C2 Beaconing Periodic

Query

id: a1b2c3d4-0002-4a5b-8c9d-dns002c2beacon
name: DNS C2 Beaconing — Low-TTL Periodic Domain Lookups
description: |
  Detects DNS-based command-and-control beaconing by identifying clients that
  query the same external domain repeatedly at suspiciously regular intervals.
  Cobalt Strike DNS beacons, Sliver, and Havoc C2 frameworks poll a staging
  domain on a configurable timer (default: every 1 second to 5 minutes).
  This rule alerts when a single client queries the same FQDN 20+ times in 4 hours
  with a consistent periodicity, which is characteristic of automated C2 polling.
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071.004
  - T1132
tags:
  - DNS C2
  - Cobalt Strike
  - Beaconing
  - Sliver C2
  - Havoc
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(4h)
  | where EventResult =~ "Success"
  | where DnsQueryTypeName in~ ("A", "AAAA", "TXT", "MX", "CNAME", "NULL")
  | summarize
      QueryCount  = count(),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated),
      SrcHostname = any(SrcHostname)
    by SrcIpAddr, DnsQuery
  | where QueryCount >= 20
  | extend
      SpanMinutes   = datetime_diff('minute', LastSeen, FirstSeen),
      QueriesPerMin = round(todouble(QueryCount) / max_of(1, datetime_diff('minute', LastSeen, FirstSeen)), 2)
  | where SpanMinutes > 5
  | where QueriesPerMin >= 1
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DnsQuery
alertDetailsOverride:
  alertDisplayNameFormat: "DNS C2 Beaconing — {{SrcHostname}} queried {{DnsQuery}} {{QueryCount}} times"
  alertDescriptionFormat: "Potential C2 beacon: {{SrcHostname}} ({{SrcIpAddr}}) queried {{DnsQuery}} {{QueryCount}} times over {{SpanMinutes}} minutes (~{{QueriesPerMin}} q/min)"
customDetails:
  QueryCount: QueryCount
  QueriesPerMin: QueriesPerMin
  BeaconDomain: DnsQuery

Explanation

This query is designed to detect suspicious DNS activity that may indicate command-and-control (C2) beaconing, a technique often used by malware to communicate with an external server. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies clients (computers or devices) that repeatedly query the same external domain at regular intervals, which is a common behavior of automated C2 communication.

  2. Detection Criteria:

    • The query looks at DNS activity logs from the past 4 hours.
    • It focuses on successful DNS queries of specific types (A, AAAA, TXT, MX, CNAME, NULL).
    • It flags any client that queries the same Fully Qualified Domain Name (FQDN) 20 or more times within this period.
    • It calculates the time span between the first and last query and the average number of queries per minute.
    • It only considers cases where the querying happens over more than 5 minutes and at a rate of at least 1 query per minute.

  3. Alerting:

    • If the criteria are met, an alert is generated with details about the client, the domain queried, the number of queries, and the query rate.
    • The alert is labeled as high severity due to its potential indication of malicious activity.

  4. Use Cases:

    • This query is particularly relevant for detecting C2 frameworks like Cobalt Strike, Sliver, and Havoc, which use DNS for communication.
    • It helps security teams identify potential threats and take action to investigate or mitigate them.

  5. Output:

    • The alert includes information about the host (client), its IP address, the domain being queried, and the frequency of queries.

Overall, this query helps in identifying automated and potentially malicious DNS activity that could signify a compromised system communicating with a threat actor's server.
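As an added illustration, not part of the rule or the page above, the same thresholds (20+ queries, span over 5 minutes, at least 1 query per minute) re-implemented in Python over constructed ASimDnsActivityLogs-style records, and extended with an inter-query interval jitter measure (coefficient of variation) that the KQL rule itself does not compute. All hostnames, IPs and domains below are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

QTYPES = {"A", "AAAA", "TXT", "MX", "CNAME", "NULL"}  # same query types as the rule

def rec(t, src, host, fqdn, qtype="A", result="Success"):
    # One constructed record holding only the ASimDnsActivityLogs columns the rule reads.
    return {"TimeGenerated": t, "EventResult": result, "DnsQueryTypeName": qtype,
            "SrcIpAddr": src, "SrcHostname": host, "DnsQuery": fqdn}

def make_records():
    """Constructed sample data: one beacon, one benign burst, one slow poller."""
    base = datetime(2026, 3, 26, 9, 0, 0)
    recs = []
    # Beacon: 31 TXT lookups of one FQDN exactly 60 s apart (30-minute span, ~1.03 q/min).
    recs += [rec(base + timedelta(seconds=60 * i), "10.0.0.5", "WS-A",
                 "stage.example-c2.test", "TXT") for i in range(31)]
    # Benign burst: 25 lookups in 96 s (span of 1 minute, must not fire).
    recs += [rec(base + timedelta(seconds=4 * i), "10.0.0.6", "WS-B",
                 "cdn.example.test") for i in range(25)]
    # Slow poller: 22 lookups 11 minutes apart (rate well under 1 q/min, must not fire).
    recs += [rec(base + timedelta(minutes=11 * i), "10.0.0.7", "WS-C",
                 "updates.example.test") for i in range(22)]
    return recs

def detect_beacons(records, min_count=20, min_span_min=5, min_rate=1.0):
    """Apply the rule's filters and thresholds; also report inter-query jitter."""
    groups = defaultdict(list)
    for r in records:
        if r["EventResult"].lower() != "success" or r["DnsQueryTypeName"].upper() not in QTYPES:
            continue
        groups[(r["SrcIpAddr"], r["SrcHostname"], r["DnsQuery"])].append(r["TimeGenerated"])
    alerts = []
    for (src, host, fqdn), times in groups.items():
        if len(times) < min_count:  # QueryCount >= 20
            continue
        times.sort()
        span_min = int((times[-1] - times[0]).total_seconds() // 60)  # like datetime_diff('minute')
        qpm = round(len(times) / max(1, span_min), 2)
        if span_min <= min_span_min or qpm < min_rate:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = round(pstdev(gaps) / mean(gaps), 3)  # 0.0 = perfectly regular timer; higher = more jitter
        alerts.append({"SrcIpAddr": src, "SrcHostname": host, "DnsQuery": fqdn,
                       "QueryCount": len(times), "SpanMinutes": span_min,
                       "QueriesPerMin": qpm, "IntervalCV": cv})
    return alerts
```

Only the WS-A series is returned; the burst fails the span check and the slow poller fails the rate check. Neither the rule nor this example excludes internal zones or known-good names, so an allowlist of corporate domains and CDN hostnames is the usual first tuning step.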

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DNS C2, Beaconing, Cobalt Strike, Sliver, Havoc, Host, IP, DomainName

Operators

ASimDnsActivityLogs, where, ago, =~, in~, summarize, count, min, max, any, by, extend, datetime_diff, round, todouble, max_of
