Query Details

08 DNS Data Exfil Long Labels

Query

id: a1b2c3d4-0008-4a5b-8c9d-dns008exfil
name: DNS Data Exfiltration via Long Subdomain Labels
description: |
  Detects data exfiltration over DNS by identifying queries containing
  abnormally long subdomain labels. Attackers encode data (base64, hex)
  into DNS subdomain labels to exfiltrate files and credentials.
  Each DNS label supports up to 63 characters; legitimate domains almost
  never use labels longer than 30–35 characters. Tunneling tools such as
  iodine, dnscat2, and custom scripts split encoded payload data into
  255-char TXT chunks or 63-char subdomain labels.
  A single client exfiltrating >100KB via DNS in 24h is a strong indicator.
  MITRE T1048.003 — Exfiltration over Unencrypted/Obfuscated Non-C2 Protocol
  Differentiation from built-in "Potential DNS Tunnel (ASIM DNS)":
  The built-in uses per-query length thresholds. This rule aggregates label
  sizes across all queries per client over 24h to estimate total exfiltrated
  bytes (EstimatedKB). This volume-based approach catches low-and-slow exfil
  that uses moderately long labels (staying under per-query thresholds) but
  accumulates significant data transfer over time.
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 24h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1048.003
  - T1071.004
tags:
  - DNS Exfiltration
  - Data over DNS
  - iodine
  - dnscat2
  - APT32
  - Turla
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(24h)
  | extend Labels = split(DnsQuery, ".")
  | extend
      Label0    = tostring(Labels[0]),
      Label1    = tostring(Labels[1]),
      Label2    = tostring(Labels[2])
  | extend MaxLabelLen = max_of(strlen(Label0), strlen(Label1), strlen(Label2))
  | where MaxLabelLen > 35
  | extend QuerySize = strlen(DnsQuery)
  | summarize
      TotalQueries   = count(),
      EstimatedBytes = sum(QuerySize),
      MaxLabelSeen   = max(MaxLabelLen),
      AvgLabelLen    = round(avg(MaxLabelLen), 1),
      SampleDomains  = make_set(DnsQuery, 10),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | extend EstimatedKB = round(todouble(EstimatedBytes) / 1024.0, 1)
  | where EstimatedKB > 50
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Exfiltration — {{SrcHostname}} sent ~{{EstimatedKB}}KB via long subdomain labels"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) sent {{TotalQueries}} queries with long subdomain labels (max {{MaxLabelSeen}} chars, avg {{AvgLabelLen}}). Estimated data volume: ~{{EstimatedKB}}KB. Sample domains: {{SampleDomains}}"
customDetails:
  EstimatedKB: EstimatedKB
  MaxLabelSeen: MaxLabelSeen
  TotalQueries: TotalQueries

Explanation

This query is designed to detect potential data exfiltration through DNS queries by identifying unusually long subdomain labels. Here's a simplified breakdown:

  1. Purpose: The query aims to spot data being secretly sent out (exfiltrated) using DNS queries. Attackers might encode data into DNS subdomain labels to sneak it out, as DNS labels can be up to 63 characters long, but legitimate domains rarely use labels longer than 30–35 characters.

  2. Detection Method:
    • The query looks at DNS activity logs from the past 24 hours.
    • It splits DNS queries into their subdomain parts and checks the length of each part.
    • If any part is longer than 35 characters, it flags the query as suspicious.
    • It aggregates the flagged queries to estimate the total amount of data sent by each client over 24 hours.

  3. Indicators:
    • A client sending more than 100KB of data via DNS in a day is considered a strong indicator of exfiltration.
    • The query calculates the total number of queries, the estimated data volume in kilobytes, the longest label seen, and the average label length.

  4. Alerting:
    • If a client is found to have sent more than 50KB of data using long subdomain labels, an alert is triggered.
    • The alert includes details like the hostname, IP address, number of queries, maximum and average label lengths, estimated data volume, and sample domains.

  5. Relevance:
    • This method is effective in catching "low-and-slow" data exfiltration attempts that might not be detected by per-query thresholds alone.
    • It aligns with MITRE ATT&CK techniques for exfiltration over unencrypted or obfuscated non-command-and-control protocols.

Overall, this query helps identify potential security breaches where data is being exfiltrated using DNS queries with unusually long subdomain labels.
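As an added illustration (not part of the rule above or the page), the same volume-based logic in Python, run over constructed ASIM-style rows: one host sends three 40-character labels per query, each well under the 63-char limit and only modestly above the 35-char filter, yet 900 such queries in 24h add up to roughly 120KB. The hostnames, IPs, timestamps and example.net/org domains are all constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

LABEL_LEN_THRESHOLD = 35     # per-label filter used by the rule (MaxLabelLen > 35)
VOLUME_KB_THRESHOLD = 50.0   # per-client 24h volume filter (EstimatedKB > 50)
NOW = datetime(2026, 3, 26, 12, 0, 0)   # constructed evaluation time
def max_label_len(dns_query):
    """Longest of the first three labels, mirroring the KQL's Label0..Label2."""
    return max((len(label) for label in dns_query.split(".")[:3]), default=0)
def detect_dns_exfil(records, now=NOW, window=timedelta(hours=24)):
    """Aggregate long-label queries per client; return clients over the volume threshold."""
    per_client = defaultdict(list)
    for r in records:
        if r["TimeGenerated"] <= now - window:
            continue                               # outside the 24h queryPeriod
        mll = max_label_len(r["DnsQuery"])
        if mll > LABEL_LEN_THRESHOLD:              # same per-query filter as the KQL
            per_client[(r["SrcIpAddr"], r["SrcHostname"])].append((r["DnsQuery"], mll))
    results = {}
    for client, rows in per_client.items():
        est_kb = round(sum(len(q) for q, _ in rows) / 1024.0, 1)   # EstimatedKB
        if est_kb <= VOLUME_KB_THRESHOLD:
            continue                               # long labels, but too little volume
        results[client] = {
            "TotalQueries": len(rows),
            "EstimatedKB": est_kb,
            "MaxLabelSeen": max(m for _, m in rows),
            "AvgLabelLen": round(sum(m for _, m in rows) / len(rows), 1),
            "SampleDomains": sorted({q for q, _ in rows})[:10],
        }
    return results

def build_sample_logs(now=NOW):
    """Constructed ASimDnsActivityLogs-style rows, not real telemetry."""
    def row(ip, host, query, age):
        return {"TimeGenerated": now - age, "SrcIpAddr": ip, "SrcHostname": host, "DnsQuery": query}
    def hexlabel(seed):                            # deterministic 40-char hex label
        return hashlib.sha256(seed.encode()).hexdigest()[:40]
    # Benign workstation: short labels never pass the per-label filter.
    logs = [row("10.0.0.5", "ws-benign", "www.example.com", timedelta(minutes=i)) for i in range(200)]
    # Bursty but tiny: five 50-char labels pass the per-label filter but not the volume filter.
    logs += [row("10.0.0.6", "ws-bursty", "a" * 50 + ".cdn.example.org", timedelta(minutes=i)) for i in range(5)]
    # Low-and-slow tunnel: one 136-byte query (three 40-char labels) every 96 s for 24h.
    for i in range(900):
        query = ".".join(hexlabel(f"{i}-{j}") for j in range(3)) + ".t.example.net"
        logs.append(row("10.0.0.7", "ws-tunnel", query, timedelta(seconds=96 * i)))
    # Same tunnel host, but 30h old: outside the window, so it must not be counted.
    logs.append(row("10.0.0.7", "ws-tunnel", "x" * 40 + ".t.example.net", timedelta(hours=30)))
    return logs
```

Like the KQL, the check only inspects the first three labels, so encoded data placed in a fourth label or carried in TXT answers is not counted toward EstimatedKB.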

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns, Activity, Logs, Host, Ip, Address, Subdomain, Labels, Queries, Data, Exfiltration

Operators

ASimDnsActivityLogs, where, extend, split, tostring, max_of, strlen, summarize, count, sum, max, avg, round, make_set, min, max, by, todouble