Query Details

DNS Data Exfiltration via Long Subdomain Labels

08 DNS Data Exfil Long Labels

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(24h)
| extend Labels = split(DnsQuery, ".")
| extend
    Label0    = tostring(Labels[0]),
    Label1    = tostring(Labels[1]),
    Label2    = tostring(Labels[2])
| extend MaxLabelLen = max_of(strlen(Label0), strlen(Label1), strlen(Label2))
| where MaxLabelLen > 35
| extend QuerySize = strlen(DnsQuery)
| summarize
    TotalQueries   = count(),
    EstimatedBytes = sum(QuerySize),
    MaxLabelSeen   = max(MaxLabelLen),
    AvgLabelLen    = round(avg(MaxLabelLen), 1),
    SampleDomains  = make_set(DnsQuery, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| extend EstimatedKB = round(todouble(EstimatedBytes) / 1024.0, 1)
| where EstimatedKB > 50

Explanation

This query is designed to detect potential data exfiltration through DNS queries by identifying unusually long subdomain labels. Here's a simplified breakdown:

  1. Purpose: The query aims to spot data being secretly sent out (exfiltrated) using DNS queries. Attackers might encode data into DNS subdomain labels to sneak it out, as DNS labels can be up to 63 characters long, but legitimate domains rarely use labels longer than 30-35 characters.

  2. Detection Method:

    • The query looks at DNS activity logs from the past 24 hours.
    • It splits DNS queries into their subdomain parts and checks the length of each part.
    • If any part is longer than 35 characters, it flags it as suspicious.
    • It aggregates data to estimate the total amount of data sent by each client over 24 hours.
  3. Indicators:

    • A client sending more than 100KB of data via DNS in a day is considered a strong indicator of exfiltration.
    • The query calculates the total number of queries, the estimated data volume in kilobytes, the longest label seen, and the average label length.
  4. Alerting:

    • If a client is found to have sent more than 50KB of data using long subdomain labels, an alert is triggered.
    • The alert includes details like the hostname, IP address, number of queries, maximum and average label lengths, estimated data volume, and sample domains.
  5. Relevance:

    • This method is effective in catching "low-and-slow" data exfiltration attempts that might not be detected by other means.
    • It aligns with MITRE ATT&CK techniques for exfiltration over unencrypted or obfuscated non-command-and-control protocols.

Overall, this query helps identify potential security breaches where data is being exfiltrated using DNS queries with unusually long subdomain labels.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsHostIpAddressSubdomainLabelsQueriesDataExfiltration

Operators

ASimDnsActivityLogswhereextendsplittostringmax_ofstrlensummarizecountsummaxavgroundmake_setminbytodouble

Severity

High

Tactics

ExfiltrationCommandAndControl

MITRE Techniques

Frequency: 1h

Period: 24h

Actions

GitHub