Query Details

Sentinel Threat Hunting DNS Tunneling

Query

// Threat Hunting DNS Tunneling 

// DNS tunneling is a method used by threat actors to encode non-DNS traffic within DNS packets. This technique allows data to bypass traditional network firewalls, creating covert channels for data exfiltration and infiltration. By centralizing your enterprise DNS logging and utilizing Microsoft Sentinel SIEM, you can leverage my Sentinel KQL (DnsEvents Schema) to hunt for DNS tunneling activities. Additionally, I’ve provided a DefenderXDR KQL for Microsoft Defender for Endpoint, which uses the DeviceEvents schema for DNS tunneling threat hunting. For further context, I’m sharing an article by Palo Alto Networks Unit42 that details a DNS tunneling campaign using DNS queries for tracking and data exfiltration, highlighting the importance of the threat hunting KQL I’ve shared.

// DNS tunneling uses either A records or TXT records for an infected host to receive data
// To exfiltrate data to a C2 server, the DNS queries from an infected host will spike, with long queried hostnames

// Query 1 - Locate suspicious DNS tunneling host (ClientIP)
let DNSHostnameLengthCheck = 40;
DnsEvents
| where TimeGenerated > ago(90d) 
| where SubType == "LookupQuery"
| where QueryType=="A" or QueryType=="TXT"
| where strlen(Name) > DNSHostnameLengthCheck
| summarize DNSQueriedHost=dcount(Name), TotalQueryType=dcount(QueryType) by ClientIP
| sort by TotalQueryType, DNSQueriedHost desc

// Query 2 - Analyze suspected DNS tunneling top host from Query 1 by examining the DNS query in detail
// Look for sample generated DNS request like below:
// 0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.887.empty.6_1._t_i.3000.explorer_exe.156.rc2.a4h9uploading[.]com

let DNSHostnameLengthCheck = 40;
DnsEvents
| where TimeGenerated > ago(90d) 
| where SubType == "LookupQuery"
| where ClientIP == "10.10.10.10" // Replace top ClientIP from Query 1
| where strlen(Name) > DNSHostnameLengthCheck
| distinct Name

// MITRE ATT&CK MAPPING
// Application Layer Protocol: DNS (T1071.004)

Explanation

This query is designed for threat hunting, specifically to identify potential DNS tunneling activities within a network. DNS tunneling is a technique used by attackers to hide non-DNS data within DNS packets, allowing them to bypass traditional network defenses and potentially exfiltrate or infiltrate data covertly.

Here's a simplified breakdown of the query:

  1. Purpose: The query aims to detect suspicious DNS activities that might indicate DNS tunneling, a method used by attackers to secretly transfer data.

  2. Query 1:

    • Objective: Identify hosts (by their IP addresses) that might be involved in DNS tunneling.
    • Method:
      • It looks at DNS queries from the past 90 days.
      • Focuses on DNS queries of type "A" or "TXT" with unusually long hostnames (more than 40 characters).
      • Counts the number of unique DNS hostnames and query types for each client IP.
      • Sorts the results (descending by distinct query types, then by distinct long hostnames) to highlight the IPs most likely to be tunneling.
  3. Query 2:

    • Objective: Further investigate the top suspicious host identified in Query 1.
    • Method:
      • Examines detailed DNS queries from the suspicious IP address.
      • Looks for distinct, long DNS query names, which might be indicative of encoded data being transmitted.
  4. Context:

    • The query is part of a broader threat hunting strategy using Microsoft Sentinel and Microsoft Defender for Endpoint.
    • It references a real-world example from Palo Alto Networks Unit42, emphasizing the relevance and importance of detecting DNS tunneling.
  5. MITRE ATT&CK Mapping: The activity is mapped to the MITRE ATT&CK framework under "Application Layer Protocol: DNS (T1071.004)," which helps in understanding the technique used by attackers.

Overall, this query helps security analysts identify and investigate potential DNS tunneling activities, which could be a sign of malicious data exfiltration or infiltration.
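To make the two hunting steps concrete outside Sentinel, here is an added Python re-implementation (not the author's KQL) that applies the same filters and aggregation to constructed DnsEvents-style records; the ClientIP values, hostnames and `tunnel.example` suffix are made up for the demonstration.

```python
from collections import defaultdict

DNS_HOSTNAME_LENGTH_CHECK = 40  # same threshold as the KQL 'let' above

# Constructed DnsEvents-style records (not real telemetry); the long names mimic
# the chunked, hex-heavy labels described in the hunting comments.
SAMPLE_EVENTS = [
    {"ClientIP": "10.10.10.10", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.tunnel.example"},
    {"ClientIP": "10.10.10.10", "SubType": "LookupQuery", "QueryType": "TXT",
     "Name": "0018786967.96428381.05.5E43287B03114C04A64F68C0C23E44F4.n.157.tunnel.example"},
    {"ClientIP": "10.10.10.10", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "0018786968.96428382.06.5E43287B03114C04A64F68C0C23E44F4.n.158.tunnel.example"},
    {"ClientIP": "10.10.10.10", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "www.microsoft.com"},  # short name: filtered out by the length check
    {"ClientIP": "10.10.10.11", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "4a6f686e20446f652c206f6e652074776f207468726565.p1.tunnel.example"},
    {"ClientIP": "10.10.10.12", "SubType": "LookupQuery", "QueryType": "AAAA",
     "Name": "aabbccddeeff00112233445566778899aabbccddeeff.p2.tunnel.example"},  # not A/TXT
]

def suspicious_hosts(events, min_len=DNS_HOSTNAME_LENGTH_CHECK):
    """Query 1: per ClientIP, count distinct long A/TXT lookup names and distinct
    query types; returns (ClientIP, DNSQueriedHost, TotalQueryType) rows."""
    names, qtypes = defaultdict(set), defaultdict(set)
    for e in events:
        if e["SubType"] != "LookupQuery" or e["QueryType"] not in ("A", "TXT"):
            continue
        if len(e["Name"]) <= min_len:
            continue
        names[e["ClientIP"]].add(e["Name"])
        qtypes[e["ClientIP"]].add(e["QueryType"])
    rows = [(ip, len(names[ip]), len(qtypes[ip])) for ip in names]
    # KQL 'sort by' defaults to descending on every key
    rows.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return rows

def long_query_names(events, client_ip, min_len=DNS_HOSTNAME_LENGTH_CHECK):
    """Query 2: distinct long lookup names from one ClientIP. Like the original
    query it does not filter on QueryType, so any long lookup is returned."""
    return sorted({e["Name"] for e in events
                   if e["ClientIP"] == client_ip and e["SubType"] == "LookupQuery"
                   and len(e["Name"]) > min_len})

if __name__ == "__main__":
    ranked = suspicious_hosts(SAMPLE_EVENTS)
    for ip, hosts, types in ranked:
        print(f"{ip}: {hosts} distinct long names, {types} query types")
    top_ip = ranked[0][0]  # feed the top ClientIP into the Query 2 step
    for name in long_query_names(SAMPLE_EVENTS, top_ip):
        print(top_ip, "->", name)
```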

Details


Steven Lim

Released: October 5, 2024

Tables

DnsEvents

Keywords

DnsEvents, Microsoft Sentinel, SIEM, DefenderXDR, Microsoft Defender for Endpoint, DeviceEvents, Palo Alto Networks Unit42, MITRE ATT&CK

Operators

let, DnsEvents, |, where, >, ago(), ==, or, strlen(), summarize, dcount(), by, sort, desc, distinct
