
DET0400 Behavioral Detection of DNS Tunneling and Application Layer Abuse

ID: DET0400
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1071.004 (DNS)

Analytics

Windows

AN1121

Detects high-frequency or anomalous DNS queries initiated by non-browser, non-system processes (e.g., PowerShell, rundll32, python.exe) used to establish command and control via DNS tunneling.

Log Sources
Data Component Name | Channel
Network Connection Creation (DC0082) | WinEventLog:Sysmon EventCode=3, 22
Network Traffic Content (DC0085) | NSM:Flow dns.log

Mutable Elements
Field | Description
QueryLengthThreshold | Subdomain length above which base32/base64-encoded payloads are suspected
ProcessImageFilter | Flags non-standard executables making DNS queries
TimeWindow | Interval over which the per-process query rate is measured

Linux

AN1122

Detects local daemons or scripts generating outbound DNS queries with long or frequent subdomains, indicative of DNS tunneling via tools like iodine, dnscat2, or dig from cronjobs or reverse shells.

Log Sources
Data Component Name | Channel
Process Creation (DC0032) | auditd:SYSCALL execve
Network Traffic Content (DC0085) | NSM:Flow dns.log

Mutable Elements
Field | Description
SubdomainEntropyScore | Detects encoded payloads or randomness in DNS labels
DaemonAllowList | Allowlisted system daemons expected to perform frequent lookups

macOS

AN1123

Detects scripting environments (AppleScript, osascript, curl) or non-native tools performing DNS queries with encoded subdomains, often used for data exfiltration or beaconing.

Log Sources
Data Component Name | Channel
Network Traffic Flow (DC0078) | macos:unifiedlog log stream 'eventMessage contains "dns_request"'

Mutable Elements
Field | Description
EntropyThreshold | Tunable threshold for randomness in subdomain labels
UncommonProcessContext | Filters on user-launched or cron-based queries

Network Devices

AN1124

Detects clients issuing DNS queries with high volume, long subdomain lengths, encoded payload patterns, or to known malicious infrastructure; indicative of DNS-based C2 channels.

Log Sources
Data Component Name | Channel
Network Traffic Content (DC0085) | NSM:Flow dns.log

Mutable Elements
Field | Description
DomainReputationFeed | List of suspicious/malicious C2 domains
QueryRatePerClient | Tunable burst rate per IP per second

ESXi

AN1125

Detects unusual outbound DNS traffic from ESXi hosts, often from shell scripts, custom daemons, or malicious VIBs interacting with external DNS infrastructure outside the management plane.

Log Sources
Data Component Name | Channel
Network Traffic Flow (DC0078) | esxi:syslog /var/log/syslog.log
Network Traffic Content (DC0085) | NSM:Flow dns.log

Mutable Elements
Field | Description
OutboundDNSVolume | Threshold for data volume and query frequency from ESXi IPs
KnownGoodVIBs | Baseline of known packages for allowlist comparison
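A worked detection sketch, added here as an example and not part of the DET0400 entry itself, that applies the tunables from AN1121, AN1122 and AN1124 (subdomain length, label entropy, per-client burst rate, process allow/flag lists) to constructed Zeek-style dns.log JSON records. The threshold values, the allow/filter lists and the "proc" enrichment field are assumptions, not values the strategy prescribes.

```python
import json
import math
from collections import Counter, defaultdict

# Tunables mirroring the page's mutable elements; the values here are assumptions.
QUERY_LENGTH_THRESHOLD = 40   # QueryLengthThreshold: characters in the subdomain part
ENTROPY_THRESHOLD = 3.5       # SubdomainEntropyScore / EntropyThreshold, bits per character
QUERY_RATE_PER_CLIENT, TIME_WINDOW = 5, 10.0   # QueryRatePerClient queries within TimeWindow seconds
DAEMON_ALLOW_LIST = {"systemd-resolved", "unbound"}                      # DaemonAllowList
PROCESS_IMAGE_FILTER = {"powershell.exe", "rundll32.exe", "python.exe"}  # ProcessImageFilter

def shannon_entropy(s: str) -> float:
    """Bits per character of s; base32/base64-encoded labels score high, plain words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def subdomain(query: str) -> str:
    """Labels left of the registrable domain (assumes a two-label apex such as example.net)."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""

def analyze(lines):
    """Return (ts, client, query, reasons) for every record that trips at least one rule."""
    alerts, recent = [], defaultdict(list)   # recent: client -> timestamps inside TIME_WINDOW
    for line in lines:
        rec = json.loads(line)
        if rec.get("proc") in DAEMON_ALLOW_LIST:   # expected resolver daemons are skipped
            continue
        ts, client, sub = rec["ts"], rec["id.orig_h"], subdomain(rec["query"])
        reasons = []
        if rec.get("proc") in PROCESS_IMAGE_FILTER:
            reasons.append("suspicious_process")
        if len(sub) > QUERY_LENGTH_THRESHOLD:
            reasons.append("long_subdomain")
        if shannon_entropy(sub.replace(".", "")) > ENTROPY_THRESHOLD:
            reasons.append("high_entropy")
        recent[client] = [t for t in recent[client] if ts - t <= TIME_WINDOW] + [ts]
        if len(recent[client]) > QUERY_RATE_PER_CLIENT:
            reasons.append("burst_rate")
        if reasons:
            alerts.append((ts, client, rec["query"], reasons))
    return alerts

# Constructed sample records in Zeek-style dns.log JSON; "proc" is an assumed enrichment field.
SAMPLE_LOG = [
    '{"ts": 100.0, "id.orig_h": "10.0.0.5", "query": "www.example.com", "proc": "firefox.exe"}',
    '{"ts": 100.2, "id.orig_h": "10.0.0.5", "query": "cdn.example.com", "proc": "systemd-resolved"}',
] + [json.dumps({"ts": 100.0 + 0.1 * i, "id.orig_h": "10.0.0.9", "proc": "powershell.exe",
                 "query": "abcdefghijklmnopqrstuvwxyz234567.abcdefgh.example.net"}) for i in range(6)]
```

Running `analyze(SAMPLE_LOG)` flags only the six scripted queries from 10.0.0.9; the sixth additionally trips the burst rule because it is the sixth query from that client inside the window.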