T1071.004 Google Chronicle · YARA-L

Detect DNS in Google Chronicle

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. DNS beaconing may be used to send commands to remote systems via DNS queries. The commands may be embedded into different DNS records, for example, TXT or A records.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1071 Application Layer Protocol
Sub-technique: T1071.004 DNS
Canonical reference: https://attack.mitre.org/techniques/T1071/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule dns_tunneling_long_subdomain_t1071_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DNS tunneling via high-volume long subdomain queries (T1071.004)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    // network.dns.questions.type is a numeric DNS RR type in UDM, so the
    // record types of interest are matched by their IANA codes
    (
      $e.network.dns.questions.type = 16 or   // TXT
      $e.network.dns.questions.type = 10 or   // NULL
      $e.network.dns.questions.type = 5 or    // CNAME
      $e.network.dns.questions.type = 15 or   // MX
      $e.network.dns.questions.type = 1 or    // A
      $e.network.dns.questions.type = 28      // AAAA
    )
    // Either an unusually long query name or one with five or more labels
    (
      re.regex($e.network.dns.questions.name, `.{50,}`) or
      re.regex($e.network.dns.questions.name, `(?:[^.]+[.]){5,}`)
    )
    $src_ip = $e.principal.ip
    // Registered apex approximated as the last two labels of the query name
    $top_domain = re.capture(
      $e.network.dns.questions.name,
      `[^.]+[.][^.]+$`
    )

  match:
    $src_ip, $top_domain over 24h

  outcome:
    $query_count = count($e.metadata.id)
    $unique_subdomains = count_distinct($e.network.dns.questions.name)
    $max_domain_length = max(strings.length($e.network.dns.questions.name))
    $tunnel_confidence = if(
      $unique_subdomains > 100 and $max_domain_length > 60, "high",
      if($unique_subdomains > 50 and $max_domain_length > 50, "high", "medium")
    )

  condition:
    #e > 20 and $unique_subdomains > 10
}

YARA-L 2.0 detection rule for Google Chronicle SecOps that identifies DNS tunneling (T1071.004) by detecting source IPs making high volumes of DNS queries with anomalously long subdomain names. Aggregates UDM NETWORK_DNS events over 24-hour sliding windows grouped by source IP and registered apex domain. Triggers when a host exceeds 20 matching queries with more than 10 unique long subdomains — a threshold combination that distinguishes tunneling from normal CDN and update traffic patterns.

Data Sources

  • Google Chronicle UDM (NETWORK_DNS events)
  • DNS forwarder logs ingested via Chronicle Ingestion API
  • Palo Alto Networks DNS Security logs forwarded to Chronicle
  • Cisco Umbrella logs via Chronicle connector
  • Infoblox NIOS via Chronicle connector

Required Tables

UDM events with metadata.event_type = NETWORK_DNS

False Positives & Tuning

  • Google and Akamai DNS-based load balancing infrastructure generates long unique subdomain sequences from corporate client IPs — known CDN and cloud provider apex domains should be excluded via a reference list in the rule's events section
  • Automated certificate management tooling (ACME DNS-01 validation via cert-manager or acme.sh) creates distinct long TXT record queries from CI/CD pipeline or Kubernetes controller IPs during certificate issuance
  • Enterprise EDR and XDR solutions beaconing to cloud telemetry endpoints using device-specific encoded hostnames produce the long-unique-subdomain signature from endpoint IP addresses at scale
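As an added illustration (not part of this page or the Argus rule), the Python below re-implements the rule's grouping by source IP and apex domain, its regexes, and its count thresholds over constructed UDM-style events, and applies the apex-domain allowlist that the tuning notes above recommend; the event shape, the `ALLOWLIST` contents and all sample names are assumptions.

```python
import re
from collections import defaultdict

# Constructed UDM-style NETWORK_DNS events (not real telemetry). Host .5 issues
# many long, deep, unique queries under one apex; host .9 makes ordinary
# lookups; host .7 looks tunnel-like but hits an allowlisted CDN apex.
EVENTS = (
    [{"src_ip": "10.0.0.5", "qtype": 16, "name": f"{'abcdefghij' * 6}{i:03d}.x.y.z.w.tunnel.example"}
     for i in range(25)]
    + [{"src_ip": "10.0.0.9", "qtype": 1, "name": f"www{i}.example.com"} for i in range(25)]
    + [{"src_ip": "10.0.0.7", "qtype": 1, "name": f"{'e' * 55}{i:03d}.cdn-provider.example"}
       for i in range(25)]
)

RR_TYPES = {1, 5, 10, 15, 16, 28}                 # A, CNAME, NULL, MX, TXT, AAAA
LONG_NAME = re.compile(r".{50,}")                 # same regexes as the rule
DEEP_NAME = re.compile(r"(?:[^.]+[.]){5,}")
APEX = re.compile(r"[^.]+[.][^.]+$")
ALLOWLIST = {"cdn-provider.example"}              # assumed stand-in for a reference list


def detect(events):
    """Group matching queries by (src_ip, apex) and apply the rule's thresholds."""
    groups = defaultdict(list)
    for ev in events:
        name = ev["name"]
        if ev["qtype"] not in RR_TYPES:
            continue
        if not (LONG_NAME.search(name) or DEEP_NAME.search(name)):
            continue
        apex = APEX.search(name).group(0)
        if apex in ALLOWLIST:                     # tuning: skip known CDN/cloud apexes
            continue
        groups[(ev["src_ip"], apex)].append(name)

    findings = {}
    for key, names in groups.items():
        uniq = len(set(names))
        max_len = max(len(n) for n in names)
        if len(names) > 20 and uniq > 10:         # condition: #e > 20 and uniques > 10
            high = (uniq > 100 and max_len > 60) or (uniq > 50 and max_len > 50)
            findings[key] = {
                "query_count": len(names),
                "unique_subdomains": uniq,
                "max_domain_length": max_len,
                "tunnel_confidence": "high" if high else "medium",
            }
    return findings
```

Only the first host is reported; the allowlisted CDN traffic is dropped before aggregation, which is the same effect the reference-list exclusion has in the rule's events section.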

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DNS TXT Record Tunneling Simulation

    Expected signal: DNS query logs showing 20 TXT record queries to unique subdomains under c2test.localhost with base32-encoded subdomain prefixes. Sysmon Event ID 22 (if available) showing dig process making DNS queries.

  2. Test 2: DNS Beaconing via nslookup

    Expected signal: Sysmon Event ID 22: DNS Query for each nslookup execution with QueryName containing COMPUTERNAME and random values under beacon.localhost. Sysmon Event ID 1: nslookup.exe process creation. 10 queries at 5-second intervals.

  3. Test 3: High-Volume DNS Query Burst

    Expected signal: DNS query logs showing 100 A record queries to unique 30-character random subdomains under exfil.localhost in rapid succession. Total estimated data capacity: ~3KB encoded in subdomain labels.
