Detect DNS in Sumo Logic CSE
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. DNS beaconing may be used to send commands to remote systems via DNS queries. The commands may be embedded into different DNS records, for example, TXT or A records.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1071 Application Layer Protocol
- Sub-technique
- T1071.004 DNS
- Canonical reference
- https://attack.mitre.org/techniques/T1071/004/
Sumo Detection Query
_sourceCategory=*dns* OR _sourceCategory=*network/dns*
| where type in ("TXT", "NULL", "CNAME", "MX", "A", "AAAA")
| eval domain_length = length(query_name)
| eval subdomain_count = length(query_name) - length(replace(query_name, ".", ""))
| where domain_length > 50 OR subdomain_count > 5
| parse regex field=query_name "(?:[^.]+[.])*(?<top_domain>[^.]+[.][^.]+)$"
| count as QueryCount, count_distinct(query_name) as UniqueSubdomains, avg(domain_length) as AvgDomainLength, max(domain_length) as MaxDomainLength by src_ip, top_domain
| where QueryCount > 20 AND UniqueSubdomains > 10 AND AvgDomainLength > 40
| eval TunnelConfidence = if(UniqueSubdomains > 100 AND AvgDomainLength > 60, "high", if(UniqueSubdomains > 50 AND AvgDomainLength > 50, "high", "medium"))
| eval BytesEstimate = round(UniqueSubdomains * (AvgDomainLength - length(top_domain) - 1))
| fields src_ip, top_domain, QueryCount, UniqueSubdomains, AvgDomainLength, MaxDomainLength, TunnelConfidence, BytesEstimate
| sort by QueryCount descDetects DNS tunneling (T1071.004) in Sumo Logic by aggregating DNS query log events over the search time range. Extracts the registered apex domain from each query FQDN, then computes per-source-IP statistics including query count, unique subdomain count, and average domain length. A BytesEstimate field provides a rough heuristic for encoded data volume transferred through the suspected tunnel, useful for prioritisation during triage.
Data Sources
Required Tables
False Positives & Tuning
- Cloud storage providers encode bucket names, request IDs, or routing tokens in subdomains — large enterprises querying AWS S3 presigned URL domains or Azure Blob Storage FQDNs will regularly exceed both length and uniqueness thresholds
- ACME certificate renewal systems performing DNS-01 challenges create one-time long TXT record queries per domain per renewal cycle, generating bursts from web server or automation pipeline IPs
- Network vulnerability scanners and DNS brute-force enumeration tools performing subdomain discovery against internal zones produce high volumes of unique subdomain queries from scanner IPs that match all detection thresholds
Other platforms for T1071.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS TXT Record Tunneling Simulation
Expected signal: DNS query logs showing 20 TXT record queries to unique subdomains under c2test.localhost with base32-encoded subdomain prefixes. Sysmon Event ID 22 (if available) showing dig process making DNS queries.
- Test 2DNS Beaconing via nslookup
Expected signal: Sysmon Event ID 22: DNS Query for each nslookup execution with QueryName containing COMPUTERNAME and random values under beacon.localhost. Sysmon Event ID 1: nslookup.exe process creation. 10 queries at 5-second intervals.
- Test 3High-Volume DNS Query Burst
Expected signal: DNS query logs showing 100 A record queries to unique 30-character random subdomains under exfil.localhost in rapid succession. Total estimated data capacity: ~3KB encoded in subdomain labels.
References (7)
- https://attack.mitre.org/techniques/T1071/004/
- https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling
- https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
Unlock Pro Content
Get the full detection package for T1071.004 including response playbook, investigation guide, and atomic red team tests.