Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DNSTunnel-Exfil.

Upgrade to Pro
THREAT-DNSTunnel-Exfil

DNS Tunneling for Covert Data Exfiltration

Exfiltration Last updated:

DNS tunneling encodes stolen data inside the query names (and occasionally TXT/NULL record responses) of DNS lookups, exploiting the fact that DNS is almost universally permitted outbound even in tightly filtered network environments. OilRig/APT34 has repeatedly built DNS-based communication into its custom malware families, using DNS resolution as both a C2 and exfiltration channel to survive proxy and firewall egress controls. FIN7 has used DNS tunneling against point-of-sale and retail environments where HTTP(S) egress was more tightly monitored than DNS. APT41 has deployed publicly available DNS tunneling frameworks such as dnscat2 during intrusions where direct HTTP(S) exfiltration was blocked. Commodity tooling in this space — iodine, dnscat2, DNSExfiltrator, and PacketWhisper — all share the same observable signature: large volumes of DNS queries for subdomains of an attacker-controlled domain, where the subdomain label itself is a base32/base64/hex-encoded chunk of stolen data, together with an abnormal skew toward TXT/NULL/CNAME query types and elevated NXDOMAIN rates (since many tunneling implementations use non-existent subdomains purely as a data-carrying vehicle). This detection deliberately focuses on DNS query-log analytics rather than endpoint process telemetry, since it catches tunneling traffic that a purely process-based detection would miss (e.g., DNS tunneling from a compromised network appliance, or malware that resolves names via direct socket calls rather than a monitored DNS client process) and is a good complement to the process-execution-based detections already covered on the parent T1048.003 page.

What is THREAT-DNSTunnel-Exfil DNS Tunneling for Covert Data Exfiltration?

DNS Tunneling for Covert Data Exfiltration (THREAT-DNSTunnel-Exfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for DNS Tunneling for Covert Data Exfiltration, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceEvents — DNS query telemetry), DNS server analytical/debug logs, Recursive resolver query logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// DNS tunneling detection using MDE DeviceEvents DNS telemetry
let LookbackWindow = 1h;
let MinLabelLength = 30; // long subdomain labels are the primary DNS-tunneling tell
let MinQueriesPerDomain = 50; // volume threshold for suspected tunneling over the window
DeviceEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType == "DnsQueryResponse"
| extend QueryName = tostring(parse_json(AdditionalFields).QueryName)
| extend QueryType = tostring(parse_json(AdditionalFields).QueryType)
| extend ResponseCode = tostring(parse_json(AdditionalFields).ResponseCode)
| where isnotempty(QueryName)
| extend Labels = split(QueryName, ".")
| extend LeftmostLabel = tostring(Labels[0])
| extend LeftmostLabelLength = strlen(LeftmostLabel)
| extend RegisteredDomain = strcat_array(array_slice(Labels, -2, -1), ".")
| summarize
    QueryCount = count(),
    UniqueSubdomains = dcount(QueryName),
    AvgLabelLength = avg(LeftmostLabelLength),
    MaxLabelLength = max(LeftmostLabelLength),
    TxtNullCnameCount = countif(QueryType in ("TXT", "NULL", "CNAME")),
    NxDomainCount = countif(ResponseCode =~ "NXDOMAIN"),
    Devices = make_set(DeviceName, 10)
  by RegisteredDomain, bin(Timestamp, 5m)
| where UniqueSubdomains >= MinQueriesPerDomain and AvgLabelLength >= MinLabelLength
| extend TunnelScore = (UniqueSubdomains / 10) + (AvgLabelLength / 5) + (TxtNullCnameCount * 2) + (NxDomainCount)
| sort by TunnelScore desc

Detects DNS tunneling by analysing DNS query telemetry (DeviceEvents ActionType == 'DnsQueryResponse') for the classic tunneling fingerprint: a high count of unique, long-labelled subdomains under a single parent domain within a short window, an elevated share of TXT/NULL/CNAME query types (the record types tunneling tools favour for higher per-query data capacity), and an elevated NXDOMAIN rate (many tunneling implementations do not require the queried name to resolve). DNS-specific fields are extracted from the AdditionalFields dynamic column. Tune MinLabelLength and MinQueriesPerDomain to your environment's baseline before enabling as a blocking alert.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint (DeviceEvents — DNS query telemetry) DNS server analytical/debug logs Recursive resolver query logs

Required Tables

DeviceEvents

False Positives

  • Content Delivery Networks and cloud services that legitimately use long, high-cardinality subdomains (e.g., certificate transparency-related lookups, some CDN edge routing) — baseline and allowlist known high-volume legitimate parent domains
  • Anti-malware and threat-intel feeds performing legitimate DNS sinkhole/reputation lookups against large domain lists
  • Software update mechanisms or telemetry clients that use per-device unique subdomains for rollout cohorting (some Microsoft and Google services do this) — allowlist known vendor domains
  • Email security gateways performing SPF/DKIM/DMARC TXT record lookups at volume, which can appear as elevated TXT query share

Sigma rule & cross-platform mapping

The detection logic for DNS Tunneling for Covert Data Exfiltration (THREAT-DNSTunnel-Exfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate DNS Tunneling Data Exfiltration via iodine

    Expected signal: DNS query logs showing a burst of long, base32-encoded subdomain queries against tunnel.testdomain.example with a high proportion of NULL/TXT query types.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-DNSTunnel-Exfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections