Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DNSTunneling-Exfiltration.

Upgrade to Pro
THREAT-DNSTunneling-Exfiltration

Data Exfiltration via DNS Tunneling Tools

Exfiltration Last updated:

Adversaries who cannot or will not exfiltrate over HTTP/S turn to DNS tunneling — encoding stolen data into the subdomain labels of outbound DNS queries and relying on an adversary-controlled authoritative nameserver to reassemble it. Because DNS is almost never blocked at the perimeter and is rarely inspected payload-by-payload, tools such as iodine, dnscat2, dns2tcp, DNSExfiltrator, and Cobalt Strike's DNS beacon can move stolen files, credential dumps, and keystrokes out of even tightly firewalled networks a few dozen bytes at a time. OilRig/APT34 has repeatedly used custom DNS tunneling malware (Helminth, DNSpionage) against Middle Eastern targets, and DNS-based exfiltration is a standard feature of numerous commodity C2 frameworks. The technique is distinct from generic 'Exfiltration Over C2 Channel' (T1041) because the DNS tunnel is frequently a dedicated side-channel independent of the primary C2 protocol, and from the base T1048.003 record because tunneling tools have identifiable protocol fingerprints (query volume, label entropy, label-length skew) beyond simple unencrypted-protocol abuse.

What is THREAT-DNSTunneling-Exfiltration Data Exfiltration via DNS Tunneling Tools?

Data Exfiltration via DNS Tunneling Tools (THREAT-DNSTunneling-Exfiltration) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration via DNS Tunneling Tools, covering the data sources and telemetry it touches: Network Traffic: Network Traffic Content, DNS Server: DNS Traffic, Microsoft Defender for Endpoint (DeviceDnsEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let LookbackWindow = 24h;
let MinQueriesPerApex = 50; // Tunneling tools issue dozens-to-hundreds of queries per file
let MinLabelLen = 20; // encoded chunks are long, unlike normal hostnames
let MinAvgLabelLen = 28; // tunneling tools pack labels close to the 63-byte DNS label ceiling to maximize payload-per-query
DeviceDnsEvents
| where Timestamp > ago(LookbackWindow)
| where isnotempty(QueryName)
// NOTE: DeviceDnsEvents has no record-type (A/TXT/NULL) column, so this model
// relies on volume, label cardinality, and label-length skew only.
| extend Labels = split(QueryName, ".")
| extend FirstLabel = tostring(Labels[0])
| extend FirstLabelLen = strlen(FirstLabel)
| extend ApexDomain = strcat(tostring(Labels[array_length(Labels) - 2]), ".", tostring(Labels[array_length(Labels) - 1]))
| where FirstLabelLen >= MinLabelLen
| summarize
    QueryCount = count(),
    UniqueLabels = dcount(FirstLabel),
    AvgLabelLen = avg(FirstLabelLen),
    MaxLabelLen = max(FirstLabelLen),
    SampleLabels = make_set(FirstLabel, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, ApexDomain
| extend IsHighVolume = QueryCount >= MinQueriesPerApex
| extend IsHighCardinality = UniqueLabels >= (MinQueriesPerApex * 0.8) // near-1:1 label:query ratio == data-bearing, not caching
| extend IsLongLabelSkewed = AvgLabelLen >= MinAvgLabelLen
| extend TunnelScore = tolong(IsHighVolume) + tolong(IsHighCardinality) + tolong(IsLongLabelSkewed)
| where TunnelScore >= 2
| project FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
    ApexDomain, QueryCount, UniqueLabels, AvgLabelLen, MaxLabelLen,
    SampleLabels, TunnelScore
| sort by TunnelScore desc, QueryCount desc

Detects DNS tunneling exfiltration by grouping DNS queries per device/process/apex-domain and scoring three fingerprints of tunneling tools (iodine, dnscat2, dns2tcp, DNSExfiltrator): (1) high query volume to a single apex domain, (2) near-1:1 ratio of unique first-labels to total queries — meaning each query carries a distinct data chunk rather than repeating a cached name, and (3) a first-label length skewed toward the maximum, indicating labels are packed with encoded payload rather than a normal hostname. A composite score of 2+ across an ApexDomain/device pair triggers the alert. DeviceDnsEvents does not expose a DNS record-type column, so this model intentionally does not attempt to key on TXT/NULL record skew.

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content DNS Server: DNS Traffic Microsoft Defender for Endpoint (DeviceDnsEvents)

Required Tables

DeviceDnsEvents

False Positives

  • CDN and cloud-service hostnames that legitimately use long, high-entropy subdomain labels (e.g. S3 pre-signed URLs, Akamai edge hostnames, Zoom/Teams media relay FQDNs)
  • Security and observability tooling that piggybacks telemetry over DNS queries (some EDR agents, some DNS-based threat-intel feeds)
  • Legitimate DNS-based load balancing or service discovery (Consul, some Kubernetes DNS setups) that issues high query volumes with structured but high-entropy-looking labels
  • Anti-spam DNSBL/RBL lookups, which can generate high query volume with encoded-looking labels (reversed IP octets) against a small set of apex domains

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via DNS Tunneling Tools (THREAT-DNSTunneling-Exfiltration) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated DNS Tunneling via Base32-Encoded Subdomain Query Burst

    Expected signal: Sysmon Event ID 22 (DNS Query): 40 events with QueryName first-labels of 25-30 characters (Base64-derived), resolving against the internal test apex domain, initiated by powershell.exe. The queries will fail to resolve (no authoritative server configured) but the query attempt itself generates the required telemetry.

  2. Test 2High-Frequency Long-Label DNS Query Burst via nslookup

    Expected signal: Sysmon Event ID 22: 25 DNS query events for nslookup.exe with 28-character random alphanumeric first labels at ~2-second intervals against the same test apex domain. Windows DNS Client operational log may also capture the resolution attempts.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-DNSTunneling-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections