Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DNSTunneling-Exfiltration.
Upgrade to ProDetect Data Exfiltration via DNS Tunneling Tools in IBM QRadar
Adversaries who cannot or will not exfiltrate over HTTP/S turn to DNS tunneling — encoding stolen data into the subdomain labels of outbound DNS queries and relying on an adversary-controlled authoritative nameserver to reassemble it. Because DNS is almost never blocked at the perimeter and is rarely inspected payload-by-payload, tools such as iodine, dnscat2, dns2tcp, DNSExfiltrator, and Cobalt Strike's DNS beacon can move stolen files, credential dumps, and keystrokes out of even tightly firewalled networks a few dozen bytes at a time. OilRig/APT34 has repeatedly used custom DNS tunneling malware (Helminth, DNSpionage) against Middle Eastern targets, and DNS-based exfiltration is a standard feature of numerous commodity C2 frameworks. The technique is distinct from generic 'Exfiltration Over C2 Channel' (T1041) because the DNS tunnel is frequently a dedicated side-channel independent of the primary C2 protocol, and from the base T1048.003 record because tunneling tools have identifiable protocol fingerprints (query volume, label entropy, label-length skew) beyond simple unencrypted-protocol abuse.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT
"DNS Query Domain" AS ApexDomain,
hostname AS Hostname,
username AS User,
COUNT(*) AS QueryCount,
UNIQUECOUNT("DNS Query Name") AS UniqueLabels,
AVG(LENGTH("DNS Query Name")) AS AvgQueryNameLen
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Sysmon', 'Infoblox NIOS', 'BIND DNS Server')
AND LENGTH("DNS Query Name") >= 30
AND starttime > NOW() - 86400000
GROUP BY "DNS Query Domain", hostname, username
HAVING COUNT(*) >= 50 AND UNIQUECOUNT("DNS Query Name") >= 40
ORDER BY QueryCount DESC QRadar AQL aggregation query implementing the DNS tunneling volumetric scoring model over Sysmon Event ID 22 or DNS server (Infoblox/BIND) log sources. Requires 'DNS Query Name' (full query name) and 'DNS Query Domain' (apex/registered domain) Custom Event Properties extracted via a Universal DSM regex or the vendor DSM's native DNS field mapping. Flags apex-domain/host/user groups with 50+ long query-name events and near-1:1 unique-label cardinality.
Data Sources
Required Tables
False Positives & Tuning
- CDN/cloud edge hostnames with legitimately long, high-entropy subdomain labels — build a QRadar reference set of known-good apex domains and exclude them from ApexDomain
- DNS-based service discovery or load-balancing systems (Consul, Kubernetes DNS) issuing high query volumes with structured labels
Other platforms for THREAT-DNSTunneling-Exfiltration
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated DNS Tunneling via Base32-Encoded Subdomain Query Burst
Expected signal: Sysmon Event ID 22 (DNS Query): 40 events with QueryName first-labels of 25-30 characters (Base64-derived), resolving against the internal test apex domain, initiated by powershell.exe. The queries will fail to resolve (no authoritative server configured) but the query attempt itself generates the required telemetry.
- Test 2High-Frequency Long-Label DNS Query Burst via nslookup
Expected signal: Sysmon Event ID 22: 25 DNS query events for nslookup.exe with 28-character random alphanumeric first labels at ~2-second intervals against the same test apex domain. Windows DNS Client operational log may also capture the resolution attempts.
References (7)
- https://attack.mitre.org/techniques/T1048/003/
- https://attack.mitre.org/techniques/T1041/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://github.com/yarrick/iodine
- https://github.com/iagox86/dnscat2
- https://www.mandiant.com/resources/blog/dnspionage-brings-new-tools
- https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-DNSTunneling-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (2)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-DNSTunnel-ExfilDNS Tunneling for Covert Data ExfiltrationUse for network-side DNS visibility — Zeek/Infoblox resolver logs and pcap; catches tunneling from hosts with no endpoint agent.
- THREAT-Exfiltration-ICMPTunnelData Exfiltration via ICMP TunnelingUse when the carrier is ICMP rather than DNS — pairs ping/tunneler process flags with firewall, NetFlow or Zeek ICMP records, which EDR network telemetry does not log.