Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DNSTunneling-Exfiltration.

Upgrade to Pro
THREAT-DNSTunneling-Exfiltration Splunk · SPL

Detect Data Exfiltration via DNS Tunneling Tools in Splunk

Adversaries who cannot or will not exfiltrate over HTTP/S turn to DNS tunneling — encoding stolen data into the subdomain labels of outbound DNS queries and relying on an adversary-controlled authoritative nameserver to reassemble it. Because DNS is almost never blocked at the perimeter and is rarely inspected payload-by-payload, tools such as iodine, dnscat2, dns2tcp, DNSExfiltrator, and Cobalt Strike's DNS beacon can move stolen files, credential dumps, and keystrokes out of even tightly firewalled networks a few dozen bytes at a time. OilRig/APT34 has repeatedly used custom DNS tunneling malware (Helminth, DNSpionage) against Middle Eastern targets, and DNS-based exfiltration is a standard feature of numerous commodity C2 frameworks. The technique is distinct from generic 'Exfiltration Over C2 Channel' (T1041) because the DNS tunnel is frequently a dedicated side-channel independent of the primary C2 protocol, and from the base T1048.003 record because tunneling tools have identifiable protocol fingerprints (query volume, label entropy, label-length skew) beyond simple unencrypted-protocol abuse.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval Labels=split(QueryName, ".")
| eval FirstLabel=mvindex(Labels, 0)
| eval FirstLabelLen=len(FirstLabel)
| eval LabelCount=mvcount(Labels)
| eval ApexDomain=mvindex(Labels, LabelCount-2) . "." . mvindex(Labels, LabelCount-1)
| where FirstLabelLen >= 20
| stats
    count as QueryCount,
    dc(FirstLabel) as UniqueLabels,
    avg(FirstLabelLen) as AvgLabelLen,
    max(FirstLabelLen) as MaxLabelLen,
    values(FirstLabel) as SampleLabels
    by host, User, Image, ApexDomain
| eval IsHighVolume=if(QueryCount>=50, 1, 0)
| eval IsHighCardinality=if(UniqueLabels>=40, 1, 0)
| eval IsLongLabelSkewed=if(AvgLabelLen>=28, 1, 0)
| eval TunnelScore=IsHighVolume+IsHighCardinality+IsLongLabelSkewed
| where TunnelScore>=2
| table host, User, Image, ApexDomain, QueryCount, UniqueLabels, AvgLabelLen, MaxLabelLen, SampleLabels, TunnelScore
| sort - TunnelScore, - QueryCount
high severity medium confidence

Splunk equivalent of the DNS tunneling scoring model, built on Sysmon Event ID 22 (DNS Query). Sysmon's DNS query event only exposes QueryName, QueryStatus, and the initiating Image — it has no query-type (A/TXT/NULL) field, so unlike record-type-based Sigma rules this query buckets queries by host/process/apex-domain and scores on label-length statistics: query volume, label cardinality, and average first-label length skewed toward the DNS label maximum. Flags groups where at least two of three fingerprints are present.

Data Sources

Sysmon Event ID 22 (DNS Query)DNS server query logs (BIND, Windows DNS debug logging)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • CDN/cloud edge hostnames with legitimately long, high-entropy subdomain labels
  • DNS-based service discovery or load-balancing systems issuing high query volumes
  • Anti-spam DNSBL/RBL reputation lookups against a small set of apex domains

Other platforms for THREAT-DNSTunneling-Exfiltration


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated DNS Tunneling via Base32-Encoded Subdomain Query Burst

    Expected signal: Sysmon Event ID 22 (DNS Query): 40 events with QueryName first-labels of 25-30 characters (Base64-derived), resolving against the internal test apex domain, initiated by powershell.exe. The queries will fail to resolve (no authoritative server configured) but the query attempt itself generates the required telemetry.

  2. Test 2High-Frequency Long-Label DNS Query Burst via nslookup

    Expected signal: Sysmon Event ID 22: 25 DNS query events for nslookup.exe with 28-character random alphanumeric first labels at ~2-second intervals against the same test apex domain. Windows DNS Client operational log may also capture the resolution attempts.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-DNSTunneling-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections