T1071.004 DNS Mappings

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection and network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, are embedded within the protocol traffic between the client and server.

DNS is a core administrative service in computer networking, so DNS traffic is very common in most environments, and it is frequently permitted outbound even before a host has completed network authentication. DNS messages contain many fields and headers (query names, record types, answer data) in which data can be concealed. In the technique commonly known as DNS tunneling, adversaries abuse DNS to communicate with systems under their control within a victim network while mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
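The following is an added example for this page, not code from MITRE ATT&CK or the mappings project. It shows both halves of what the paragraph describes: how a payload is concealed as base32 labels under an attacker-controlled zone, and a small resolver-log scorer of the kind the monitoring controls mapped below (CA-7, SI-4, SC-31) call for. The log format, the thresholds, the zone name c2-tunnel.test and every sample line are assumptions constructed for the demo.

```python
"""DNS tunneling, both sides: how a payload is concealed in query names, and a
resolver-log scorer that surfaces it.

Added example for this page; it is not code from MITRE ATT&CK or the mappings
project. The log format, the thresholds, the zone name c2-tunnel.test and all
sample traffic are assumptions constructed for the demo.
"""
import base64
import math
from collections import defaultdict

# Concealment: each payload chunk becomes one base32 label under an
# attacker-controlled zone, the "subdomain as uplink" pattern the text describes.
# Real tools add sequence numbers and a session id; omitted here for clarity.
def payload_to_qnames(payload, zone, chunk=30):
    names = []
    for i in range(0, len(payload), chunk):
        label = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{label}.{zone}")
    return names

# Constructed resolver log, one query per line: "<epoch> <client> <qtype> <qname>".
BENIGN_LINES = [
    "1700000000 10.0.0.5 A www.example.com",
    "1700000001 10.0.0.5 AAAA mail.example.com",
    "1700000002 10.0.0.7 A cdn.static-assets.net",
    "1700000007 10.0.0.5 A www.example.com",
]
TUNNEL_PAYLOAD = (b"whoami\nuser=svc-backup\nhost=fs01\n"
                  b"files: budget.xlsx, payroll.csv, vpn-config.ovpn\nnext: sleep 300\n")
TUNNEL_LINES = [
    f"17000001{i:02d} 10.0.0.9 TXT {qname}"
    for i, qname in enumerate(payload_to_qnames(TUNNEL_PAYLOAD, "c2-tunnel.test"))
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES)

# Detection thresholds (assumed; baseline them against your own traffic, per CM-2).
SUSPICIOUS_QTYPES = {"TXT", "NULL"}   # end hosts rarely need these; common tunnel carriers
MAX_LABEL_LEN = 30                     # hostnames are short; base32 chunks are not
MAX_ENTROPY = 3.8                      # bits per character of the subdomain part

def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def split_qname(qname, zone_labels=2):
    """'a.b.example.com' -> ('a.b', 'example.com'). Treats the last two labels as the
    zone (assumption); a production scorer would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def query_indicators(qtype, qname):
    """Per-query indicators; any hit makes the query 'suspicious'."""
    sub, _ = split_qname(qname)
    hits = []
    if qtype.upper() in SUSPICIOUS_QTYPES:
        hits.append("qtype")
    if sub and max(len(lab) for lab in sub.split(".")) >= MAX_LABEL_LEN:
        hits.append("long-label")
    if shannon_entropy(sub.replace(".", "")) >= MAX_ENTROPY:
        hits.append("entropy")
    return hits

def score_log(text, min_suspicious=3):
    """Aggregate per zone: tunnels show many unique, suspicious subdomains from few clients."""
    zones = defaultdict(lambda: {"queries": 0, "suspicious": 0,
                                 "subdomains": set(), "clients": set(), "indicators": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        _epoch, client, qtype, qname = line.split()
        sub, zone = split_qname(qname)
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["clients"].add(client)
        hits = query_indicators(qtype, qname)
        if hits:
            z["suspicious"] += 1
            z["indicators"].update(hits)
    report = {}
    for zone, z in zones.items():
        report[zone] = {
            "queries": z["queries"],
            "suspicious": z["suspicious"],
            "unique_subdomains": len(z["subdomains"]),
            "clients": len(z["clients"]),
            "indicators": sorted(z["indicators"]),
            # Volume plus variety: a few odd queries are noise; a stream of
            # never-repeating suspicious names under one zone is a channel.
            "flagged": z["suspicious"] >= min_suspicious
                       and len(z["subdomains"]) >= min_suspicious,
        }
    return report

def flagged_zones(text):
    return sorted(zone for zone, r in score_log(text).items() if r["flagged"])

if __name__ == "__main__":
    for zone, r in score_log(SAMPLE_LOG).items():
        print(f"{'FLAG' if r['flagged'] else '  ok'} {zone}: {r}")
```

Run as a script it prints one line per zone; only c2-tunnel.test is flagged, on the long-label and TXT indicators, while example.com and static-assets.net pass. The per-zone aggregation is the part worth keeping: individual long or high-entropy names occur in legitimate traffic (CDNs, anti-spam lookups, some telemetry), so a useful detector scores zones over a window rather than single queries, and the thresholds above need tuning against a baseline of your own resolver logs before they go into production.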


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1071.004 | Application Layer Protocol: DNS |
| AC-4 | Information Flow Enforcement | Protects | T1071.004 | Application Layer Protocol: DNS |
| CA-7 | Continuous Monitoring | Protects | T1071.004 | Application Layer Protocol: DNS |
| CM-2 | Baseline Configuration | Protects | T1071.004 | Application Layer Protocol: DNS |
| CM-6 | Configuration Settings | Protects | T1071.004 | Application Layer Protocol: DNS |
| CM-7 | Least Functionality | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-7 | Boundary Protection | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-10 | Network Disconnect | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-23 | Session Authenticity | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-31 | Covert Channel Analysis | Protects | T1071.004 | Application Layer Protocol: DNS |
| SC-37 | Out-of-band Channels | Protects | T1071.004 | Application Layer Protocol: DNS |
| SI-3 | Malicious Code Protection | Protects | T1071.004 | Application Layer Protocol: DNS |
| SI-4 | System Monitoring | Protects | T1071.004 | Application Layer Protocol: DNS |
| SI-10 | Information Input Validation | Protects | T1071.004 | Application Layer Protocol: DNS |
| SI-15 | Information Output Filtering | Protects | T1071.004 | Application Layer Protocol: DNS |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it is unclear whether it is a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1071.004 | Application Layer Protocol: DNS |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1071.004 | Application Layer Protocol: DNS |
| action.malware.variety.Unknown | Unknown | related-to | T1071.004 | Application Layer Protocol: DNS |