T1071.004 DNS

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1071.004 DNS
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
    PR.IR-01.02 Network device configurations Mitigates T1071.004 DNS
    Comments
    This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols.
    References
      DE.CM-01.01 Intrusion detection and prevention Mitigates T1071.004 DNS
      Comments
      This diagnostic statement protects against adversaries that may try to utilize DNS protocol to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
      References
        PR.IR-04.01 Utilization monitoring Mitigates T1071.004 DNS
        Comments
        This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
        References
          PR.IR-01.03 Network communications integrity and availability Mitigates T1071.004 DNS
          Comments
          This diagnostic statement protects against DNS through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
          References
            PR.PS-01.08 End-user device protection Mitigates T1071.004 DNS
            Comments
            This diagnostic statement protects against DNS through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
            References

              NIST 800-53 Mappings

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Other Other related-to T1071.004 DNS

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              alerts_for_azure_network_layer Alerts for Azure Network Layer technique_scores T1071.004 DNS
              Comments
              This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
              References
              alerts_for_dns Alerts for DNS technique_scores T1071.004 DNS
              Comments
              Can alert on anomalies and misuse of the DNS protocol.
              References
              azure_dns_analytics Azure DNS Analytics technique_scores T1071.004 DNS
              Comments
              This control can be used forensically to identify clients that communicated with identified C2 hosts.
              References
              azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1071.004 DNS
              Comments
              This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).
              References
              azure_policy Azure Policy technique_scores T1071.004 DNS
              Comments
              This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.
              References

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              security_command_center Security Command Center technique_scores T1071.004 DNS
              Comments
              SCC is able to ingest Cloud DNS logs and detect DNS queries that could indicate active Log4j vulnerable to remote code execution. Because of the near-real time temporal factor for detection this control was graded as significant.
              References

              AWS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              amazon_guardduty Amazon GuardDuty technique_scores T1071.004 DNS
              Comments
              GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation
              References
                aws_network_firewall AWS Network Firewall technique_scores T1071.004 DNS
                Comments
                AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.
                References