Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. In what is often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1071.004 | DNS | The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious DNS queries that may be indicative of command and control operations. "DNS - domain anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS lookups for commonly abused TLDs" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1071.004 | DNS | This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this control is unknown and therefore its score has been assessed as Partial. |
azure_policy | Azure Policy | technique_scores | T1071.004 | DNS | This control may provide recommendations to enable Azure Defender for DNS, which can monitor DNS queries between Azure applications for malicious traffic. |
azure_alerts_for_network_layer | Azure Alerts for Network Layer | technique_scores | T1071.004 | DNS | This control can identify connections to known malicious sites. Scored Minimal since the malicious sites must be on a block list. |
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1071.004 | DNS | This control can be used forensically to identify clients that communicated with identified C2 hosts. |
alerts_for_dns | Alerts for DNS | technique_scores | T1071.004 | DNS | Can alert on anomalies and misuse of the DNS protocol. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1071.004 | DNS | This control can detect anomalous application protocol traffic with respect to network security group (NSG) flows (though web traffic would typically be too commonplace for this control to be useful). |
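The Azure Sentinel hunting queries named in the table above rest on three simple signals: query names that are abnormally long, registered domains that are rarely looked up yet carry many distinct subdomains (each one a chunk of data), and a jump in lookup counts for a client/domain pair relative to a baseline window. The following is an added example, not Sentinel's own KQL or any Microsoft code, that re-implements those three heuristics in plain Python over a constructed DNS query log so the signals can be inspected and tuned. The log format, the `tunnel-example.net` and `example.com` names, the thresholds, and the naive "last two labels" registered-domain rule are all assumptions made for the example.

```python
"""Heuristic DNS-tunnelling hunt over a constructed query log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class DnsRecord:
    ts: int
    client: str
    qtype: str
    qname: str


# Constructed sample log (not real traffic): "epoch client qtype qname".
# 10.0.0.9 issues TXT queries whose first label is a 40-char hex payload.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.7 A www.example.com
1700000003 10.0.0.8 AAAA www.example.com
1700000004 10.0.0.9 TXT 4a6f686e20446f652073656e6420746865206669.7a3b9c1d.tunnel-example.net
1700000005 10.0.0.9 TXT 6c6573206e6f77206f722065766572797468696e.7a3b9c1d.tunnel-example.net
1700000006 10.0.0.9 TXT 672077696c6c2062652064656c65746564206279.7a3b9c1d.tunnel-example.net
1700000007 10.0.0.9 TXT 20746f6d6f72726f772e2e2e2074686520656e64.7a3b9c1d.tunnel-example.net
1700000008 10.0.0.9 TXT 2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e.7a3b9c1d.tunnel-example.net
1700000009 10.0.0.9 A www.example.com
"""


def parse_log(text: str) -> list[DnsRecord]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append(DnsRecord(int(ts), client, qtype, qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registered domain.
    # A real deployment would consult a public-suffix list instead.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex- or base32-encoded payload labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def long_queries(records, max_len=60):
    """'Abnormally Long DNS URI queries': full names longer than max_len.
    Returns (qname, length, entropy of the longest label) for triage."""
    hits = []
    for r in records:
        if len(r.qname) > max_len:
            longest = max(r.qname.split("."), key=len)
            hits.append((r.qname, len(r.qname), round(shannon_entropy(longest), 2)))
    return hits


def rare_domains_with_data(records, max_clients=1, min_unique_names=4):
    """'RareDNSLookupWithDataTransfer': a registered domain seen from very few
    clients but queried with many distinct names (each name carrying data)."""
    clients, names = defaultdict(set), defaultdict(set)
    for r in records:
        dom = registered_domain(r.qname)
        clients[dom].add(r.client)
        names[dom].add(r.qname)
    return sorted(
        (dom, len(clients[dom]), len(names[dom]))
        for dom in clients
        if len(clients[dom]) <= max_clients and len(names[dom]) >= min_unique_names
    )


def lookup_increase(records, baseline, min_ratio=5.0):
    """'DNS - domain anomalous lookup increase': (client, domain) pairs whose
    count in this window is at least min_ratio times their baseline count
    (a pair absent from the baseline is treated as having a count of 1)."""
    current = Counter((r.client, registered_domain(r.qname)) for r in records)
    return sorted(
        (client, dom, n)
        for (client, dom), n in current.items()
        if n >= min_ratio * max(baseline.get((client, dom), 0), 1)
    )


# Constructed baseline from an earlier window: only benign example.com traffic.
BASELINE = Counter({("10.0.0.5", "example.com"): 2, ("10.0.0.7", "example.com"): 1})


def run_hunt(log_text=SAMPLE_LOG, baseline=BASELINE):
    records = parse_log(log_text)
    return {
        "long_queries": long_queries(records),
        "rare_domains": rare_domains_with_data(records),
        "lookup_increase": lookup_increase(records, baseline),
    }


if __name__ == "__main__":
    for signal, hits in run_hunt().items():
        print(signal)
        for hit in hits:
            print("   ", hit)
```

On the constructed log all three signals converge on the same client and domain, which is the point of running them together: a long query name alone is a weak indicator (CDNs and some security products legitimately generate long names), but a long name from a domain that only one client resolves, with a lookup count far above that client's baseline, is worth an analyst's time. The thresholds are deliberately exposed as parameters because, as the Sentinel note says of the rare-lookup query, the results depend entirely on what counts as "rare" in a given environment.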