T1071.004 DNS Mappings

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1071.004 DNS
AC-4 Information Flow Enforcement Protects T1071.004 DNS
CA-7 Continuous Monitoring Protects T1071.004 DNS
CM-2 Baseline Configuration Protects T1071.004 DNS
CM-6 Configuration Settings Protects T1071.004 DNS
CM-7 Least Functionality Protects T1071.004 DNS
SC-10 Network Disconnect Protects T1071.004 DNS
SC-20 Secure Name/address Resolution Service (authoritative Source) Protects T1071.004 DNS
SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver) Protects T1071.004 DNS
SC-22 Architecture and Provisioning for Name/address Resolution Service Protects T1071.004 DNS
SC-23 Session Authenticity Protects T1071.004 DNS
SC-31 Covert Channel Analysis Protects T1071.004 DNS
SC-37 Out-of-band Channels Protects T1071.004 DNS
SC-7 Boundary Protection Protects T1071.004 DNS
SI-10 Information Input Validation Protects T1071.004 DNS
SI-15 Information Output Filtering Protects T1071.004 DNS
SI-3 Malicious Code Protection Protects T1071.004 DNS
SI-4 System Monitoring Protects T1071.004 DNS
azure_sentinel Azure Sentinel technique_scores T1071.004 DNS
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1071.004 DNS
azure_policy Azure Policy technique_scores T1071.004 DNS
azure_alerts_for_network_layer Azure Alerts for Network Layer technique_scores T1071.004 DNS
azure_dns_analytics Azure DNS Analytics technique_scores T1071.004 DNS
alerts_for_dns Alerts for DNS technique_scores T1071.004 DNS
azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1071.004 DNS