T1071.004 DNS Mappings

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

azure_sentinel | Azure Sentinel | technique_scores | T1071.004 | DNS
Comments: The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious DNS queries that may be indicative of command and control operations. "DNS - domain anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS lookups for commonly abused TLDs" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.

microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1071.004 | DNS
Comments: This control's "Suspicious communication over DNS (external ID 2031)" alert can detect malicious communication over DNS used for data exfiltration, command and control, and/or evading corporate network restrictions. The accuracy of this control is unknown and therefore its score has been assessed as Partial.

azure_policy | Azure Policy | technique_scores | T1071.004 | DNS
Comments: This control may provide recommendations to enable Azure Defender for DNS, which can monitor DNS queries between Azure applications for malicious traffic.

azure_alerts_for_network_layer | Azure Alerts for Network Layer | technique_scores | T1071.004 | DNS
Comments: This control can identify connections to known malicious sites. Scored Minimal since the malicious sites must already be on a block list for the control to detect them.

azure_dns_analytics | Azure DNS Analytics | technique_scores | T1071.004 | DNS
Comments: This control can be used forensically to identify clients that communicated with identified C2 hosts.

alerts_for_dns | Alerts for DNS | technique_scores | T1071.004 | DNS
Comments: This control can alert on anomalies and misuse of the DNS protocol.

azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1071.004 | DNS
Comments: This control can detect anomalous application protocol traffic with respect to network security groups (NSGs), though web traffic would typically be too commonplace for this control to be useful.
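The hunts described in the Azure Sentinel comments above (abnormally long DNS queries and anomalous lookup increases per client) and the technique's concealment of data inside query names can be prototyped as a small detection pass over DNS query logs. The Python below is an added example written for this page, not Azure Sentinel's own queries or code from the mapping project; the log lines, the `exfil-example.test` zone and the three thresholds are constructed for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client IP, queried name); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 www.microsoft.com
10.0.0.5 login.microsoftonline.com
10.0.0.9 a3f9c1e7b2d48f0e6c5a1b9d7e3f2c4a8b6d0e1f.exfil-example.test
10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.exfil-example.test
10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f00112233.exfil-example.test
10.0.0.5 update.example.org
"""

# Thresholds are assumptions for the demo; tune them against a baseline of your own traffic.
MAX_LABEL_LEN = 30        # a leftmost label longer than this is unusual for benign lookups
MIN_ENTROPY = 3.5         # bits per character; hex-encoded payloads approach 4.0, base64 up to 6.0
MAX_LOOKUPS_PER_ZONE = 2  # lookups of one zone by one client before it counts as an increase

def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_zone(qname: str) -> str:
    """Last two labels of the name; a stand-in for the registrable zone in this demo."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def hunt(log_text: str) -> dict:
    """Apply the three heuristics to each log line and return matches keyed by rule name."""
    findings = {"long_label": [], "high_entropy": [], "lookup_increase": []}
    lookups = defaultdict(int)  # (client, zone) -> number of queries seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        label = qname.rstrip(".").split(".")[0]  # the label a tunnel uses to carry data
        if len(label) > MAX_LABEL_LEN:
            findings["long_label"].append((client, qname))
        if shannon_entropy(label) > MIN_ENTROPY:
            findings["high_entropy"].append((client, qname))
        lookups[(client, parent_zone(qname))] += 1
    for (client, zone), n in lookups.items():
        if n > MAX_LOOKUPS_PER_ZONE:
            findings["lookup_increase"].append((client, zone, n))
    return findings
```

On the sample log only the 10.0.0.9 queries trip all three rules; real deployments should baseline the thresholds per environment, since CDN and telemetry hostnames routinely produce long or high-entropy labels.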