detection.wiki

ATT&CK coverage › Technique

Application Layer Protocol: DNS T1071.004

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Sysmon22DNSEvent (DNS query)
Security-Auditing4662An operation was performed on an object.
Security-Auditing4688A new process has been created.
Security-Auditing5136A directory service object was modified.
Security-Auditing5137A directory service object was created.
DNS-Client3008DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 14 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventID5eq 522, "4662", "5136", "5137", 5137
QueryName4match 3, starts_with 2, in 1.stage.123456., aaa.stage., post.1, lihi.cc, reurl.cc
Image3ends_with 3, match 1\finger.exe, \dnscat2, \iodine.exe
process_name2ne 1, eq 1"telegram.exe", "vbc.exe"
ObjectClass2eq 2"dnsNode"
Initiated1eq 1true
ScriptBlockText1match 1$cmdargs, [Convert]::ToString($SYNOptions, 16), $Session.Dead = $True
dns.question.name1eq 1"*YBAAAA*", "*1UWhRC*", "*AAAAA*"
isAllowed1ne 1true
CommandLine1eq 1"*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
query1eq 1"api.telegram.org"
AdditionalInfo1eq 1"*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
ObjectDN1eq 1"*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
time_diff1le 1300
AttributeValue1eq 1"TRUE"

Top indicator values (54 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDeq22315
Imageends_with\finger.exe29
QueryNamematch.stage.123456.22
QueryNamestarts_withpost.122
QueryNamestarts_withaaa.stage.22
ObjectClasseq"dnsNode"22
Imagematch\dnscat21
Imageends_with\iodine.exe1
QueryNamematchreurl.cc1
QueryNamematchmsapp.workers.dev1
QueryNamematchlihi.cc1
QueryNamematchinfinityfreeapp.com1
QueryNamematchtinyurl.com1
QueryNamematchtrycloudflare.com1
QueryNamematchmy5353.com1
Initiatedeqtrue140
ScriptBlockTextmatch$Session["Driver"] -eq1
ScriptBlockTextmatchNew-RandomDNSField1
ScriptBlockTextmatch$Session.Dead = $True1
ScriptBlockTextmatchClose-Dnscat2Tunnel1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 7 rules

Splunk 7 rules