Skip to content
Threat Feed
medium advisory

Potential DNS Exfiltration via Excessive Chunked Queries

This brief details the technique of DNS exfiltration where threat actors use chunked DNS queries with subdomain labels following an 'index-payload.base_domain' pattern to exfiltrate data from compromised Windows hosts, allowing them to bypass volume-based detection and extract sensitive information.

This brief describes a technique used by threat actors for data exfiltration and command and control, leveraging DNS queries on Windows hosts. Attackers, after compromising a system, encode stolen data into small chunks, embedding each chunk within a subdomain of a DNS query (e.g., 42-base64payload.attacker.example). This method, known as DNS tunneling or chunked DNS exfiltration, is designed to bypass traditional network security controls that monitor volume or content, as the data is transmitted incrementally over a legitimate protocol. The technique can be employed by various threat groups or malware to discreetly transfer sensitive information out of an organization's network or to establish covert communication channels. The detection rule described aims to identify sessions with a high volume of distinct chunk indices and sufficiently long encoded payloads from a single process to a specific base domain within a short timeframe, indicating potential malicious activity rather than normal DNS resolution.

Attack Chain

  1. Initial Compromise: An attacker gains unauthorized access to a Windows host within the target network through various initial access techniques (e.g., phishing, exploiting a vulnerable service).
  2. Data Identification: The attacker identifies sensitive data on the compromised host slated for exfiltration.
  3. Data Encoding and Chunking: The identified data is encoded (e.g., Base64 or hexadecimal) and then split into numerous smaller chunks to prepare for discreet transmission.
  4. DNS Query Generation: A malicious process (e.g., an LOLBin, custom script, or malware) on the compromised host constructs DNS queries where each data chunk is embedded as a unique subdomain, often prefixed with a sequential index (e.g., 1-chunkA.malicious.com, 2-chunkB.malicious.com).
  5. DNS Resolution Attempt: The compromised host attempts to resolve these specially crafted DNS queries, sending them to the configured DNS resolver.
  6. Outbound Connection & Data Transfer: The DNS queries containing the encoded data are forwarded to the attacker-controlled authoritative DNS server for the specified base domain (malicious.com).
  7. Data Reconstruction: The attacker's DNS server logs the incoming queries, extracts the indexed data chunks, and reconstructs the original stolen data.
  8. Exfiltration Complete: The sensitive data is successfully exfiltrated from the target environment, often without triggering traditional egress filtering designed for common protocols or file transfers.

Impact

Successful DNS exfiltration can lead to severe data breaches, resulting in the loss of sensitive intellectual property, customer data, financial records, or other confidential information. This can cause significant financial penalties, reputational damage, and regulatory non-compliance for affected organizations. The stealthy nature of this technique means that exfiltration can occur undetected for extended periods, allowing attackers to harvest vast quantities of data. If the technique is used for command and control, it can provide attackers with persistent, covert access to compromised systems, enabling further malicious activities like deploying additional malware, lateral movement, or ransomware deployment, potentially leading to widespread system disruption and operational paralysis.

Recommendation

  • Enable Sysmon Event ID 22 (DNS Query) logging on all Windows hosts to provide the necessary telemetry for detecting chunked DNS exfiltration.
  • Deploy the Potential DNS Exfiltration via Chunked DNS Queries Sigma rule to your SIEM/EDR and tune it for your specific environment, prioritizing alerts from uncommon processes.
  • Implement and configure Elastic Defend or CrowdStrike endpoint protection solutions to gather comprehensive network and process telemetry as described in the brief.
  • If an alert fires, investigate the Esql.base_domain and block it at your DNS resolvers and egress firewalls to prevent further exfiltration and C2 communications.
  • Review network logs for processes making unusual DNS queries, especially those resolving to newly observed or unsanctioned domains.

Detection coverage 1

Potential DNS Exfiltration via Chunked DNS Queries

medium

Detects suspicious DNS queries from non-system processes where subdomain labels follow a 'index-payload.base_domain' pattern, indicating potential DNS exfiltration or tunneling.

sigma tactics: command_and_control, exfiltration techniques: T1048, T1048.003, T1572 sources: dns_query, windows

Detection queries are available on the platform. Get full rules →