{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dns-tunneling/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["dns-tunneling","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers can abuse the DNS protocol for command and control and/or data exfiltration by exploiting network rules that allow DNS communication with external resources. This technique, known as DNS tunneling, involves encoding data within DNS queries to transmit commands, malicious files, or exfiltrate sensitive information to attacker-controlled DNS servers. Detection focuses on identifying anomalous patterns of nslookup.exe usage, specifically a high volume of executions with explicit query types originating from a single host within a short timeframe. This activity may bypass traditional security controls that monitor standard network traffic, enabling covert communication channels.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enslookup.exe\u003c/code\u003e to perform DNS queries with specific query types (e.g., \u003ccode\u003e-querytype=TXT\u003c/code\u003e, \u003ccode\u003e-qt=A\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker encodes data (commands, files, or exfiltrated data) into the DNS query.\u003c/li\u003e\n\u003cli\u003eThe compromised host sends multiple DNS requests to a rogue DNS server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the DNS queries and decodes the data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tunneled command to further compromise the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data to the attacker-controlled server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DNS tunneling allows attackers to establish covert communication channels, bypassing traditional security measures. This can lead to command and control of compromised systems, exfiltration of sensitive data, and further propagation within the network. The impact includes potential data breaches, system compromise, and prolonged attacker presence due to the difficulty of detecting covert DNS traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Nslookup DNS Tunneling Activity\u0026rdquo; to your SIEM to detect potential DNS tunneling attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture \u003ccode\u003enslookup.exe\u003c/code\u003e executions and their command-line arguments.\u003c/li\u003e\n\u003cli\u003eInspect network traffic logs for unusually high volumes of DNS queries originating from individual hosts.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for encoded or unusual data patterns within DNS query names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dns-tunneling-nslookup/","summary":"Detection of multiple nslookup.exe executions with explicit query types from a single host, potentially indicating command and control activity via DNS tunneling, where attackers abuse DNS for data infiltration or exfiltration.","title":"Potential DNS Tunneling via NsLookup","url":"https://feed.craftedsignal.io/briefs/2024-01-dns-tunneling-nslookup/"}],"language":"en","title":"CraftedSignal Threat Feed — Dns-Tunneling","version":"https://jsonfeed.org/version/1.1"}