Detects high-frequency or anomalous DNS queries initiated by non-browser, non-system processes (e.g., PowerShell, rundll32, python.exe) used to establish command and control via DNS tunneling.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22 |
| Network Traffic Content (DC0085) | NSM:Flow | dns.log |

| Field | Description |
|---|---|
| QueryLengthThreshold | Subdomain length for detecting base32/base64-encoded payloads |
| ProcessImageFilter | Flag non-standard executables making DNS queries |
| TimeWindow | Rate of queries in a short interval per process |
Detects local daemons or scripts generating outbound DNS queries with long or frequent subdomains, indicative of DNS tunneling via tools like iodine, dnscat2, or dig from cronjobs or reverse shells.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Content (DC0085) | NSM:Flow | dns.log |

| Field | Description |
|---|---|
| SubdomainEntropyScore | Detects encoded payloads or randomness in DNS labels |
| DaemonAllowList | Allowlisted system daemons expected to perform frequent lookups |
Detects scripting environments (AppleScript, osascript, curl) or non-native tools performing DNS queries with encoded subdomains, often used for data exfiltration or beaconing.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | macos:unifiedlog | log stream 'eventMessage contains "dns_request"' |

| Field | Description |
|---|---|
| EntropyThreshold | Tunable threshold for randomness in subdomain labels |
| UncommonProcessContext | Filters on user-launched or cron-based queries |
Detects clients issuing DNS queries with high volume, long subdomain lengths, encoded payload patterns, or to known malicious infrastructure; indicative of DNS-based C2 channels.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | dns.log |

| Field | Description |
|---|---|
| DomainReputationFeed | List of suspicious/malicious C2 domains |
| QueryRatePerClient | Tunable burst rate per IP per second |
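The following is an added example, not part of the original detection strategy, showing how the QueryLengthThreshold, entropy-score and QueryRatePerClient tunables above can be applied to Zeek-style dns.log records. It assumes a TSV layout of `ts`, `id.orig_h`, `query` and uses constructed sample lines; the threshold values are illustrative, not recommended defaults.

```python
import math
from collections import defaultdict

# Constructed sample in Zeek dns.log (TSV) shape: ts, id.orig_h, query.
# The long first labels on 10.0.0.9 mimic base32-encoded tunnel payloads.
SAMPLE_DNS_LOG = """\
1700000000.10\t10.0.0.5\twww.example.com
1700000000.20\t10.0.0.5\tmail.example.com
1700000001.05\t10.0.0.9\tnb2hi4dthixs653xo4rdmnjmgezdgmrq.tunnel.example.net
1700000001.15\t10.0.0.9\tmfrgg3dferzxi2lomnsgk3dtnfwa.tunnel.example.net
1700000001.25\t10.0.0.9\tonswy3dpeb3w64tmmqqhg3tbnvsxezlt.tunnel.example.net
"""

QUERY_LENGTH_THRESHOLD = 30   # longest first label treated as benign (assumed)
ENTROPY_THRESHOLD = 3.5       # bits per character of the first label (assumed)
QUERY_RATE_PER_CLIENT = 3     # queries per client within TIME_WINDOW (assumed)
TIME_WINDOW = 1.0             # seconds

def shannon_entropy(label: str) -> float:
    """Bits per character; ~0 for repetitive labels, high for encoded data."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str):
    """Yield (ts, client, query) from TSV rows, skipping Zeek '#' headers."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, client, query = line.split("\t")[:3]
        rows.append((float(ts), client, query))
    return rows

def find_tunnel_candidates(rows):
    """Return {client: sorted reasons} for clients tripping any threshold."""
    seen = defaultdict(list)          # client -> timestamps seen so far
    flagged = defaultdict(set)
    for ts, client, query in rows:
        label = query.split(".")[0]   # the attacker-controlled leftmost label
        seen[client].append(ts)
        if len(label) > QUERY_LENGTH_THRESHOLD:
            flagged[client].add("long_label")
        if shannon_entropy(label) > ENTROPY_THRESHOLD:
            flagged[client].add("high_entropy")
        if sum(1 for t in seen[client] if ts - t <= TIME_WINDOW) >= QUERY_RATE_PER_CLIENT:
            flagged[client].add("burst")
    return {c: sorted(r) for c, r in flagged.items()}
```

In a real deployment the entropy and length checks should be computed on the labels below the registered domain, and clients on the DaemonAllowList excluded before counting bursts.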
Detects unusual outbound DNS traffic from ESXi hosts, often from shell scripts, custom daemons, or malicious VIBs interacting with external DNS infrastructure outside the management plane.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:syslog | /var/log/syslog.log |
| Network Traffic Content (DC0085) | NSM:Flow | dns.log |

| Field | Description |
|---|---|
| OutboundDNSVolume | Threshold for data volume and frequency from ESXi IPs |
| KnownGoodVIBs | Baseline of known packages for allowlist comparison |