Splunk - Hunting for threats in DNS
Understanding DNS exfiltration When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel (exfiltrate) data from the target to their own host. You could hypothesize that the adversary might use DNS to either: Move sensitive files out of your organisation. Use it as a side channel for communications with malicious infrastructure. With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers! Hunting for threats in DNS In the section below, there are showed some ways to detect weirdness with DNS based on the techniques highlighted above. NOTE: Adjust the sourcetypes/tags/eventtypes to suit your environment. Top 10 Clients by Volume of Requests Capturing spikes or changes in client volumes may show early signs of data exfiltration. tag=dns message_type="Query" | timechart span=1h limit=10 usenull=f useother=f count AS Requests