EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Excessive Usage of NSLOOKUP App

The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.

MITRE ATT&CK

T1048

Detection Query

| tstats `security_content_summariesonly` count as numNsLookup min(_time) as firstTime max(_time) as lastTime values(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product values(Processes.parent_process) as parent_process values(Processes.process_name) as process_name values(Processes.parent_process_id) as parent_process_id values(Processes.user) as user FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name = "nslookup.exe"
  BY Processes.dest _time span=1m
| `drop_dm_object_name(Processes)`
| eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots
  BY dest
| eval upperThreshold=(avgNsLookup + stdNsLookup *3)
| eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0)
| search isOutlier=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_nslookup_app_filter`

Author

Teoderick Contreras, Stanislav Miskovic, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 1Windows Event Log Security 4688CrowdStrike ProcessRollup2

References

Tags

Suspicious DNS TrafficDynamic DNSData ExfiltrationCommand And Control
Raw Content
name: Excessive Usage of NSLOOKUP App
id: 0a69fdaa-a2b8-11eb-b16d-acde48001122
version: 10
date: '2026-03-10'
author: Teoderick Contreras, Stanislav Miskovic, Splunk
status: production
type: Anomaly
description: The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |-
    | tstats `security_content_summariesonly` count as numNsLookup min(_time) as firstTime max(_time) as lastTime values(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product values(Processes.parent_process) as parent_process values(Processes.process_name) as process_name values(Processes.parent_process_id) as parent_process_id values(Processes.user) as user FROM datamodel=Endpoint.Processes
      WHERE Processes.process_name = "nslookup.exe"
      BY Processes.dest _time span=1m
    | `drop_dm_object_name(Processes)`
    | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots
      BY dest
    | eval upperThreshold=(avgNsLookup + stdNsLookup *3)
    | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0)
    | search isOutlier=1
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `excessive_usage_of_nslookup_app_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings
    - https://www.varonis.com/blog/dns-tunneling
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Suspicious DNS Traffic
        - Dynamic DNS
        - Data Exfiltration
        - Command And Control
    asset_type: Endpoint
    mitre_attack_id:
        - T1048
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog