EXPLORE
← Back to Explore
elasticmediumTTP

Potential DNS Exfiltration via Excessive Chunked Queries

Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags sessions with many distinct chunk indices and sufficiently long encoded payloads.

MITRE ATT&CK

exfiltrationcommand-and-control

Detection Query

FROM logs-crowdstrike.fdr*, logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
| WHERE host.os.type == "windows"
    AND event.category == "network"
    AND event.action IN ("lookup_requested", "DNSEvent (DNS query)", "DnsRequest")
    AND process.name != "svchost.exe"
    AND dns.question.name RLIKE """[0-9]{1,5}-[A-Za-z0-9+/=]{15,63}\..+"""
| GROK dns.question.name "%{INT:chunk_index}-%{DATA:chunk_payload}\\.%{GREEDYDATA:Esql.base_domain}"
| WHERE chunk_index IS NOT NULL
| EVAL payload_len = LENGTH(chunk_payload)
| STATS
    Esql.occurrences = COUNT(*),
    Esql.unique_chunks = COUNT_DISTINCT(chunk_index),
    Esql.max_index = MAX(TO_INTEGER(chunk_index)),
    Esql.avg_payload_len = AVG(payload_len)
  BY process.name, Esql.base_domain, user.id, user.name, host.id, host.name, data_stream.namespace, DATE_TRUNC(5 minutes, @timestamp)
| WHERE Esql.occurrences >= 30
    AND Esql.unique_chunks >= 30
    AND Esql.avg_payload_len >= 20
| SORT Esql.unique_chunks DESC
| LIMIT 20
| KEEP host.id, host.name, process.name, user.id, user.name, data_stream.namespace, Esql.*

Author

Elastic

Created

2026/07/03

Data Sources

Elastic DefendCrowdstrikeSysmon

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExfiltrationResources: Investigation GuideData Source: Elastic DefendData Source: CrowdstrikeData Source: Sysmon
Raw Content
[metadata]
creation_date = "2026/07/03"
integration = ["endpoint", "windows", "crowdstrike"]
maturity = "production"
updated_date = "2026/07/03"

[rule]
author = ["Elastic"]
description = """
Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels
follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to
evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags
sessions with many distinct chunk indices and sufficiently long encoded payloads.
"""
from = "now-9m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Potential DNS Exfiltration via Excessive Chunked Queries"
note = """## Triage and analysis

### Investigating Potential DNS Exfiltration via Excessive Chunked Queries

DNS tunneling and exfiltration often encode data in subdomain labels using a chunk index prefix (for example,
`42-<base64-or-hex-payload>.attacker.example`). A large number of distinct chunk indices to the same base domain from
one process within a short window strongly suggests staged data transfer rather than normal resolution behavior.

### Possible investigation steps

- Review **Esql.base_domain**, **Esql.unique_chunks**, and **Esql.max_index** on the alert to gauge exfil volume and
  whether chunk indices form a contiguous or near-contiguous sequence.
- Identify **process.name** and **process.executable** (from related network events on the same host) and inspect the
  process tree for scripting runtimes, LOLBins, or unsigned binaries.
- Pivot on **host.id** for other DNS, network, or exfiltration alerts in the past 48 hours.
- Inspect sample **dns.question.name** values for the session to confirm encoded payload subdomains and estimate data
  volume (**Esql.avg_payload_len** × **Esql.unique_chunks**).
- Check whether the base domain is newly observed, lacks business justification, or resolves to infrastructure outside
  approved DNS allowlists.

### False positive analysis

- Legitimate software that encodes telemetry or session tokens in DNS labels is rare; validate against known vendor
  behavior before closing.
- Security scanners or research tools that generate synthetic chunked DNS labels may match; confirm process identity and
  organizational ownership.

### Response and remediation

- If confirmed malicious: isolate the host, block the **Esql.base_domain** at DNS and egress controls, and preserve
  DNS/network logs for scoping.
- Hunt for the same **Esql.base_domain** and process hash across other hosts and users.
- Reset credentials and review data accessible to the involved user or process if exfiltration is confirmed.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)
"""

references = [
    "https://attack.mitre.org/techniques/T1048/003/",
    "https://attack.mitre.org/techniques/T1572/",
    "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/",
]
risk_score = 47
rule_id = "882a39ad-a404-45e3-b5d4-bc11d2b09818"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Crowdstrike",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-crowdstrike.fdr*, logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
| WHERE host.os.type == "windows"
    AND event.category == "network"
    AND event.action IN ("lookup_requested", "DNSEvent (DNS query)", "DnsRequest")
    AND process.name != "svchost.exe"
    AND dns.question.name RLIKE """[0-9]{1,5}-[A-Za-z0-9+/=]{15,63}\..+"""
| GROK dns.question.name "%{INT:chunk_index}-%{DATA:chunk_payload}\\.%{GREEDYDATA:Esql.base_domain}"
| WHERE chunk_index IS NOT NULL
| EVAL payload_len = LENGTH(chunk_payload)
| STATS
    Esql.occurrences = COUNT(*),
    Esql.unique_chunks = COUNT_DISTINCT(chunk_index),
    Esql.max_index = MAX(TO_INTEGER(chunk_index)),
    Esql.avg_payload_len = AVG(payload_len)
  BY process.name, Esql.base_domain, user.id, user.name, host.id, host.name, data_stream.namespace, DATE_TRUNC(5 minutes, @timestamp)
| WHERE Esql.occurrences >= 30
    AND Esql.unique_chunks >= 30
    AND Esql.avg_payload_len >= 20
| SORT Esql.unique_chunks DESC
| LIMIT 20
| KEEP host.id, host.name, process.name, user.id, user.name, data_stream.namespace, Esql.*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "host.name",
    "user.id",
    "user.name",
    "process.name",
    "dns.question.name",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[[rule.threat.technique.subtechnique]]
id = "T1048.003"
name = "Exfiltration Over Unencrypted Non-C2 Protocol"
reference = "https://attack.mitre.org/techniques/T1048/003/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"