T1071.004

DNS

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication...
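As an added example (not one of the rules listed on this page, and not code taken from any of the listed sources), the following Python script scores constructed DNS query-log records for the traits the description above implies: commands and results embedded in query names show up as long, high-entropy, base64-like subdomain labels, as payload-friendly record types such as TXT, and as many distinct subdomains under one registered domain. The sample records, the thresholds, and the naive "last two labels" registered-domain split are illustrative assumptions; production code would use a public-suffix list and tune the thresholds against baseline traffic.

```python
"""Heuristic scoring of DNS query logs for tunneling / C2 beaconing.

Added example for T1071.004; it is not one of the detection rules listed on
this page. Sample records are constructed inline, so it runs offline.
"""
import math
import re
from collections import defaultdict

# Constructed sample records: (client_ip, query_name, qtype). Not real data.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "cdn.static-assets.net", "A"),
    ("10.0.0.7", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2.badtunnel.net", "TXT"),
    ("10.0.0.7", "Y29tbWFuZCBvdXRwdXQgbGluZSAx.c2.badtunnel.net", "TXT"),
    ("10.0.0.7", "Y29tbWFuZCBvdXRwdXQgbGluZSAy.c2.badtunnel.net", "TXT"),
    ("10.0.0.7", "ZmlsZSBjb250ZW50cyBjaHVuayAwMDE.c2.badtunnel.net", "TXT"),
    ("10.0.0.7", "ZmlsZSBjb250ZW50cyBjaHVuayAwMDI.c2.badtunnel.net", "TXT"),
    ("10.0.0.9", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.metrics.badtunnel.net", "A"),
]

# Label that looks like base64 / base64url: assumed heuristic, not a standard.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive 'last two labels' split (assumption; real code uses a PSL)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def subdomain_part(name):
    """Everything left of the registered domain, or '' if there is none."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def score_query(name, qtype):
    """Return (score, reasons) for one query; thresholds are assumptions."""
    score, reasons = 0, []
    sub = subdomain_part(name)
    if not sub:
        return 0, reasons
    longest = max(sub.split("."), key=len)
    if len(longest) >= 30:                       # payload chunks are long
        score += 2; reasons.append("long_label")
    if shannon_entropy(longest) >= 3.5:          # encoded data is high-entropy
        score += 2; reasons.append("high_entropy")
    if (B64_LABEL.match(longest) and any(c.isdigit() for c in longest)
            and any(c.isupper() for c in longest)):
        score += 1; reasons.append("b64_like")
    if qtype in ("TXT", "NULL", "CNAME"):        # roomy answer types for C2
        score += 1; reasons.append("qtype_" + qtype)
    if len(name) >= 50:
        score += 1; reasons.append("long_fqdn")
    return score, reasons


def analyze(records, min_score=4, min_unique_subdomains=3):
    """Group by registered domain; flag domains with a strong single query or
    many distinct subdomains that each carry at least some encoded-data signal."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "max_score": 0, "reasons": set()})
    for _client, name, qtype in records:
        st = per_domain[registered_domain(name)]
        st["queries"] += 1
        st["subdomains"].add(subdomain_part(name))
        s, r = score_query(name, qtype)
        st["max_score"] = max(st["max_score"], s)
        st["reasons"].update(r)
    flagged = {}
    for dom, st in per_domain.items():
        cardinality_hit = (len(st["subdomains"]) >= min_unique_subdomains
                           and st["max_score"] >= 2)
        if st["max_score"] >= min_score or cardinality_hit:
            flagged[dom] = {"queries": st["queries"],
                            "unique_subdomains": len(st["subdomains"]),
                            "max_score": st["max_score"],
                            "reasons": sorted(st["reasons"])}
    return flagged


if __name__ == "__main__":
    for dom, ev in analyze(SAMPLE_LOG).items():
        print(dom, ev)
```

The per-domain cardinality check matters as much as the per-label scoring: a beacon that keeps each label short and low-entropy still has to vary the subdomain on every poll to defeat caching, so the count of distinct subdomains under one registered domain stays high even when no single query looks suspicious.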

Platforms: Linux, macOS, Windows, Network Devices, ESXi

31 detections, 4 sources, 11 threat actors

BY SOURCE

elastic: 12, sigma: 10, splunk_escu: 8, crowdstrike_cql: 1

PROCEDURES (23)

Auto-extracted keyword tags, with the number of detections carrying each tag:

Beacon: 3 detections
Cloud Monitoring: 2 detections
Bypass: 2 detections
Service: 2 detections
Command And Control: 2 detections
C2: 2 detections
Email: 2 detections
Persist: 1 detection
Credential: 1 detection
Phish: 1 detection
Credential: 1 detection
Network Connection Monitoring: 1 detection
Remote: 1 detection
C2: 1 detection
Command And Control: 1 detection
Script Execution Monitoring: 1 detection
Suspicious: 1 detection
Download: 1 detection
Remote: 1 detection
Exfiltrat: 1 detection
Credential: 1 detection
Service: 1 detection
General Monitoring: 1 detection

DETECTIONS (31)

Each entry lists the detection name, then its source and (where the source assigns one) severity:

Cobalt Strike DNS Beaconing (sigma, critical)
DNS Exfiltration and Tunneling Tools Execution (sigma, high)
DNS Kerberos Coercion (splunk_escu)
DNS Query by Finger Utility (sigma, high)
DNS Query To Common Malware Hosting and Shortener Services (sigma, medium)
DNS Staging Detection: ClickFix-Inspired nslookup Execution (crowdstrike_cql)
DNS Tunneling (elastic, low)
DNS TXT Answer with Possible Execution Strings (sigma, high)
Excessive DNS Failures (splunk_escu)
GenAI Process Connection to Suspicious Top Level Domain (elastic, medium)
Machine Learning Detected a DNS Request Predicted to be a DGA Domain (elastic, low)
Machine Learning Detected a DNS Request With a High DGA Probability Score (elastic, low)
Machine Learning Detected DGA activity using a known SUNBURST DNS domain (elastic, high)
Network Activity to a Suspicious Top Level Domain (elastic, high)
Network Connection Initiated via Finger.EXE (sigma, high)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential DGA Activity (elastic, low)
Potential DNS Tunneling via NsLookup (elastic, medium)
Silence.EDA Detection (sigma, critical)
Suspicious Cobalt Strike DNS Beaconing - DNS Client (sigma, critical)
Suspicious Cobalt Strike DNS Beaconing - Sysmon (sigma, critical)
Suspicious DNS Query with B64 Encoded String (sigma, medium)
System Public IP Discovery via DNS Query (elastic, high)
Unusual DNS Activity (elastic, low)
Unusual Network Destination Domain Name (elastic, low)
Windows AI Platform DNS Query (splunk_escu)
Windows Credential Target Information Structure in Commandline (splunk_escu)
Windows DNS Query Request by Telegram Bot API (splunk_escu)
Windows Kerberos Coercion via DNS (splunk_escu)
Windows Short Lived DNS Record (splunk_escu)
Windows Visual Basic Commandline Compiler DNSQuery (splunk_escu)