tcp_dnstunneling
Explanation
This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. This event looks for network traffic that may be indicative of this technique, and generates an alert if detected.
What to Look For
To examine the results of the tcp_dnstunneling event, customers should look for abnormal network traffic patterns, such as large numbers of DNS queries or responses. They should also analyze the payload of these DNS requests and responses for suspicious content that may indicate an attempt at DNS tunneling. On the endpoint side, customers should look for activity from known tools and utilities used for DNS tunneling, and examine processes and network connections for signs of compromise. By analyzing these indicators, customers can identify and remediate any instances of DNS tunneling on their networks.
Related MITRE ATT&CK Categories
Updated 13 days ago