tcp_dnstunneling

Explanation

This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. This event looks for network traffic that may be indicative of this technique, and generates an alert if detected.

What to Look For

To examine the results of the tcp_dnstunneling event, customers should look for abnormal network traffic patterns, such as large numbers of DNS queries or responses. They should also analyze the payload of these DNS requests and responses for suspicious content that may indicate an attempt at DNS tunneling. On the endpoint side, customers should look for activity from known tools and utilities used for DNS tunneling, and examine processes and network connections for signs of compromise. By analyzing these indicators, customers can identify and remediate any instances of DNS tunneling on their networks.

Related MITRE ATT&CK Categories

Protocol Tunneling, Technique T1572 - Enterprise