heroui logo

Potential DNS Exfiltration via Excessive Chunked Queries

Elastic Detection Rules

View Source
Summary
Detects potential DNS exfiltration on Windows endpoints by spotting high volumes of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). The rule aggregates DNS queries per process, base domain, and a five-minute window to identify sessions with many distinct chunk indices and sufficiently long encoded payloads. It computes: total occurrences, unique chunk indices, maximum chunk index, and average payload length, grouping by process, base domain, user/host context, and time window. Alerts fire when there are at least 30 occurrences and 30 unique chunks with an average payload length of at least 20 characters. The query relies on data from CrowdStrike, Elastic Defend, and Windows Sysmon DNS queries, extracting chunk_index and chunk_payload from dns.question.name, validating that the process is not svchost.exe, and correlating with host metadata. The detection is mapped to MITRE ATT&CK techniques Exfiltration (T1048, including T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol) and Protocol Tunneling (T1572), under the Exfiltration and C2 tactics. Investigations focus on the involved process, recent DNS/ network activity, and the observed base domain’s legitimacy, with recommended triage steps including isolating the host, blocking the base domain, cross-host hunting, and credential review if exfiltration is confirmed. False positives may arise from legitimate telemetry encoding or synthetic testing tools, so validation against known vendor behavior is advised. The rule is intended for Windows endpoints and leverages cross-sourced data (Elastic Defend, CrowdStrike, Sysmon) to provide context-rich alerts for potential DNS-based data exfiltration.
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1048
  • T1572
  • T1048.003
Created: 2026-07-03