T1071.004: DNS
| View on MITRE ATT&CK | T1071.004 |
|---|---|
| Tactic(s) | Command and Control |
Data from MITRE ATT&CK®:
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
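As an added detection example (not MITRE's text and not tooling from this site), the script below scores DNS query-log lines for the tunnelling indicators the description above mentions: data packed into long or encoded-looking subdomain labels, and repeated TXT lookups to one zone from one client. The log format (`<client_ip> <qtype> <qname>`), the thresholds, the sample log and the "last two labels are the zone" split are all constructed assumptions for the example; a real deployment would read its resolver logs and use the Public Suffix List.

```python
"""Heuristic triage of DNS query logs for tunnelling-style traffic (T1071.004).

Added example. Assumes a constructed log format "<client_ip> <qtype> <qname>";
all thresholds are illustrative starting points, not validated baselines.
"""
import math
import re
from collections import Counter

# Assumed thresholds; tune against your own resolver baseline.
MAX_LABEL_LEN = 40         # tunnels pack data into long labels (RFC limit is 63)
MIN_ENTROPY = 3.5          # bits/char of the encoded prefix; plain words sit well below
MIN_TXT_PER_DOMAIN = 3     # TXT lookups to one zone from one client
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{20,}$")

# Constructed sample log: three benign lookups, three tunnel-like TXT queries.
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A updates.example.com",
    "10.0.0.5 AAAA mail.example.com",
    "10.0.0.7 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2.tunnel-example.test",
    "10.0.0.7 TXT Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0.c3.tunnel-example.test",
    "10.0.0.7 TXT QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo.c4.tunnel-example.test",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Split a query name into (prefix labels, zone).

    Assumption: the last two labels are the registrable zone.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def looks_base64(label: str) -> bool:
    """Long label drawn from the base64 alphabet that mixes digits and letters."""
    return bool(B64_LABEL.match(label)
                and re.search(r"\d", label)
                and re.search(r"[A-Za-z]", label))


def classify_query(qname: str) -> list:
    """Per-query reasons a name looks like it carries encoded data."""
    prefix_labels, _zone = split_name(qname)
    prefix = "".join(prefix_labels)
    reasons = []
    if any(len(lbl) > MAX_LABEL_LEN for lbl in prefix_labels):
        reasons.append("long_label")
    if prefix and shannon_entropy(prefix) >= MIN_ENTROPY:
        reasons.append("high_entropy")
    if any(looks_base64(lbl) for lbl in prefix_labels):
        reasons.append("base64_like")
    return reasons


def analyze(log_lines) -> list:
    """Run per-query checks plus a per-client TXT-volume check.

    Returns (client_ip, qname_or_zone, reason) tuples.
    """
    findings = []
    txt_counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        client, qtype, qname = parts
        for reason in classify_query(qname):
            findings.append((client, qname, reason))
        if qtype.upper() == "TXT":
            _prefix, zone = split_name(qname)
            txt_counts[(client, zone)] += 1
    for (client, zone), n in txt_counts.items():
        if n >= MIN_TXT_PER_DOMAIN:
            findings.append((client, zone, f"txt_volume={n}"))
    return findings


if __name__ == "__main__":
    for client, name, reason in analyze(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{name}")
```

The three checks are deliberately independent so an analyst can see which one fired; a single high-entropy label is common in CDN and telemetry names, so in practice the TXT-volume and long-label signals, or a combination, are better pivots than entropy alone.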
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Suspicious DNS Query with B64 Encoded String
Silence.EDA Detection
Suspicious Cobalt Strike DNS Beaconing - DNS Client
DNS TXT Answer with Possible Execution Strings
Suspicious Cobalt Strike DNS Beaconing - Sysmon
OilRig APT Registry Persistence
DNS Exfiltration and Tunneling Tools Execution
Cobalt Strike DNS Beaconing
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.