Detects DNS tunneling and data exfiltration in Zeek dns.log via high-entropy subdomains, excessive query volumes, long query lengths, and anomalous record types. For threat hunting C2 channels and anomalous DNS patterns.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
- 狩猎通过 DNS 隐蔽通道进行的数据外泄时
Detects DNS tunneling and data exfiltration in Zeek dns.log via high-entropy subdomains, excessive query volumes, long lengths, and unusual record types. For threat hunting covert channels.
Detects DNS tunneling and data exfiltration in Zeek dns.log using high-entropy subdomains, excessive query volume, long lengths, unusual record types, and timing patterns. For threat hunting covert channels.
Analyzes Zeek dns.log files to detect DNS data exfiltration via high-entropy subdomains, long labels, unique subdomain counts per domain, and query rate anomalies. For network threat hunting.
Share bugs, ideas, or general feedback.
@load base/protocols/dns
module DNSTunnel;
export {
redef enum Notice::Type += { DNSTunnel::Long_DNS_Query };
const query_length_threshold = 50 &redef;
const query_count_threshold = 100 &redef;
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
if ( |query| > query_length_threshold ) {
NOTICE([$note=DNSTunnel::Long_DNS_Query,
$msg=fmt("Long DNS query detected: %s (%d chars)", query, |query|),
$conn=c]);
}
}
index=zeek sourcetype=bro_dns
| rex field=query "(?<subdomain>[^.]+)\.(?<basedomain>[^.]+\.[^.]+)$"
| stats count dc(subdomain) as unique_subs avg(len(query)) as avg_len max(len(query)) as max_len by src basedomain
| where count > 100 AND (unique_subs > 50 OR avg_len > 40)
| sort -unique_subs
index=zeek sourcetype=bro_dns
| rex field=query "^(?<subdomain>[^.]+)"
| where len(subdomain) > 20
| eval char_count=len(subdomain)
| stats count dc(query) as unique_queries avg(char_count) as avg_sub_len by src query_type_name basedomain
| where unique_queries > 30 AND avg_sub_len > 25
| sort -unique_queries
rita import /path/to/zeek/logs dataset_name
rita show-dns-fqdn-ips-long dataset_name
rita show-exploded-dns dataset_name
rita show-dns-tunneling dataset_name --csv > dns_tunnel_results.csv
aGVsbG8gd29ybGQ.exfil.attacker.com),以 A 或 TXT 查询形式发送。每次查询携带约 63 字节数据。狩猎 ID:TH-DNSTUNNEL-[日期]-[序号]
源 IP:[内网 IP]
源主机:[主机名]
目标域名:[基础域名]
查询次数:[时间窗口内的总查询数]
唯一子域名数:[数量]
平均查询长度:[字符数]
最大查询长度:[字符数]
子域名熵值:[比特/字符]
主要记录类型:[A/TXT/CNAME/NULL]
估算数据量:[外泄字节数]
风险等级:[严重/高/中/低]