Environments that legitimately exchange DNS responses larger than 60,000 bytes (large zone transfers over TCP, for example) will produce false positives; if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.

Techniques

Sample rules

Abnormally Large DNS Response

Description

Specially crafted DNS traffic can trigger a known buffer overflow in some Windows DNS servers: an oversized response (larger than 64 KB, which is only possible over TCP) returned to the vulnerable server can result in Remote Code Execution (RCE) or a Denial of Service (DoS) by crashing the service. The rule therefore alerts on DNS responses whose byte count approaches that ceiling.

Detection logic

(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
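The following is an added example, not code from the original page or from the rule's maintainers. It reimplements the detection logic above in Python and runs it over a handful of constructed ECS-style events, then shows the filtering step the false positive note recommends: an allowlist of sources that are known to return large responses (the allowlist mechanism and the IP addresses are assumptions for illustration).

```python
"""Apply the 'Abnormally Large DNS Response' logic to ECS-style events.

Added example for this page; not the rule engine's own code.
All events below are constructed for the example.
"""

# Threshold taken from the rule. A DNS message carried over TCP is at most
# 65535 bytes (two-byte length prefix); UDP responses are usually far smaller
# even with EDNS0, so anything over 60000 bytes is near the TCP ceiling.
BYTES_THRESHOLD = 60000


def _as_list(value):
    """ECS fields such as event.category may be a string or an array."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_dns_traffic(ev: dict) -> bool:
    """First clause of the rule:
    event.dataset:network_traffic.dns or
    (event.category:(network or network_traffic) and destination.port:53)."""
    if ev.get("event.dataset") == "network_traffic.dns":
        return True
    cats = _as_list(ev.get("event.category"))
    return (any(c in ("network", "network_traffic") for c in cats)
            and ev.get("destination.port") == 53)


def is_supported_source(ev: dict) -> bool:
    """Second clause: event.dataset:zeek.dns or type:dns or event.type:connection."""
    return (ev.get("event.dataset") == "zeek.dns"
            or ev.get("type") == "dns"
            or "connection" in _as_list(ev.get("event.type")))


def matches_rule(ev: dict) -> bool:
    """Full rule: both clauses plus network.bytes > 60000."""
    return (is_dns_traffic(ev)
            and is_supported_source(ev)
            and ev.get("network.bytes", 0) > BYTES_THRESHOLD)


def run_rule(events, expected_large_responders=frozenset()):
    """Return the events that alert. Sources in expected_large_responders are
    suppressed; this is a hypothetical tuning step implementing the
    'filter out predictable, expected traffic' advice, not part of the rule."""
    return [ev for ev in events
            if matches_rule(ev)
            and ev.get("source.ip") not in expected_large_responders]


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    # 1. Zeek DNS record: 65120-byte response over TCP from an external NS.
    {"event.dataset": "zeek.dns", "event.category": ["network"],
     "event.type": ["connection", "protocol"], "destination.port": 53,
     "network.transport": "tcp", "network.bytes": 65120,
     "source.ip": "203.0.113.10", "destination.ip": "10.0.0.5"},
    # 2. Ordinary UDP DNS answer, well under the threshold.
    {"event.dataset": "zeek.dns", "event.category": ["network"],
     "event.type": ["connection", "protocol"], "destination.port": 53,
     "network.transport": "udp", "network.bytes": 120,
     "source.ip": "10.0.0.53", "destination.ip": "10.0.0.5"},
    # 3. Packetbeat-style record of a large but expected internal transfer.
    {"event.dataset": "network_traffic.dns", "type": "dns",
     "destination.port": 53, "network.transport": "tcp",
     "network.bytes": 61200, "source.ip": "10.0.0.53",
     "destination.ip": "10.0.0.54"},
    # 4. Large flow that is not DNS at all (port 443): must not alert.
    {"event.dataset": "zeek.conn", "event.category": ["network"],
     "event.type": ["connection"], "destination.port": 443,
     "network.transport": "tcp", "network.bytes": 70000,
     "source.ip": "198.51.100.7", "destination.ip": "10.0.0.5"},
]


if __name__ == "__main__":
    for ev in run_rule(SAMPLE_EVENTS):
        print("ALERT (untuned):", ev["source.ip"], ev["network.bytes"])
    for ev in run_rule(SAMPLE_EVENTS, frozenset({"10.0.0.53"})):
        print("ALERT (tuned):", ev["source.ip"], ev["network.bytes"])
```

Untuned, events 1 and 3 both alert; with the internal responder allowlisted, only the 65120-byte response from the external name server remains, which is the case the rule exists to catch. Note that the allowlist keys on the source of the oversized response, since the responder, not the querying server, is what an attacker controls.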