environments that leverage dns responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.

t1210
t1499
network
elastic

Techniques

T1210
T1499

Sample rules

Abnormally Large DNS Response

source: elastic
technicques:
- T1210
- T1499

Description

Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.

Detection logic

(data_stream.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
  (data_stream.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000