Environments that leverage DNS responses over 60k bytes will result in false positives. If this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.

Techniques

Sample rules

Abnormally Large DNS Response

Description

Specially crafted DNS requests can trigger a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) when the service crashes.

Detection logic

((event.category:(network or network_traffic) and destination.port:53) 
      or network.protocol:"dns" 
      or data_stream.dataset:(network_traffic.dns or zeek.dns))
    and destination.bytes > 60000
    and event.type:("allowed" or "end" or "protocol" or "start")
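The following is an added example, not part of the rule or its source repository, that evaluates the detection logic above over a handful of constructed ECS-shaped events and applies the tuning the false-positive note calls for. It assumes events are nested dicts keyed by ECS field names (`event.category`, `destination.bytes`, and so on) and that "expected" large-response traffic can be identified by the resolver's `destination.ip`; both the sample events and the `EXPECTED_RESOLVERS` list are constructed for illustration.

```python
"""Evaluate the 'Abnormally Large DNS Response' logic over sample ECS events."""
from typing import Any

THRESHOLD_BYTES = 60_000
DNS_DATASETS = {"network_traffic.dns", "zeek.dns"}
NETWORK_CATEGORIES = {"network", "network_traffic"}
FLOW_TYPES = {"allowed", "end", "protocol", "start"}

# Constructed sample events (not real telemetry), shaped like ECS documents.
SAMPLE_EVENTS = [
    # 1: large response from an internal resolver, identified by port 53
    {"event": {"category": ["network"], "type": ["end"]},
     "destination": {"ip": "10.0.0.53", "port": 53, "bytes": 61_234}},
    # 2: large response identified by network.protocol, unknown resolver
    {"event": {"category": ["network"], "type": ["start"]},
     "network": {"protocol": "dns"},
     "destination": {"ip": "192.0.2.10", "port": 53, "bytes": 70_001}},
    # 3: ordinary small DNS response
    {"event": {"category": ["network"], "type": ["end"]},
     "destination": {"ip": "10.0.0.53", "port": 53, "bytes": 512}},
    # 4: large flow, but not DNS by any of the three indicators
    {"event": {"category": ["network"], "type": ["end"]},
     "destination": {"ip": "198.51.100.7", "port": 443, "bytes": 70_000}},
    # 5: large Zeek DNS record, but event.type is not a flow type the rule accepts
    {"event": {"category": ["network"], "type": ["info"]},
     "data_stream": {"dataset": "zeek.dns"},
     "destination": {"ip": "10.0.0.53", "port": 53, "bytes": 65_000}},
]

# Hypothetical tuning list: resolvers whose large responses are known and expected.
EXPECTED_RESOLVERS = {"10.0.0.53"}


def _get(ev: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS path such as 'destination.bytes' through nested dicts."""
    cur: Any = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _as_set(value: Any) -> set:
    """ECS keyword fields like event.category may be a single string or a list."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def is_dns_traffic(ev: dict) -> bool:
    """First clause of the rule: DNS by port, by protocol, or by dataset."""
    by_port = (bool(_as_set(_get(ev, "event.category")) & NETWORK_CATEGORIES)
               and _get(ev, "destination.port") == 53)
    by_protocol = _get(ev, "network.protocol") == "dns"
    by_dataset = _get(ev, "data_stream.dataset") in DNS_DATASETS
    return by_port or by_protocol or by_dataset


def matches_rule(ev: dict) -> bool:
    """Full rule: DNS traffic, server-side bytes over the threshold, flow-type event."""
    size = _get(ev, "destination.bytes")
    if not isinstance(size, (int, float)):
        return False  # no byte count, so the size predicate cannot be evaluated
    return (is_dns_traffic(ev)
            and size > THRESHOLD_BYTES
            and bool(_as_set(_get(ev, "event.type")) & FLOW_TYPES))


def is_expected(ev: dict, expected_resolvers: set) -> bool:
    """Tuning from the false-positive note: known large responders are filtered out."""
    return _get(ev, "destination.ip") in expected_resolvers


def evaluate(events: list, expected_resolvers: set) -> list:
    """Return the events that match the rule and are not covered by an exception."""
    return [ev for ev in events
            if matches_rule(ev) and not is_expected(ev, expected_resolvers)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, EXPECTED_RESOLVERS):
        print("ALERT large DNS response from", hit["destination"]["ip"],
              "bytes=", hit["destination"]["bytes"])
```

Without the exception list, events 1 and 2 both alert; with the internal resolver listed as expected, only the response from the unknown resolver survives, which is the behaviour the false-positive note asks for. Keeping the exception keyed on the responding host rather than on the byte count preserves the rule's ability to catch an oversized response from a resolver that should never produce one.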