LoFP / false positives may be present if DNS data exfiltration requests look very similar to benign DNS requests (for example long, high-entropy hostnames generated by CDNs or analytics services).

Techniques

Sample rules

Detect DNS Data Exfiltration using pretrained model in DSDL

Description

The following analytic uses a pre-trained deep learning model to detect DNS data exfiltration. The model was trained on data collected by the content authors and is applied to live data. It detects low-throughput DNS tunneling (data exfiltration) using features computed from past events between the same source and domain; the search keeps the nine most recent events per src/query pair for feature computation and reports only the most recent one. The search uses macros from the URL Toolbox app to generate the features used by the model. The model accepts a DNS request as input along with a few custom features and emits a pred_is_dns_data_exfiltration_proba score (renamed is_exfiltration_score in the search). The higher the score, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is 0.5.

Detection logic


| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query 
| `drop_dm_object_name("DNS")` 
| sort - _time,src, query 
| streamstats count as rank by src query 
| where rank < 10 
| table src,query,rank,_time 
| apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl 
| table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration 
| where rank == 1 
| rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score 
| rename pred_is_dns_data_exfiltration as is_exfiltration 
| where is_exfiltration_score > 0.5 
| `security_content_ctime(_time)` 
| table src, _time,query,is_exfiltration_score,is_exfiltration 
| `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`
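The windowing and thresholding in the search above, shown as an added Python example that is not the page's or Splunk's code: events are grouped per (src, domain), sorted newest first, cut to the nine most recent (`where rank < 10`), scored, and reported once per key for the latest query (`where rank == 1`) with a 0.5 cut-off. The DSDL model itself is not available here, so a hand-written logistic scorer over assumed features (subdomain entropy, subdomain length, fraction of never-repeated subdomains) stands in for it; its weights, the two-label registered-domain split, and the sample events are all constructed assumptions.

```python
"""Stand-in for the scoring stage of the search above. It reproduces the
search's windowing (nine most recent events per (src, domain), then one row
per key) and the 0.5 threshold, but replaces the DSDL model with a
hand-written logistic scorer whose features and weights are illustrative
assumptions, not the trained model."""
import math
from collections import defaultdict

WINDOW = 9        # mirrors `where rank < 10`: nine most recent events per key
THRESHOLD = 0.5   # the page's flag threshold on the probability


def split_domain(query):
    """Assumption: the last two labels stand in for the registered domain.
    A real pipeline would use a public-suffix list (URL Toolbox does)."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s):
    """Bits per character of s; 0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(window):
    """window: (time, subdomain) pairs for one (src, domain), newest first.
    These are the kind of 'past events between the same src and domain'
    features the description refers to; the exact set is an assumption."""
    subs = [s for _, s in window]
    n = len(subs)
    return {
        "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
        "mean_len": sum(len(s) for s in subs) / n,
        "unique_frac": len(set(subs)) / n,
    }


def score(f):
    """Illustrative logistic scorer standing in for the trained model.
    Weights are made-up assumptions chosen so long, high-entropy,
    never-repeating subdomains push the probability above 0.5."""
    z = (1.2 * (f["mean_entropy"] - 3.0)
         + 0.08 * (f["mean_len"] - 20.0)
         + 2.0 * (f["unique_frac"] - 0.5)
         - 2.0)
    return 1.0 / (1.0 + math.exp(-z))


def detect(events):
    """events: iterable of (src, epoch_time, query). Returns one row per
    (src, domain) for its most recent query, like `where rank == 1`."""
    by_key = defaultdict(list)
    for src, t, query in events:
        domain, sub = split_domain(query)
        by_key[(src, domain)].append((t, sub))
    rows = []
    for (src, domain), hist in by_key.items():
        hist.sort(reverse=True)            # newest first, like `sort - _time`
        window = hist[:WINDOW]             # `where rank < 10`
        p = score(features(window))
        rows.append({
            "src": src, "domain": domain, "latest_subdomain": window[0][1],
            "is_exfiltration_score": round(p, 3),
            "is_exfiltration": p > THRESHOLD,
        })
    return rows


# Constructed sample resolution events (not real traffic).
EVENTS = [
    # Ordinary host lookups: short, repeated labels.
    ("10.0.0.5", 1700000001, "www.example.com"),
    ("10.0.0.5", 1700000002, "mail.example.com"),
    ("10.0.0.5", 1700000003, "www.example.com"),
    ("10.0.0.5", 1700000004, "mail.example.com"),
    ("10.0.0.5", 1700000005, "www.example.com"),
    # Low-throughput tunnel: one encoded chunk per query, never repeated.
    ("10.0.0.9", 1700000010, "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.example.org"),
    ("10.0.0.9", 1700000070, "f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4.t.example.org"),
    ("10.0.0.9", 1700000130, "123456789abcdef0123456789abcdef0.t.example.org"),
    ("10.0.0.9", 1700000190, "deadbeefcafef00d0123456789abcdef.t.example.org"),
    ("10.0.0.9", 1700000250, "0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.org"),
    # Benign lookalike: hashed cache-busting hostnames under a CDN-style
    # domain score the same way (the false positive the page warns about).
    ("10.0.0.7", 1700000300, "a3f9c0e1d2b4a5c6d7e8f9a0b1c2d3e4.cdn.example.net"),
    ("10.0.0.7", 1700000301, "b7e2d1c0f9a8b7c6d5e4f3a2b1c0d9e8.cdn.example.net"),
    ("10.0.0.7", 1700000302, "c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.cdn.example.net"),
]


def flagged_sources(events=EVENTS):
    """Sources whose most recent window crosses the threshold."""
    return sorted(r["src"] for r in detect(events) if r["is_exfiltration"])


if __name__ == "__main__":
    for row in detect(EVENTS):
        print(row)
```

Running it flags both 10.0.0.9 (the tunnel) and 10.0.0.7 (the CDN-style hostnames) while leaving 10.0.0.5 near zero: the benign lookalike is exactly the false positive the page warns about, which is why the search ends in a filter macro where known CDN and analytics domains can be excluded.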