false positives may be present if dns txt record contents are similar to benign dns txt record contents.

Techniques

T1568.002

Sample rules

Detect suspicious DNS TXT records using pretrained model in DSDL

source: splunk
technicques:
- T1568.002

Description

The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type 
| `drop_dm_object_name("DNS")` 
| rename answer as text 
| fields firstTime, lastTime, message_type,record_type,src,dest, text 
| apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl 
| rename predicted_is_unknown as is_suspicious_score 
| where is_suspicious_score > 0.5 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score 
| `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`