LoFP / It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.

Techniques

Sample rules

Detect Long DNS TXT Record Response

Description

This search is used to detect attempts at DNS tunneling by calculating the length of the answers returned for DNS TXT queries. Endpoints using DNS as a transport for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type
| `drop_dm_object_name("DNS")`
| eval anslen=len(answer)
| search anslen>100
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer", anslen as "Answer Length", record_type as "DNS Record Type", firstTime as "First Time", lastTime as "Last Time", count as Count
| table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time"
| `detect_long_dns_txt_record_response_filter`
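The following Python block is an added illustration of the search logic above, not part of the LoFP page or of the Splunk rule itself. It replays the same steps (keep only TXT responses, aggregate by source, destination, answer and record type, then keep groups whose answer length exceeds the threshold) over a handful of constructed DNS response records, including a legitimately long DKIM TXT record of the kind the false-positive note refers to. The field names and sample values are assumptions chosen to match the data model fields the search uses; the `threshold` parameter stands in for the `anslen>100` cutoff so the effect of tuning it can be seen directly.

```python
from collections import OrderedDict

# Constructed sample events in the shape the Network_Resolution data model
# exposes after drop_dm_object_name("DNS"): one dict per DNS event.
SAMPLE_RECORDS = [
    # Short, ordinary SPF record: well under the 100-character cutoff.
    {"_time": 1700000000, "src": "10.0.0.5", "dest": "10.0.0.53",
     "message_type": "response", "record_type": "TXT",
     "answer": "v=spf1 include:_spf.example.com ~all"},
    # Legitimate but long TXT answer (a DKIM public key): the false-positive case
    # the LoFP note describes. Key material is a constructed placeholder.
    {"_time": 1700000010, "src": "10.0.0.5", "dest": "10.0.0.53",
     "message_type": "response", "record_type": "TXT",
     "answer": "v=DKIM1; k=rsa; p=" + "A" * 216},
    # The same long, encoded-looking TXT answer returned repeatedly to one host:
    # the pattern the rule is meant to surface.
    {"_time": 1700000020, "src": "10.0.0.7", "dest": "10.0.0.53",
     "message_type": "response", "record_type": "TXT",
     "answer": "MDEyMzQ1Njc4OUFCQ0RFRg" * 8},
    {"_time": 1700000030, "src": "10.0.0.7", "dest": "10.0.0.53",
     "message_type": "response", "record_type": "TXT",
     "answer": "MDEyMzQ1Njc4OUFCQ0RFRg" * 8},
    # An A-record response and a TXT query are excluded by the where clause.
    {"_time": 1700000040, "src": "10.0.0.7", "dest": "10.0.0.53",
     "message_type": "response", "record_type": "A", "answer": "93.184.216.34"},
    {"_time": 1700000050, "src": "10.0.0.7", "dest": "10.0.0.53",
     "message_type": "query", "record_type": "TXT", "answer": ""},
]


def detect_long_txt_responses(records, threshold=100):
    """Mirror the SPL search: filter to TXT responses, aggregate count/firstTime/lastTime
    by (src, dest, answer, record_type), then keep groups whose answer length exceeds
    `threshold`. Returns rows with the same column names the search's table command uses."""
    groups = OrderedDict()
    for r in records:
        # where DNS.message_type=response AND DNS.record_type=TXT
        if r["message_type"] != "response" or r["record_type"] != "TXT":
            continue
        key = (r["src"], r["dest"], r["answer"], r["record_type"])
        g = groups.setdefault(key, {"count": 0, "firstTime": r["_time"], "lastTime": r["_time"]})
        g["count"] += 1                                  # count
        g["firstTime"] = min(g["firstTime"], r["_time"])  # min(_time) as firstTime
        g["lastTime"] = max(g["lastTime"], r["_time"])    # max(_time) as lastTime

    rows = []
    for (src, dest, answer, rtype), g in groups.items():
        anslen = len(answer)          # eval anslen=len(answer)
        if anslen > threshold:        # search anslen>100
            rows.append({
                "Source IP": src, "Destination IP": dest, "DNS Answer": answer,
                "DNS Record Type": rtype, "Answer Length": anslen, "Count": g["count"],
                "First Time": g["firstTime"], "Last Time": g["lastTime"],
            })
    return rows


if __name__ == "__main__":
    # With the rule's default cutoff both the DKIM record and the repeated answer fire;
    # the DKIM hit is the false positive the LoFP note warns about.
    for row in detect_long_txt_responses(SAMPLE_RECORDS, threshold=100):
        print(row["Source IP"], row["Answer Length"], row["Count"], row["DNS Answer"][:24])
```

Raising the threshold is the page's suggested mitigation, and the function makes its cost visible: a cutoff above the length of the repeated answer (176 characters here) silences the DKIM false positive but also drops the tunneling-style hit, which is why the second output column, the repeat count per source, is worth keeping in view alongside the length when tuning.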