analyzing-dns-logs-for-exfiltration

Featured

Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Analyzing DNS Logs for Exfiltration ## When to Use Use this skill when: - SOC teams suspect data exfiltration through DNS tunneling to bypass firewall/proxy controls - Threat intelligence indicates adversaries using DNS-based C2 channels (e.g., Cobalt Strike DNS beacon) - UEBA detects anomalous DNS query volumes from specific hosts - Malware analysis reveals DNS-over-HTTPS (DoH) or DNS tunneling capabilities **Do not use** for standard DNS troubleshooting or availability monitoring — this skill focuses on security-relevant DNS abuse detection. ## Prerequisites - DNS query logging enabled (Windows DNS Server, Bind, Infoblox, or Cisco Umbrella) - DNS logs ingested into SIEM (Splunk with `Stream:DNS`, `dns` sourcetype, or Zeek DNS logs) - Passive DNS data for historical domain resolution analysis - Baseline of normal DNS behavior (query volume, domain distribution, TXT record frequency) - Python with `math` and `collections` libraries for entropy calculation ## Workflow ### Step 1: Detect DNS Tunneling via Subdomain Length Analysis DNS tunneling encodes data in subdomain labels, creating unusually long queries: ```spl index=dns sourcetype="stream:dns" query_type IN ("A", "AAAA", "TXT", "CNAME", "MX") | eval domain_parts = split(query, ".") | eval subdomain = mvindex(domain_parts, 0, mvcount(domain_parts)-3) | eval subdomain_str = mvjoin(subdomain, ".") | eval subdomain_len = len(subdomain_str) | eval tld = mvindex(domain_parts, -1) | eval registered_domain = mvindex(d...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-dns-exfiltration-with-dns-query-analysis

Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-exfiltration-over-dns-with-zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-dns-tunneling-with-zeek

Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-command-and-control-over-dns

Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection, ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification.

12,642 Updated today
mukul975
AI & Automation Solid

performing-dns-tunneling-detection

Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.

12,642 Updated today
mukul975