detecting-command-and-control-over-dns

Featured

Detects command-and-control (C2) communications tunneled through the DNS protocol, including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection, ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · Apache-2.0

Quality Score: 99/100

Component       Weight   Score
Stars           20%      100
Recency         20%      100
Frontmatter     20%      70
Documentation   15%      100
Issue Health    10%      50
License         10%      100
Description     5%       100

Skill Content

# Detecting Command and Control Over DNS

## When to Use

- Investigating suspected DNS tunneling used for C2 communication or data exfiltration
- Analyzing DNS query logs for signs of encoded payloads in subdomain strings
- Classifying domains as DGA-generated vs. legitimate using statistical or ML methods
- Detecting DNS beaconing patterns (regular intervals, consistent query sizes)
- Hunting for Iodine, dnscat2, dns2tcp, Cobalt Strike DNS, or Sliver DNS traffic
- Monitoring TXT record abuse for command delivery or staged payload download
- Building DNS anomaly detection rules for SOC/SIEM deployment

**Do not use** for general DNS performance monitoring or DNS configuration auditing; use DNS health monitoring tools for those. For HTTP/HTTPS-based C2 detection, use network traffic analysis skills focused on web protocols.

**DISCLAIMER**: The DNS tunneling tools referenced in this skill (Iodine, dnscat2, dns2tcp) are dual-use. They have legitimate uses (bypassing captive portals, security research) and malicious uses (C2 channels, exfiltration). Only deploy detection in networks you are authorized to monitor. Testing tunneling tools requires explicit authorization.

## Prerequisites

- DNS query logs from a recursive resolver, Zeek/Bro, Suricata, or a passive DNS tap
- Python 3.9+ with `numpy`, `scikit-learn`, `pandas`, `tldextract`, and `dnspython`
- Zeek (formerly Bro) with dns.log output, or Suricata with DNS EVE JSON logging
- SIEM access (Splunk, Elastic, Microsoft Sentinel) fo...
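The description and the "When to Use" list above name three detection ideas without showing them: Shannon entropy of the subdomain labels, tunnel-friendly record types such as TXT, and beaconing as near-constant query intervals. The following is an added example written for this page, not code from the skill or the mukul975/Anthropic-Cybersecurity-Skills repository. It uses only the Python standard library so it runs offline; the log lines are constructed (a reduced set of Zeek dns.log fields, not real traffic), the registrable-domain split is a deliberate simplification (last two labels) standing in for the `tldextract` public-suffix handling the skill's prerequisites call for, and the thresholds are assumptions a deployment would tune against its own baseline.

```python
"""Heuristic DNS C2 detection over constructed Zeek-style dns.log records.

Added example, not code from the skill or its repository. It implements
three checks the skill lists using only the standard library: Shannon
entropy and length of the subdomain part of each query, tunnel-friendly
record types (TXT/NULL), and beaconing as near-constant inter-query
intervals from one client to one zone. The zone split (last two labels)
is an assumption that stands in for tldextract's public-suffix logic.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample: a reduced set of Zeek dns.log fields, not real traffic.
# 10.0.0.7 issues long, high-entropy TXT queries to tunnel.example about
# every 5 s (dnscat2/Iodine-style); 10.0.0.5 browses normally.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name
1700000000.10\t10.0.0.5\twww.example.com\tA
1700000000.20\t10.0.0.5\tmail.example.com\tMX
1700000005.00\t10.0.0.7\tk3qxv0dmf5cz1wlpa2ebyn4rhjgsutoi.tunnel.example\tTXT
1700000010.02\t10.0.0.7\tr7tbw4nzh9ysc6ukq8jmpx5gvfealdio.tunnel.example\tTXT
1700000011.00\t10.0.0.5\tcdn.example.com\tA
1700000015.01\t10.0.0.7\tmc0vju2eoan4xtbqz6hsrk8yfgp9lwid.tunnel.example\tTXT
1700000019.98\t10.0.0.7\tz1ayp3wg5lro7ucn9kjb0xhvmsiqedft.tunnel.example\tTXT
1700000025.03\t10.0.0.7\th6fdt2sbq8ok3rm7valz1pjyexcgwuin.tunnel.example\tTXT
1700000030.00\t10.0.0.7\tu9cxbm4opwt0ehrg5snkz8lyfj3avdqi.tunnel.example\tTXT
1700000200.00\t10.0.0.5\tstatic.example.com\tA
1700000600.00\t10.0.0.5\tapi.example.com\tA
"""

# Record types commonly used to carry tunnel payloads (assumed watch list).
TUNNEL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character, computed over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (subdomain, zone). Simplification: the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse tab-separated records, skipping Zeek-style '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "query": query, "qtype": qtype})
    return records


def score_query(rec, entropy_threshold=3.5, length_threshold=30):
    """Per-query indicators: long subdomain, high-entropy subdomain, tunnel qtype."""
    sub, zone = split_query(rec["query"])
    stripped = sub.replace(".", "")          # entropy over the encoded payload only
    ent = shannon_entropy(stripped)
    reasons = []
    if len(stripped) >= length_threshold:
        reasons.append(f"long_subdomain({len(stripped)})")
    if ent >= entropy_threshold:
        reasons.append(f"high_entropy({ent:.2f})")
    if rec["qtype"] in TUNNEL_QTYPES:
        reasons.append(f"qtype_{rec['qtype']}")
    return zone, ent, reasons


def find_beacons(records, min_queries=5, max_cv=0.1):
    """Per (client, zone): a low coefficient of variation of the inter-query
    gaps means the client asks at a near-constant interval, i.e. a beacon."""
    times = defaultdict(list)
    for rec in records:
        _, zone = split_query(rec["query"])
        times[(rec["orig_h"], zone)].append(rec["ts"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"interval": mean, "cv": cv, "count": len(ts)}
    return beacons


def analyze(text: str):
    """Run per-query scoring and beacon detection over a dns.log text."""
    records = parse_log(text)
    suspicious = []
    for rec in records:
        _, _, reasons = score_query(rec)
        if reasons:
            suspicious.append((rec["orig_h"], rec["query"], reasons))
    return {"suspicious_queries": suspicious, "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, q, why in result["suspicious_queries"]:
        print(f"{src} {q}: {', '.join(why)}")
    for (src, zone), b in result["beacons"].items():
        print(f"beacon {src} -> {zone}: {b['count']} queries every "
              f"{b['interval']:.1f}s (cv={b['cv']:.3f})")
```

Run as a script it flags the six `tunnel.example` TXT queries on all three per-query indicators and reports `10.0.0.7 -> tunnel.example` as a 5-second beacon, while the five `example.com` lookups from 10.0.0.5 pass both the per-query checks and the beacon test (their gaps are wildly irregular). Each check on its own produces false positives on legitimate traffic (CDN hostnames and DKIM/SPF TXT lookups score high on entropy or qtype; NTP and monitoring agents beacon), so in a SIEM deployment the indicators should be combined per client and zone and baselined against known-good traffic rather than alerted on individually.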

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-dns-exfiltration-with-dns-query-analysis

Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.

mukul975 · 12,642 stars · Updated today
AI & Automation Featured

analyzing-dns-logs-for-exfiltration

Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.

mukul975 · 12,642 stars · Updated today
AI & Automation Featured

detecting-exfiltration-over-dns-with-zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

mukul975 · 12,642 stars · Updated today
AI & Automation Featured

analyzing-network-covert-channels-in-malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

mukul975 · 12,642 stars · Updated today
AI & Automation Featured

hunting-for-dns-tunneling-with-zeek

Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.

mukul975 · 12,642 stars · Updated today