Detection rules › Panther
DNS Base64 Encoded Query
Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfil.
Rule body (yaml)

AnalysisType: rule
DisplayName: "DNS Base64 Encoded Query"
Description: Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfil.
RuleID: "Standard.DNSBase64"
Enabled: false
Filename: standard_dns_base64.py
Reference: https://zofixer.com/what-is-base64-disclosure-vulnerability/
Severity: Medium
DedupPeriodMinutes: 60
Threshold: 1
LogTypes:
  - Crowdstrike.FDREvent
  - AWS.VPCDns
  - CiscoUmbrella.DNS
Tests:
  - Name: AWS VPC DNS (Positive)
    ExpectedResult: true
    Log:
      {
        "account_id": "123456789012",
        "answers": [{ "Class": "IN", "Rdata": "172.31.46.187", "Type": "A" }],
        "p_log_type": "AWS.VPCDns",
        "query_class": "IN",
        "query_name": "c29tZSBsb25nIGJhc2U2NCBzdHJpbmc=.file1.16s.us",
        "query_timestamp": "2023-04-11 01:29:20",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "172.31.46.187",
        "srcids": { "instance": "i-09d9aa4e31675db61" },
        "srcport": "36899",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-c26c48ba",
      }
  - Name: AWS VPC DNS (Negative)
    ExpectedResult: false
    Log:
      {
        "account_id": "123456789012",
        "answers": [{ "Class": "IN", "Rdata": "172.31.46.187", "Type": "A" }],
        "p_log_type": "AWS.VPCDns",
        "query_class": "IN",
        "query_name": "test.com",
        "query_timestamp": "2023-04-11 01:29:20",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "172.31.46.187",
        "srcids": { "instance": "i-09d9aa4e31675db61" },
        "srcport": "36899",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-c26c48ba",
      }
  - Name: AWS VPC DNS subdomain (Negative)
    ExpectedResult: false
    Log:
      {
        "account_id": "123456789012",
        "answers": [{ "Class": "IN", "Rdata": "172.31.46.187", "Type": "A" }],
        "p_log_type": "AWS.VPCDns",
        "query_class": "IN",
        "query_name": "=.test.com",
        "query_timestamp": "2023-04-11 01:29:20",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "172.31.46.187",
        "srcids": { "instance": "i-09d9aa4e31675db61" },
        "srcport": "36899",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-c26c48ba",
      }
  - Name: Crowdstrike DNS Request (Positive)
    ExpectedResult: true
    Log:
      {
        "ConfigBuild": "1007.3.0016606.11",
        "ConfigStateHash": "1331552299",
        "ContextProcessId": "21866918",
        "ContextThreadId": "43270698197",
        "ContextTimeStamp": "2023-04-23 18:50:03.172",
        "Entitlements": "15",
        "aid": "877761efa8db44d792ddc2redacted",
        "aip": "1.1.1.1",
        "cid": "cfe698690964434083fecdredacted",
        "event":
          {
            "ConfigBuild": "1007.3.0016606.11",
            "ConfigStateHash": "1331552299",
            "ContextProcessId": "21866918",
            "ContextThreadId": "43270698197",
            "ContextTimeStamp": "1682275803.172",
            "DnsRequestCount": "1",
            "DomainName": "VGhpcyBpcyBhIHN1c3BpY2lvdXMgZGF0YSBleGZpbHRyYXRpb24gY2h1bms=.example.com.",
            "DualRequest": "0",
            "EffectiveTransmissionClass": "3",
            "Entitlements": "15",
            "EventOrigin": "1",
            "InterfaceIndex": "0",
            "QueryStatus": "9003",
            "RequestType": "1",
            "aid": "877761efa8db44d792ddc2redacted",
            "aip": "1.1.1.1",
            "cid": "cfe698690964434083fecdredacted",
            "event_platform": "Win",
            "event_simpleName": "DnsRequest",
            "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
            "name": "DnsRequestV4",
            "timestamp": "1682275805712",
          },
        "event_platform": "Win",
        "event_simpleName": "DnsRequest",
        "fdr_event_type": "DnsRequest",
        "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
        "name": "DnsRequestV4",
        "p_any_domain_names": ["win8.ipv6.microsoft.com"],
        "p_any_ip_addresses": ["1.1.1.1"],
        "p_any_md5_hashes":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_any_trace_ids":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_event_time": "2023-04-23 18:50:03.172",
        "p_log_type": "Crowdstrike.FDREvent",
        "p_parse_time": "2023-04-23 19:00:53.11",
        "p_row_id": "f2c89ec8f09cbc8ca2c1cbdf171a",
        "p_schema_version": 0,
        "p_source_id": "1f33f64c-124d-413c-a9e3-d51ccedd8e77",
        "p_source_label": "Crowdstrike-FDR-Dev",
        "timestamp": "2023-04-23 18:50:05.712",
      }
  - Name: Crowdstrike DNS Request (Negative)
    ExpectedResult: false
    Log:
      {
        "ConfigBuild": "1007.3.0016606.11",
        "ConfigStateHash": "1331552299",
        "ContextProcessId": "21866918",
        "ContextThreadId": "43270698197",
        "ContextTimeStamp": "2023-04-23 18:50:03.172",
        "Entitlements": "15",
        "aid": "877761efa8db44d792ddc2redacted",
        "aip": "1.1.1.1",
        "cid": "cfe698690964434083fecdredacted",
        "event":
          {
            "ConfigBuild": "1007.3.0016606.11",
            "ConfigStateHash": "1331552299",
            "ContextProcessId": "21866918",
            "ContextThreadId": "43270698197",
            "ContextTimeStamp": "1682275803.172",
            "DnsRequestCount": "1",
            "DomainName": "win8.ipv6.microsoft.com.",
            "DualRequest": "0",
            "EffectiveTransmissionClass": "3",
            "Entitlements": "15",
            "EventOrigin": "1",
            "InterfaceIndex": "0",
            "QueryStatus": "9003",
            "RequestType": "1",
            "aid": "877761efa8db44d792ddc2redacted",
            "aip": "1.1.1.1",
            "cid": "cfe698690964434083fecdredacted",
            "event_platform": "Win",
            "event_simpleName": "DnsRequest",
            "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
            "name": "DnsRequestV4",
            "timestamp": "1682275805712",
          },
        "event_platform": "Win",
        "event_simpleName": "DnsRequest",
        "fdr_event_type": "DnsRequest",
        "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
        "name": "DnsRequestV4",
        "p_any_domain_names": ["win8.ipv6.microsoft.com"],
        "p_any_ip_addresses": ["1.1.1.1"],
        "p_any_md5_hashes":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_any_trace_ids":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_event_time": "2023-04-23 18:50:03.172",
        "p_log_type": "Crowdstrike.FDREvent",
        "p_parse_time": "2023-04-23 19:00:53.11",
        "p_row_id": "f2c89ec8f09cbc8ca2c1cbdf171a",
        "p_schema_version": 0,
        "p_source_id": "1f33f64c-124d-413c-a9e3-d51ccedd8e77",
        "p_source_label": "Crowdstrike-FDR-Dev",
        "timestamp": "2023-04-23 18:50:05.712",
      }
  - Name: Cisco Umbrella DNS Request (Positive)
    ExpectedResult: true
    Log:
      {
        "action": "Allow",
        "internalIp": "136.24.229.58",
        "externalIp": "136.24.229.58",
        "timestamp": "2020-05-21 19:20:25.000",
        "responseCode": "NOERROR",
        "domain": "c29tZSBsb25nIGJhc2U2NCBzdHJpbmc=.example.io.",
        "p_log_type": "CiscoUmbrella.DNS",
      }
  - Name: Cisco Umbrella DNS Request (Negative)
    ExpectedResult: false
    Log:
      {
        "action": "Allow",
        "internalIp": "136.24.229.58",
        "externalIp": "136.24.229.58",
        "timestamp": "2020-05-21 19:20:25.000",
        "responseCode": "NOERROR",
        "domain": "c29tZSBsb25IGJhc2.example.io.",
        "p_log_type": "CiscoUmbrella.DNS",
      }
  - Name: Crowdstrike no query
    ExpectedResult: false
    Log:
      {
        "ConfigBuild": "1007.3.0016606.11",
        "ConfigStateHash": "1331552299",
        "ContextProcessId": "21866918",
        "ContextThreadId": "43270698197",
        "ContextTimeStamp": "2023-04-23 18:50:03.172",
        "Entitlements": "15",
        "aid": "877761efa8db44d792ddc2redacted",
        "aip": "1.1.1.1",
        "cid": "cfe698690964434083fecdredacted",
        "event":
          {
            "ConfigBuild": "1007.3.0016606.11",
            "ConfigStateHash": "1331552299",
            "ContextProcessId": "21866918",
            "ContextThreadId": "43270698197",
            "ContextTimeStamp": "1682275803.172",
            "DnsRequestCount": "1",
            "DualRequest": "0",
            "EffectiveTransmissionClass": "3",
            "Entitlements": "15",
            "EventOrigin": "1",
            "InterfaceIndex": "0",
            "QueryStatus": "9003",
            "RequestType": "1",
            "aid": "877761efa8db44d792ddc2redacted",
            "aip": "1.1.1.1",
            "cid": "cfe698690964434083fecdredacted",
            "event_platform": "Win",
            "event_simpleName": "DnsRequest",
            "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
            "name": "DnsRequestV4",
            "timestamp": "1682275805712",
          },
        "event_platform": "Win",
        "event_simpleName": "DnsRequest",
        "fdr_event_type": "DnsRequest",
        "id": "4f006a14-0fdf-474e-bfca-021a00a935ad",
        "name": "DnsRequestV4",
        "p_any_domain_names": ["win8.ipv6.microsoft.com"],
        "p_any_ip_addresses": ["1.1.1.1"],
        "p_any_md5_hashes":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_any_trace_ids":
          ["877761efa8db44d792ddc2redacted", "cfe698690964434083fecdredacted"],
        "p_event_time": "2023-04-23 18:50:03.172",
        "p_log_type": "Crowdstrike.FDREvent",
        "p_parse_time": "2023-04-23 19:00:53.11",
        "p_row_id": "f2c89ec8f09cbc8ca2c1cbdf171a",
        "p_schema_version": 0,
        "p_source_id": "1f33f64c-124d-413c-a9e3-d51ccedd8e77",
        "p_source_label": "Crowdstrike-FDR-Dev",
        "timestamp": "2023-04-23 18:50:05.712",
      }
  - Name: Crowdstrike 32-char service ID (Negative)
    ExpectedResult: false
    Log:
      {
        "aid": "d825772fcca046f3b2876decaafacd60",
        "aip": "83.106.110.25",
        "cid": "e4a46c2a445744f7860dcf62bf1b6ad4",
        "event":
          {
            "DomainName": "4ifgvg5jcq6meu7m4acon5vnfa0kocom.cloudfront.net.",
            "event_platform": "Win",
            "event_simpleName": "DnsRequest",
          },
        "event_platform": "Win",
        "event_simpleName": "DnsRequest",
        "fdr_event_type": "DnsRequest",
        "p_log_type": "Crowdstrike.FDREvent",
      }
  - Name: AWS VPC DNS - label decodes to CJK (Negative - isascii fix)
    ExpectedResult: false
    Log:
      {
        "account_id": "123456789012",
        "p_log_type": "AWS.VPCDns",
        "query_class": "IN",
        "query_name": "c2VydmljZXPkuK1pZGVudGlmaWVy.serviceregistry.internal",
        "query_timestamp": "2024-01-01 00:00:00",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-east-1",
        "srcaddr": "10.0.0.1",
        "version": "1.000000",
        "vpc_id": "vpc-12345678",
      }
  - Name: AWS VPC DNS - label decodes to pure ASCII exfil data (Positive)
    ExpectedResult: true
    Log:
      {
        "account_id": "123456789012",
        "p_log_type": "AWS.VPCDns",
        "query_class": "IN",
        "query_name": "c2VjcmV0LWRhdGEtZXhmaWwtY2h1bms.malicious.com",
        "query_timestamp": "2024-01-01 00:00:00",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-east-1",
        "srcaddr": "10.0.0.1",
        "version": "1.000000",
        "vpc_id": "vpc-12345678",
      }
Detection logic

Condition: dns_query is_not_null

This rule also runs imperative logic (the Python body in standard_dns_base64.py) that the parser cannot express as a filter; the condition above is the structured part it could extract.

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column, where present, counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; blank or 1 shows that the indicator is specific to this rule.

| Field | Kind | Values |
|---|---|---|
| dns_query | is_not_null | |

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block, where $risk_score drives alerting; Sentinel and Defender XDR rules build them up through project / summarize / extend stages and surface them through entityMappings and customDetails or as alert fields directly. A Panther Python rule such as this one returns them from its title() and alert_context() functions, so only the field recoverable without the Python body is listed here.

| Field |
|---|
| source_ip |
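The Python body the rule runs is not on this page, so the following is an added re-implementation of the logic its test cases imply, written in the shape of a Panther Python rule (rule() and alert_context()). It is not Panther's own standard_dns_base64.py. Everything beyond the test vectors is an assumption: the field paths per log type (read off the sample events), the helper names deep_get and get_dns_query, the MIN_LABEL_LEN cut-off, the alert_context() layout, and the decision to require printable ASCII rather than just isascii(). It goes slightly beyond the page in one respect: labels without trailing "=" padding are normalised before decoding, which is what the "malicious.com" positive case needs.

```python
"""Added example: the detection logic implied by the test cases above, written in
the shape of a Panther Python rule. It is not Panther's standard_dns_base64.py,
which this page does not show."""
import base64
import re

# Assumption: where each supported log type keeps the queried name and the client
# address (read off the sample events above, not from Panther's own helpers).
QUERY_PATH = {"AWS.VPCDns": ("query_name",), "Crowdstrike.FDREvent": ("event", "DomainName"),
              "CiscoUmbrella.DNS": ("domain",)}
SOURCE_IP_PATH = {"AWS.VPCDns": ("srcaddr",), "Crowdstrike.FDREvent": ("aip",),
                  "CiscoUmbrella.DNS": ("internalIp",)}
# Standard alphabet with optional trailing padding; base64url ("-", "_") is left out
# on purpose because hyphens are common in legitimate hostnames.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LABEL_LEN = 8  # tuning knob (assumption): shorter labels decode by accident too often


def deep_get(event, path):
    """Walk a tuple of keys into nested dicts; None if any hop is missing."""
    for key in path:
        if not isinstance(event, dict):
            return None
        event = event.get(key)
    return event


def get_dns_query(event):
    path = QUERY_PATH.get(event.get("p_log_type"))
    return deep_get(event, path) if path else None


def decode_label(label):
    """Decoded bytes if `label` is well-formed standard base64, else None.
    Missing padding is tolerated (the malicious.com sample carries none)."""
    if len(label) < MIN_LABEL_LEN or not B64_LABEL.match(label):
        return None
    data = label.rstrip("=")
    if len(data) % 4 == 1:  # no base64 string has a data length of 4n+1
        return None
    try:
        return base64.b64decode(data + "=" * (-len(data) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_encoded_text(decoded):
    """The page's isascii check, tightened to printable ASCII so random bytes that
    happen to be 7-bit clean do not fire."""
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


def find_base64_label(query):
    """First (label, decoded_text) in the query that passes both checks, else None."""
    for label in query.rstrip(".").split("."):
        decoded = decode_label(label)
        if decoded is not None and looks_like_encoded_text(decoded):
            return label, decoded.decode("ascii")
    return None


def rule(event):
    query = get_dns_query(event)
    if not query:  # the "dns_query is_not_null" condition from the detection logic
        return False
    return find_base64_label(query) is not None


def alert_context(event):
    """Emits the source_ip output field plus what was decoded, for the analyst."""
    query = get_dns_query(event) or ""
    hit = find_base64_label(query)
    ip_path = SOURCE_IP_PATH.get(event.get("p_log_type"))
    return {"dns_query": query, "source_ip": deep_get(event, ip_path) if ip_path else None,
            "matched_label": hit[0] if hit else None, "decoded": hit[1] if hit else None}


# Constructed samples condensed from the rule's own test cases: (event, expected verdict).
SAMPLE_EVENTS = [
    ({"p_log_type": "AWS.VPCDns", "srcaddr": "172.31.46.187",
      "query_name": "c29tZSBsb25nIGJhc2U2NCBzdHJpbmc=.file1.16s.us"}, True),
    ({"p_log_type": "AWS.VPCDns", "query_name": "test.com"}, False),
    ({"p_log_type": "AWS.VPCDns", "query_name": "=.test.com"}, False),
    ({"p_log_type": "Crowdstrike.FDREvent", "aip": "1.1.1.1", "event": {
        "DomainName": "VGhpcyBpcyBhIHN1c3BpY2lvdXMgZGF0YSBleGZpbHRyYXRpb24gY2h1bms=.example.com."}}, True),
    ({"p_log_type": "Crowdstrike.FDREvent", "event": {"DomainName": "win8.ipv6.microsoft.com."}}, False),
    ({"p_log_type": "Crowdstrike.FDREvent", "event": {}}, False),
    ({"p_log_type": "Crowdstrike.FDREvent",
      "event": {"DomainName": "4ifgvg5jcq6meu7m4acon5vnfa0kocom.cloudfront.net."}}, False),
    ({"p_log_type": "CiscoUmbrella.DNS", "domain": "c29tZSBsb25nIGJhc2U2NCBzdHJpbmc=.example.io."}, True),
    ({"p_log_type": "CiscoUmbrella.DNS", "domain": "c29tZSBsb25IGJhc2.example.io."}, False),
    ({"p_log_type": "AWS.VPCDns", "query_name": "c2VydmljZXPkuK1pZGVudGlmaWVy.serviceregistry.internal"}, False),
    ({"p_log_type": "AWS.VPCDns", "query_name": "c2VjcmV0LWRhdGEtZXhmaWwtY2h1bms.malicious.com"}, True),
]


def check_samples():
    """Queries whose verdict differs from the expected one; empty means all pass."""
    return [get_dns_query(e) for e, expected in SAMPLE_EVENTS if rule(e) != expected]
```

Two caveats worth keeping in mind when tuning this. First, it only recognises the standard base64 alphabet; a tool that emits base64url (`-`, `_`) or hex labels walks straight past it, and each DNS label is capped at 63 octets, so real exfil shows up as many short queries rather than one long one, which is why Threshold and DedupPeriodMinutes matter as much as the decoder. Second, any label that decodes to printable ASCII fires, so long random-looking labels under CDN, telemetry or service-discovery zones are the usual false positives; MIN_LABEL_LEN and an allowlist of parent domains are the two knobs to turn before enabling the rule.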