VPC DNS Tunneling

Severity
medium
Tags
Defense Evasion:Network Boundary Bridging
Source
github.com/panther-labs/panther-analysis

Detect DNS tunneling traffic using a scheduled query

MITRE ATT&CK coverage

Tactic              Techniques
Defense Impairment  T1599 Network Boundary Bridging

Rule body (yaml)

AnalysisType: scheduled_rule
Filename: vpc_dns_tunneling.py
RuleID: "VPC.DNS.Tunneling"
DisplayName: "VPC DNS Tunneling"
Description: >
  Detect dns tunneling traffic using a scheduled query
Reports:
  MITRE ATT&CK:
    - TA0005:T1599
Tags:
  - Defense Evasion:Network Boundary Bridging
Enabled: false
ScheduledQueries:
  - Query.VPC.DNS.Tunneling
Severity: Medium
Tests:
  - Name: Value Returned By Query
    ExpectedResult: true
    Log:
      Anything: any value

Detection logic

Filter

def rule(_):
    # All selection happens in the scheduled query (Query.VPC.DNS.Tunneling);
    # every row that query returns is treated as a match.
    return True
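The scheduled query Query.VPC.DNS.Tunneling is not shown on this page, and the filter above returns True because the query does the selection. As an added illustration that is not Panther's query or code, the following Python scores constructed Route 53 resolver-style query records per (source, domain) pair on indicators commonly associated with DNS tunneling: many distinct subdomains, unusually long labels, and high label entropy. The field names `srcaddr` and `query_name`, the thresholds, and the last-two-labels domain split are assumptions made here for the example.

```python
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(query_name: str, registrable_labels: int = 2):
    """Split 'a.b.example.com.' into ('a.b', 'example.com').

    Assumption: the registrable domain is the last two labels; a real
    deployment would consult the public suffix list instead.
    """
    labels = [lbl for lbl in query_name.lower().rstrip(".").split(".") if lbl]
    if len(labels) <= registrable_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-registrable_labels]), ".".join(labels[-registrable_labels:])


def tunneling_findings(records, min_queries=5, min_unique_sub=5,
                       long_label=30, high_entropy=3.5):
    """Aggregate query records per (srcaddr, domain) and return the pairs
    whose subdomain mix looks like encoded data rather than hostnames."""
    groups = defaultdict(lambda: {"count": 0, "subdomains": set(),
                                  "label_lens": [], "entropies": []})
    for rec in records:
        sub, dom = split_name(rec["query_name"])
        g = groups[(rec["srcaddr"], dom)]
        g["count"] += 1
        if sub:
            g["subdomains"].add(sub)
            # Longest single label in the subdomain part; tunnels pack data here.
            g["label_lens"].append(max(len(lbl) for lbl in sub.split(".")))
            g["entropies"].append(shannon_entropy(sub.replace(".", "")))

    findings = []
    for (src, dom), g in groups.items():
        # Edge case: too few queries or too little subdomain variety is not
        # enough evidence, regardless of how odd a single name looks.
        if g["count"] < min_queries or len(g["subdomains"]) < min_unique_sub:
            continue
        avg_len = sum(g["label_lens"]) / len(g["label_lens"])
        avg_ent = sum(g["entropies"]) / len(g["entropies"])
        if avg_len >= long_label or avg_ent >= high_entropy:
            findings.append({
                "srcaddr": src, "domain": dom, "queries": g["count"],
                "unique_subdomains": len(g["subdomains"]),
                "avg_longest_label": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return findings


# Constructed sample records (not real log data). The first host resolves
# ordinary hostnames; the second sends long, high-variety labels to one domain.
SAMPLE_QUERIES = [
    {"srcaddr": "10.0.1.5", "query_name": f"{h}.example.com."}
    for h in ("www", "api", "mail", "cdn", "static", "docs")
] + [
    {"srcaddr": "10.0.2.9", "query_name": f"{lbl}.t.evil-example.net."}
    for lbl in (
        "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpq",
        "gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy",
        "krsxg5dsmfyhk3ttmfsxe43fnrxw2ltmnfrxg4dsmf",
        "ovsxg5dsmfzgs43emfyhi5dborss4y3pnvsxezltmf",
        "nfsxk3ttmfyhi5dborrgc4tfmn2gczdimvzgk4tfnr",
        "pfsxg43fmnzgk5bamfzgkidqnfqs4y3pnu4ekidpmf",
    )
] + [
    # Same host, but only two odd queries to another domain: below min_queries.
    {"srcaddr": "10.0.2.9", "query_name": "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.other-example.org."},
    {"srcaddr": "10.0.2.9", "query_name": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.other-example.org."},
]


if __name__ == "__main__":
    for f in tunneling_findings(SAMPLE_QUERIES):
        print(f)
```

In a Panther deployment this aggregation would live in the scheduled SQL query, grouping by source address and registrable domain over a time window, so that `rule()` only needs to accept whatever rows come back; the thresholds above are starting points to tune against a baseline of normal resolver traffic, since CDNs and some security products also generate long or random-looking labels.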