Abnormally Large DNS Response

Last updated a year ago on 2024-05-21

Created 5 years ago on 2020-07-16

About

Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.

Tags

Use Case: Threat DetectionTactic: Lateral MovementUse Case: VulnerabilityLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Exploitation of Remote Services (T1210)(opens in a new tab or window)

False Positive Examples

Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: packetbeat-*filebeat-*logs-network_traffic.*
Related Integrations: network_traffic(opens in a new tab or window)
Query

(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000

Install detection rules in Elastic Security

Detect Abnormally Large DNS Response in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).