npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Investigating suspected DNS tunneling used for C2 communication or data exfiltration
- Analyzing DNS query logs for signs of encoded payloads in subdomain strings
- Classifying domains as DGA-generated vs. legitimate using statistical or ML methods
- Detecting DNS beaconing patterns (regular intervals, consistent query sizes)
- Hunting for Iodine, dnscat2, dns2tcp, Cobalt Strike DNS, or Sliver DNS traffic
- Monitoring TXT record abuse for command delivery or staged payload download
- Building DNS anomaly detection rules for SOC/SIEM deployment
Do not use for general DNS performance monitoring or DNS configuration auditing; use DNS health monitoring tools for those. For HTTP/HTTPS-based C2 detection, use network traffic analysis skills focused on web protocols.
DISCLAIMER: DNS tunneling tools referenced in this skill (Iodine, dnscat2, dns2tcp) are dual-use. They have legitimate uses (bypassing captive portals, security research) and malicious uses (C2 channels, exfiltration). Only deploy detection in networks you are authorized to monitor. Testing tunneling tools requires explicit authorization.
Prerequisites
- DNS query logs from recursive resolver, Zeek/Bro, Suricata, or passive DNS tap
- Python 3.9+ with
numpy,scikit-learn,pandas,tldextract, anddnspython - Zeek (formerly Bro) with dns.log output or Suricata with DNS EVE JSON logging
- SIEM access (Splunk, Elastic, Microsoft Sentinel) for log correlation
- Passive DNS database access (CIRCL pDNS, Farsight DNSDB, or internal) for enrichment
- Wireshark/tshark for packet-level DNS inspection
- Known-good domain whitelist (Alexa/Tranco top 1M or Majestic Million)
Workflow
Step 1: Collect and Parse DNS Query Logs
Ingest DNS traffic from network sensors and parse into analyzable format:
# Zeek - extract dns.log fields
# Default Zeek dns.log columns:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query
# qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z
# answers TTLs rejected
# Filter for potentially suspicious record types
cat dns.log | zeek-cut ts id.orig_h query qtype_name answers rcode_name | \
grep -E "TXT|NULL|CNAME|MX" > suspicious_qtypes.log
# Extract unique queried domains
cat dns.log | zeek-cut query | sort -u > unique_domains.txt
# Suricata EVE JSON - extract DNS events
cat eve.json | jq -r 'select(.event_type=="dns") |
[.timestamp, .src_ip, .dns.rrname, .dns.rrtype, .dns.rcode] |
@tsv' > dns_events.tsv
# tshark - extract DNS queries from pcap
tshark -r capture.pcap -T fields \
-e frame.time -e ip.src -e ip.dst \
-e dns.qry.name -e dns.qry.type \
-e dns.resp.type -e dns.txt \
-Y "dns" > dns_queries.tsv
# Count queries per domain (find high-volume destinations)
cat dns.log | zeek-cut query | \
awk -F. '{print $(NF-1)"."$NF}' | \
sort | uniq -c | sort -rn | head -50Step 2: Shannon Entropy Analysis of DNS Queries
Calculate entropy of subdomain strings to identify encoded/encrypted data:
#!/usr/bin/env python3
"""Shannon entropy analysis for DNS query subdomains."""
import math
import csv
import sys
from collections import Counter
try:
import tldextract
HAS_TLDEXTRACT = True
except ImportError:
HAS_TLDEXTRACT = False
def shannon_entropy(data):
"""Calculate Shannon entropy of a string (bits per character)."""
if not data:
return 0.0
counter = Counter(data)
length = len(data)
entropy = -sum(
(count / length) * math.log2(count / length)
for count in counter.values()
)
return entropy
def extract_subdomain(fqdn):
"""Extract the subdomain portion from a fully qualified domain name."""
if HAS_TLDEXTRACT:
ext = tldextract.extract(fqdn)
if ext.subdomain:
return ext.subdomain, f"{ext.domain}.{ext.suffix}"
return "", f"{ext.domain}.{ext.suffix}"
else:
# Fallback: assume last two labels are domain + TLD
parts = fqdn.rstrip(".").split(".")
if len(parts) > 2:
return ".".join(parts[:-2]), ".".join(parts[-2:])
return "", fqdn
def analyze_dns_entropy(queries, entropy_threshold=3.5, length_threshold=30):
"""
Analyze DNS queries for tunneling indicators using entropy.
Thresholds (tunable per environment):
- entropy_threshold: Shannon entropy above this flags as suspicious (3.5-4.0 typical)
- length_threshold: Subdomain length above this flags as suspicious (30-50 chars)
Returns list of flagged queries with scores.
"""
results = []
for query_record in queries:
fqdn = query_record.get("query", "").lower().rstrip(".")
if not fqdn:
continue
subdomain, base_domain = extract_subdomain(fqdn)
if not subdomain:
continue
# Remove dots from subdomain for entropy calculation
subdomain_flat = subdomain.replace(".", "")
if not subdomain_flat:
continue
entropy = shannon_entropy(subdomain_flat)
length = len(subdomain_flat)
label_count = subdomain.count(".") + 1
# Scoring: higher = more suspicious
score = 0.0
flags = []
if entropy > entropy_threshold:
score += (entropy - entropy_threshold) * 25
flags.append(f"high_entropy:{entropy:.2f}")
if length > length_threshold:
score += (length - length_threshold) * 0.5
flags.append(f"long_subdomain:{length}")
if label_count > 4:
score += label_count * 2
flags.append(f"many_labels:{label_count}")
# Check for hex/base32/base64 encoding patterns
hex_ratio = sum(1 for c in subdomain_flat if c in "0123456789abcdef") / max(len(subdomain_flat), 1)
if hex_ratio > 0.85 and length > 20:
score += 20
flags.append("hex_encoded")
b32_chars = set("abcdefghijklmnopqrstuvwxyz234567")
b32_ratio = sum(1 for c in subdomain_flat if c in b32_chars) / max(len(subdomain_flat), 1)
if b32_ratio > 0.95 and length > 20:
score += 15
flags.append("base32_encoded")
# Only report if at least one flag triggered
if flags:
results.append({
"fqdn": fqdn,
"subdomain": subdomain,
"base_domain": base_domain,
"entropy": round(entropy, 4),
"subdomain_length": length,
"label_count": label_count,
"score": round(score, 2),
"flags": flags,
"src_ip": query_record.get("src_ip", ""),
"timestamp": query_record.get("timestamp", ""),
"qtype": query_record.get("qtype", ""),
})
# Sort by score descending
results.sort(key=lambda x: x["score"], reverse=True)
return results
# Thresholds for known tunneling tools
TOOL_SIGNATURES = {
"iodine": {
"subdomain_pattern": r"^[a-z0-9]{50,}$", # Long hex-like subdomains
"common_qtypes": ["NULL", "TXT", "CNAME", "MX", "A"],
"typical_entropy": (3.8, 4.2),
"description": "Iodine DNS tunnel - IPv4 over DNS, uses NULL/TXT records",
},
"dnscat2": {
"subdomain_pattern": r"^dnscat\.|^[a-f0-9]{16,}",
"common_qtypes": ["TXT", "CNAME", "MX", "A"],
"typical_entropy": (3.5, 4.5),
"description": "dnscat2 encrypted C2 channel over DNS",
},
"dns2tcp": {
"subdomain_pattern": r"^[a-z2-7]{20,}", # Base32 encoding
"common_qtypes": ["TXT", "KEY"],
"typical_entropy": (3.6, 4.0),
"description": "dns2tcp tunnel - TCP over DNS using TXT/KEY records",
},
"cobalt_strike_dns": {
"subdomain_pattern": r"^[a-f0-9]{12,}\.",
"common_qtypes": ["A", "AAAA", "TXT"],
"typical_entropy": (3.2, 4.0),
"description": "Cobalt Strike DNS beacon - encoded commands in A/TXT records",
},
}
def print_entropy_report(results, top_n=25):
"""Print formatted entropy analysis report."""
print("=" * 80)
print(" DNS ENTROPY ANALYSIS - TUNNELING DETECTION")
print("=" * 80)
print(f" Suspicious queries found: {len(results)}")
print()
if not results:
print(" No suspicious queries detected.")
return
# Group by base domain
domain_groups = {}
for r in results:
bd = r["base_domain"]
if bd not in domain_groups:
domain_groups[bd] = {"count": 0, "max_entropy": 0, "max_score": 0, "queries": []}
domain_groups[bd]["count"] += 1
domain_groups[bd]["max_entropy"] = max(domain_groups[bd]["max_entropy"], r["entropy"])
domain_groups[bd]["max_score"] = max(domain_groups[bd]["max_score"], r["score"])
domain_groups[bd]["queries"].append(r)
# Sort domains by total suspicious query count
sorted_domains = sorted(domain_groups.items(), key=lambda x: x[1]["count"], reverse=True)
print(" TOP SUSPICIOUS BASE DOMAINS")
print(" " + "-" * 76)
print(f" {'Domain':<35} {'Queries':>8} {'Max Ent':>8} {'Max Score':>10}")
print(" " + "-" * 76)
for domain, data in sorted_domains[:20]:
print(f" {domain:<35} {data['count']:>8} {data['max_entropy']:>8.3f} {data['max_score']:>10.1f}")
print()
print(f" TOP {top_n} HIGHEST-SCORING QUERIES")
print(" " + "-" * 76)
for r in results[:top_n]:
print(f" Score: {r['score']:.1f} Entropy: {r['entropy']:.3f} Len: {r['subdomain_length']}")
print(f" FQDN: {r['fqdn'][:75]}")
print(f" Flags: {', '.join(r['flags'])}")
print(f" Source: {r['src_ip']} Type: {r['qtype']}")
print()Step 3: TXT Record Payload Detection
Identify C2 commands or staged payloads delivered via DNS TXT records:
#!/usr/bin/env python3
"""DNS TXT record payload detection for C2 command delivery."""
import base64
import re
import math
from collections import Counter
def shannon_entropy(data):
"""Calculate Shannon entropy."""
if not data:
return 0.0
counter = Counter(data)
length = len(data)
return -sum((c / length) * math.log2(c / length) for c in counter.values())
def analyze_txt_record(txt_data, domain=""):
"""
Analyze a DNS TXT record response for C2 payload indicators.
Indicators:
- High entropy content (encoded/encrypted payloads)
- Base64-encoded executable content
- PowerShell stager patterns
- Unusually large TXT records (>255 bytes per string, multiple strings)
- Known C2 framework patterns
"""
findings = {
"domain": domain,
"txt_length": len(txt_data),
"entropy": shannon_entropy(txt_data),
"suspicious": False,
"indicators": [],
"decoded_preview": None,
}
# Length check - legitimate TXT records are typically short (SPF, DKIM, verification)
if len(txt_data) > 500:
findings["indicators"].append({
"type": "oversized_txt",
"detail": f"TXT record length {len(txt_data)} exceeds normal threshold (500)",
"severity": "medium",
})
# High entropy - suggests encoded/encrypted payload
if findings["entropy"] > 4.5 and len(txt_data) > 100:
findings["indicators"].append({
"type": "high_entropy_payload",
"detail": f"Entropy {findings['entropy']:.3f} suggests encoded data",
"severity": "high",
})
# Base64 detection
b64_pattern = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')
if b64_pattern.match(txt_data.strip()):
findings["indicators"].append({
"type": "base64_encoded",
"detail": "Content matches base64 pattern",
"severity": "high",
})
try:
decoded = base64.b64decode(txt_data.strip())
preview = decoded[:200]
# Check for PE header (MZ)
if preview[:2] == b'MZ':
findings["indicators"].append({
"type": "pe_executable",
"detail": "Decoded base64 contains PE executable (MZ header)",
"severity": "critical",
})
# Check for ELF header
if preview[:4] == b'\x7fELF':
findings["indicators"].append({
"type": "elf_executable",
"detail": "Decoded base64 contains ELF executable",
"severity": "critical",
})
# Check for PowerShell patterns
decoded_str = decoded.decode("utf-8", errors="ignore")
ps_patterns = [
r"Invoke-Expression",
r"IEX\s*\(",
r"New-Object\s+System\.Net",
r"DownloadString",
r"FromBase64String",
r"Start-Process",
r"\-enc\s",
r"powershell\s.*\-e\s",
]
for pattern in ps_patterns:
if re.search(pattern, decoded_str, re.IGNORECASE):
findings["indicators"].append({
"type": "powershell_stager",
"detail": f"Decoded content contains PowerShell pattern: {pattern}",
"severity": "critical",
})
break
findings["decoded_preview"] = repr(preview[:100])
except Exception:
pass
# Known C2 TXT patterns
cobalt_pattern = re.compile(r'^[a-f0-9]{32,}$', re.IGNORECASE)
if cobalt_pattern.match(txt_data.strip()):
findings["indicators"].append({
"type": "hex_encoded_payload",
"detail": "Pure hex string in TXT record - possible Cobalt Strike beacon config",
"severity": "high",
})
# Multiple concatenated base64 blocks (common in staged delivery)
b64_blocks = re.findall(r'[A-Za-z0-9+/]{50,}={0,2}', txt_data)
if len(b64_blocks) > 3:
findings["indicators"].append({
"type": "multi_block_payload",
"detail": f"{len(b64_blocks)} base64 blocks found - possible staged payload",
"severity": "high",
})
# Check for known legitimate TXT patterns to reduce false positives
legitimate_patterns = [
r'^v=spf1\s', # SPF record
r'^v=DKIM1', # DKIM record
r'^v=DMARC1', # DMARC record
r'^google-site-verification=',
r'^MS=', # Microsoft domain verification
r'^docusign=',
r'^apple-domain-verification=',
r'^facebook-domain-verification=',
r'^_globalsign-domain-verification=',
]
for pattern in legitimate_patterns:
if re.match(pattern, txt_data, re.IGNORECASE):
findings["indicators"] = []
findings["legitimate"] = True
return findings
findings["suspicious"] = len(findings["indicators"]) > 0
return findings
def analyze_txt_records_bulk(records):
"""Analyze a batch of DNS TXT records."""
results = []
for record in records:
domain = record.get("domain", record.get("query", ""))
txt_data = record.get("txt", record.get("answer", ""))
if txt_data:
finding = analyze_txt_record(txt_data, domain)
if finding["suspicious"]:
results.append(finding)
results.sort(
key=lambda x: max((i.get("severity_score", 0) for i in x["indicators"]),
default=0),
reverse=True,
)
return resultsStep 4: DGA Domain Classification with Machine Learning
Train a classifier to distinguish DGA-generated domains from legitimate ones:
#!/usr/bin/env python3
"""
DGA domain classification using character-level feature extraction and ML.
Features extracted per domain:
- Shannon entropy of the domain string
- Domain length
- Digit ratio, consonant ratio, vowel ratio
- Longest consecutive consonant sequence
- N-gram frequency deviation from English
- Number of distinct characters
- Presence of dictionary words
"""
import math
import re
import string
from collections import Counter
import numpy as np
try:
from sklearn.ensemble import RandomForestClassifier, GradientBoostingClassifier
from sklearn.model_selection import train_test_split, cross_val_score
from sklearn.metrics import classification_report, confusion_matrix
from sklearn.preprocessing import StandardScaler
HAS_SKLEARN = True
except ImportError:
HAS_SKLEARN = False
# English language character bigram frequencies (normalized, top bigrams)
# Source: Peter Norvig's English letter frequency analysis
ENGLISH_BIGRAMS = {
"th": 0.0356, "he": 0.0307, "in": 0.0243, "er": 0.0205,
"an": 0.0199, "re": 0.0185, "on": 0.0176, "at": 0.0149,
"en": 0.0145, "nd": 0.0135, "ti": 0.0134, "es": 0.0134,
"or": 0.0128, "te": 0.0120, "of": 0.0117, "ed": 0.0117,
"is": 0.0113, "it": 0.0112, "al": 0.0109, "ar": 0.0107,
"st": 0.0105, "to": 0.0104, "nt": 0.0104, "ng": 0.0095,
"se": 0.0093, "ha": 0.0093, "as": 0.0087, "ou": 0.0087,
"io": 0.0083, "le": 0.0083, "ve": 0.0083, "co": 0.0079,
"me": 0.0079, "de": 0.0076, "hi": 0.0076, "ri": 0.0073,
"ro": 0.0073, "ic": 0.0070, "ne": 0.0069, "ea": 0.0069,
}
VOWELS = set("aeiou")
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")
def extract_domain_features(domain):
"""Extract numerical features from a domain name for ML classification."""
domain = domain.lower().strip(".")
# Remove TLD for analysis (focus on SLD + subdomain)
parts = domain.split(".")
if len(parts) > 1:
analysis_str = ".".join(parts[:-1]) # Drop TLD
else:
analysis_str = domain
# Remove dots for character analysis
flat = analysis_str.replace(".", "")
length = len(flat)
if length == 0:
return None
# 1. Shannon entropy
entropy = 0.0
counter = Counter(flat)
for count in counter.values():
p = count / length
entropy -= p * math.log2(p)
# 2. Character ratios
digit_count = sum(1 for c in flat if c.isdigit())
vowel_count = sum(1 for c in flat if c in VOWELS)
consonant_count = sum(1 for c in flat if c in CONSONANTS)
special_count = sum(1 for c in flat if c == '-')
digit_ratio = digit_count / length
vowel_ratio = vowel_count / length
consonant_ratio = consonant_count / length
# 3. Longest consecutive consonant run
max_consonant_run = 0
current_run = 0
for c in flat:
if c in CONSONANTS:
current_run += 1
max_consonant_run = max(max_consonant_run, current_run)
else:
current_run = 0
# 4. Distinct character count and ratio
distinct_chars = len(set(flat))
distinct_ratio = distinct_chars / length
# 5. Bigram frequency deviation from English
bigrams = [flat[i:i+2] for i in range(len(flat) - 1)]
if bigrams:
english_score = sum(
ENGLISH_BIGRAMS.get(bg, 0) for bg in bigrams
) / len(bigrams)
else:
english_score = 0
# 6. Number of labels (dots + 1)
label_count = len(parts)
# 7. Hex character ratio (common in DGA)
hex_chars = set("0123456789abcdef")
hex_ratio = sum(1 for c in flat if c in hex_chars) / length
# 8. Digit-letter transitions (DGA domains mix digits and letters)
transitions = 0
for i in range(1, len(flat)):
if (flat[i].isdigit() != flat[i-1].isdigit()):
transitions += 1
transition_ratio = transitions / max(length - 1, 1)
# 9. Repeated character ratio
if length > 1:
repeats = sum(1 for i in range(1, len(flat)) if flat[i] == flat[i-1])
repeat_ratio = repeats / (length - 1)
else:
repeat_ratio = 0
return {
"domain": domain,
"length": length,
"entropy": round(entropy, 4),
"digit_ratio": round(digit_ratio, 4),
"vowel_ratio": round(vowel_ratio, 4),
"consonant_ratio": round(consonant_ratio, 4),
"max_consonant_run": max_consonant_run,
"distinct_chars": distinct_chars,
"distinct_ratio": round(distinct_ratio, 4),
"english_bigram_score": round(english_score, 6),
"label_count": label_count,
"hex_ratio": round(hex_ratio, 4),
"transition_ratio": round(transition_ratio, 4),
"repeat_ratio": round(repeat_ratio, 4),
"special_count": special_count,
}
FEATURE_COLUMNS = [
"length", "entropy", "digit_ratio", "vowel_ratio", "consonant_ratio",
"max_consonant_run", "distinct_chars", "distinct_ratio",
"english_bigram_score", "label_count", "hex_ratio",
"transition_ratio", "repeat_ratio", "special_count",
]
def features_to_vector(features):
"""Convert feature dict to numpy array."""
return np.array([features[col] for col in FEATURE_COLUMNS])
def train_dga_classifier(legitimate_domains, dga_domains, model_type="random_forest"):
"""
Train a DGA classifier on labeled domain lists.
Args:
legitimate_domains: list of known-good domain strings
dga_domains: list of known DGA domain strings
model_type: 'random_forest' or 'gradient_boosting'
Returns:
trained model, scaler, and evaluation metrics
"""
if not HAS_SKLEARN:
print("[ERROR] scikit-learn required: pip install scikit-learn")
return None, None, None
# Extract features
X_legit = []
X_dga = []
for d in legitimate_domains:
feats = extract_domain_features(d)
if feats:
X_legit.append(features_to_vector(feats))
for d in dga_domains:
feats = extract_domain_features(d)
if feats:
X_dga.append(features_to_vector(feats))
if not X_legit or not X_dga:
print("[ERROR] Insufficient feature data")
return None, None, None
X = np.vstack([np.array(X_legit), np.array(X_dga)])
y = np.array([0] * len(X_legit) + [1] * len(X_dga))
# Scale features
scaler = StandardScaler()
X_scaled = scaler.fit_transform(X)
# Train/test split
X_train, X_test, y_train, y_test = train_test_split(
X_scaled, y, test_size=0.2, random_state=42, stratify=y
)
# Train model
if model_type == "gradient_boosting":
model = GradientBoostingClassifier(
n_estimators=200, max_depth=6, learning_rate=0.1,
min_samples_split=10, random_state=42,
)
else:
model = RandomForestClassifier(
n_estimators=200, max_depth=15, min_samples_split=5,
random_state=42, n_jobs=-1,
)
model.fit(X_train, y_train)
# Evaluate
y_pred = model.predict(X_test)
report = classification_report(y_test, y_pred, target_names=["legitimate", "dga"],
output_dict=True)
cm = confusion_matrix(y_test, y_pred)
# Cross-validation
cv_scores = cross_val_score(model, X_scaled, y, cv=5, scoring="f1")
metrics = {
"accuracy": report["accuracy"],
"precision_dga": report["dga"]["precision"],
"recall_dga": report["dga"]["recall"],
"f1_dga": report["dga"]["f1-score"],
"precision_legit": report["legitimate"]["precision"],
"recall_legit": report["legitimate"]["recall"],
"confusion_matrix": cm.tolist(),
"cv_f1_mean": cv_scores.mean(),
"cv_f1_std": cv_scores.std(),
"feature_importance": dict(zip(
FEATURE_COLUMNS,
[round(float(x), 4) for x in model.feature_importances_]
)),
}
print(f"[+] Model trained: {model_type}")
print(f" Accuracy: {metrics['accuracy']:.4f}")
print(f" DGA F1: {metrics['f1_dga']:.4f}")
print(f" DGA Recall: {metrics['recall_dga']:.4f}")
print(f" CV F1 (5-fold): {metrics['cv_f1_mean']:.4f} +/- {metrics['cv_f1_std']:.4f}")
print(f" Top features: ", end="")
top_feats = sorted(metrics["feature_importance"].items(), key=lambda x: x[1], reverse=True)[:5]
print(", ".join(f"{k}={v:.3f}" for k, v in top_feats))
return model, scaler, metrics
def classify_domains(domains, model, scaler):
"""Classify a list of domains as legitimate or DGA using a trained model."""
results = []
for domain in domains:
feats = extract_domain_features(domain)
if feats is None:
continue
vec = features_to_vector(feats).reshape(1, -1)
vec_scaled = scaler.transform(vec)
prediction = model.predict(vec_scaled)[0]
probability = model.predict_proba(vec_scaled)[0]
results.append({
"domain": domain,
"prediction": "dga" if prediction == 1 else "legitimate",
"confidence": round(float(max(probability)), 4),
"dga_probability": round(float(probability[1]), 4),
"features": feats,
})
return resultsStep 5: DNS Beaconing Pattern Detection
Identify periodic DNS query patterns indicative of C2 check-ins:
#!/usr/bin/env python3
"""DNS beaconing detection - identifies periodic C2 check-in patterns."""
import math
from collections import defaultdict
from datetime import datetime, timedelta
import numpy as np
def parse_timestamp(ts_str):
"""Parse various timestamp formats to datetime."""
formats = [
"%Y-%m-%dT%H:%M:%S.%fZ",
"%Y-%m-%dT%H:%M:%S.%f",
"%Y-%m-%dT%H:%M:%S",
"%Y-%m-%d %H:%M:%S.%f",
"%Y-%m-%d %H:%M:%S",
]
for fmt in formats:
try:
return datetime.strptime(ts_str, fmt)
except ValueError:
continue
# Try epoch timestamp
try:
ts_float = float(ts_str)
return datetime.utcfromtimestamp(ts_float)
except (ValueError, OverflowError, OSError):
pass
return None
def detect_beaconing(dns_queries, min_queries=10, max_jitter_pct=25,
min_interval_sec=10, max_interval_sec=7200):
"""
Detect DNS beaconing by analyzing inter-query timing intervals.
Beaconing indicators:
- Regular inter-query intervals (low standard deviation)
- Consistent query sizes
- Single source IP to single domain over extended period
- Low jitter (variation in timing)
Args:
dns_queries: list of dicts with 'src_ip', 'query', 'timestamp'
min_queries: minimum queries to analyze (default 10)
max_jitter_pct: maximum coefficient of variation for beacon (default 25%)
min_interval_sec: minimum beacon interval to detect (default 10s)
max_interval_sec: maximum beacon interval to detect (default 7200s / 2hr)
Returns:
list of detected beacon patterns with confidence scores
"""
# Group queries by (source IP, base domain)
groups = defaultdict(list)
for q in dns_queries:
src_ip = q.get("src_ip", "")
fqdn = q.get("query", "").lower().rstrip(".")
ts_str = q.get("timestamp", "")
ts = parse_timestamp(ts_str)
if not ts or not src_ip or not fqdn:
continue
# Extract base domain (last 2 labels)
parts = fqdn.split(".")
if len(parts) >= 2:
base_domain = ".".join(parts[-2:])
else:
base_domain = fqdn
groups[(src_ip, base_domain)].append(ts)
beacons = []
for (src_ip, base_domain), timestamps in groups.items():
if len(timestamps) < min_queries:
continue
# Sort timestamps and compute intervals
timestamps.sort()
intervals = [
(timestamps[i+1] - timestamps[i]).total_seconds()
for i in range(len(timestamps) - 1)
]
if not intervals:
continue
intervals = np.array(intervals)
# Filter out zero intervals (duplicate timestamps)
intervals = intervals[intervals > 0]
if len(intervals) < min_queries - 1:
continue
mean_interval = np.mean(intervals)
std_interval = np.std(intervals)
median_interval = np.median(intervals)
# Skip if interval is outside detection range
if mean_interval < min_interval_sec or mean_interval > max_interval_sec:
continue
# Coefficient of variation (jitter)
cv = (std_interval / mean_interval * 100) if mean_interval > 0 else 100
# Time span of activity
time_span = (timestamps[-1] - timestamps[0]).total_seconds()
hours_active = time_span / 3600
# Beacon scoring
score = 0.0
flags = []
# Low jitter = strong beacon indicator
if cv < 5:
score += 40
flags.append(f"very_low_jitter:CV={cv:.1f}%")
elif cv < 15:
score += 30
flags.append(f"low_jitter:CV={cv:.1f}%")
elif cv < max_jitter_pct:
score += 15
flags.append(f"moderate_jitter:CV={cv:.1f}%")
else:
continue # Too much jitter, not a beacon
# Long duration increases confidence
if hours_active > 24:
score += 20
flags.append(f"persistent:{hours_active:.1f}h")
elif hours_active > 4:
score += 10
flags.append(f"sustained:{hours_active:.1f}h")
# High query count increases confidence
if len(timestamps) > 100:
score += 15
flags.append(f"high_volume:{len(timestamps)}")
elif len(timestamps) > 50:
score += 10
flags.append(f"moderate_volume:{len(timestamps)}")
# Common C2 intervals (60s, 120s, 300s, 600s, 900s, 1800s, 3600s)
common_intervals = [60, 120, 300, 600, 900, 1800, 3600]
for ci in common_intervals:
if abs(mean_interval - ci) < ci * 0.1: # Within 10% of common interval
score += 10
flags.append(f"common_c2_interval:~{ci}s")
break
beacons.append({
"src_ip": src_ip,
"base_domain": base_domain,
"query_count": len(timestamps),
"mean_interval_sec": round(mean_interval, 2),
"median_interval_sec": round(median_interval, 2),
"std_interval_sec": round(std_interval, 2),
"jitter_cv_pct": round(cv, 2),
"first_seen": timestamps[0].isoformat(),
"last_seen": timestamps[-1].isoformat(),
"duration_hours": round(hours_active, 2),
"score": round(score, 1),
"flags": flags,
})
beacons.sort(key=lambda x: x["score"], reverse=True)
return beacons
def print_beacon_report(beacons, top_n=20):
"""Print formatted beacon detection report."""
print("=" * 80)
print(" DNS BEACONING DETECTION REPORT")
print("=" * 80)
print(f" Beacon patterns detected: {len(beacons)}")
print()
if not beacons:
print(" No beaconing patterns detected.")
return
print(f" TOP {min(top_n, len(beacons))} BEACON CANDIDATES")
print(" " + "-" * 76)
for b in beacons[:top_n]:
print(f" Score: {b['score']:.1f} | {b['src_ip']} -> {b['base_domain']}")
print(f" Queries: {b['query_count']} "
f"Interval: {b['mean_interval_sec']:.1f}s +/- {b['std_interval_sec']:.1f}s "
f"Jitter: {b['jitter_cv_pct']:.1f}%")
print(f" Active: {b['duration_hours']:.1f}h "
f"({b['first_seen']} to {b['last_seen']})")
print(f" Flags: {', '.join(b['flags'])}")
print()Step 6: Integrated DNS C2 Detection Pipeline
Combine all detection methods into a unified analysis:
DNS C2 Detection Pipeline Architecture:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┌────────────────────────────────────────────────────────┐
│ DATA SOURCES │
│ Zeek dns.log | Suricata EVE | Recursive Resolver │
│ Passive DNS | PCAP capture | EDR DNS telemetry │
└───────────────────────┬────────────────────────────────┘
│
┌───────────────────────▼────────────────────────────────┐
│ PREPROCESSING │
│ Parse timestamps | Extract subdomains | Normalize │
│ FQDN | Resolve base domain | Lookup in whitelist │
└───────────────────────┬────────────────────────────────┘
│
┌───────────────┼───────────────┐
│ │ │
┌───────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐
│ ENTROPY │ │ BEACONING │ │ DGA │
│ ANALYSIS │ │ DETECTION │ │ CLASSIFIER │
│ │ │ │ │ │
│ Shannon ent. │ │ Interval │ │ ML model │
│ Subdomain │ │ analysis │ │ Random │
│ length │ │ Jitter/CV │ │ Forest or │
│ Encoding │ │ Duration │ │ Gradient │
│ patterns │ │ Periodicity │ │ Boosting │
└───────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
┌───────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐
│ TXT RECORD │ │ TOOL │ │ PASSIVE │
│ PAYLOAD │ │ SIGNATURE │ │ DNS │
│ ANALYSIS │ │ MATCHING │ │ ENRICHMENT │
│ │ │ │ │ │
│ Base64 decode│ │ Iodine │ │ First seen │
│ PE/ELF detect│ │ dnscat2 │ │ Registrar │
│ PS stager │ │ dns2tcp │ │ Age check │
│ Size anomaly │ │ Cobalt DNS │ │ Reputation │
└───────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
┌───────▼───────────────▼───────────────▼────────────────┐
│ CORRELATION ENGINE │
│ Combine scores from all detectors │
│ Weighted scoring: entropy(30%) + beacon(25%) + │
│ DGA(20%) + TXT payload(15%) + signature(10%) │
│ Threshold: score > 60 = alert, > 40 = investigate │
└───────────────────────┬────────────────────────────────┘
│
┌───────────────────────▼────────────────────────────────┐
│ ALERTING & RESPONSE │
│ Generate SIEM alert with all evidence │
│ Block domain in DNS firewall / RPZ │
│ Isolate endpoint via EDR │
│ Create incident ticket with IOCs │
└────────────────────────────────────────────────────────┘Step 7: SIEM Detection Rules
Deploy detection queries in your SIEM platform:
Splunk SPL - DNS Tunneling Detection:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-- High entropy subdomain queries
index=dns sourcetype="bro:dns:json" OR sourcetype="suricata:dns"
| eval subdomain=mvindex(split(query,"."),0)
| eval sub_len=len(subdomain)
| where sub_len > 30
| eval char_counts=mvmap(split(subdomain,""),1)
| lookup dns_entropy_lookup subdomain OUTPUT entropy
| where entropy > 3.5
| stats count as query_count dc(query) as unique_queries
avg(sub_len) as avg_sub_len values(query) as sample_queries
by src_ip, domain
| where query_count > 20
| sort -query_count
-- DNS TXT record abuse
index=dns (qtype="TXT" OR qtype_name="TXT")
NOT (query="*._domainkey.*" OR query="*._dmarc.*" OR query="*._spf.*")
| stats count as txt_queries dc(query) as unique_txt_queries
values(query) as domains
by src_ip
| where txt_queries > 50
| sort -txt_queries
-- DNS beaconing (regular interval queries)
index=dns sourcetype="bro:dns:json"
| bin _time span=60s
| stats count by src_ip, query, _time
| streamstats window=10 current=t avg(count) as avg_count stdev(count) as std_count by src_ip, query
| eval cv = if(avg_count>0, (std_count/avg_count)*100, 100)
| where cv < 20 AND avg_count > 0
| stats count as beacon_windows avg(cv) as avg_jitter
min(_time) as first_seen max(_time) as last_seen
by src_ip, query
| where beacon_windows > 10
| sort -beacon_windows
-- Unusual record type volume (NULL, KEY, SRV for tunneling)
index=dns (qtype_name="NULL" OR qtype_name="KEY" OR qtype_name="SRV"
OR qtype_name="CNAME" OR qtype_name="MX")
NOT qtype_name="A" NOT qtype_name="AAAA" NOT qtype_name="PTR"
| stats count by src_ip, qtype_name, query
| where count > 10
| sort -countElastic KQL - DNS C2 Detection:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-- Long subdomain queries (potential tunneling)
dns.question.name: * and not dns.question.name: *.in-addr.arpa
| where length(dns.question.subdomain) > 40
-- High volume DNS to single domain
event.dataset: "zeek.dns" or event.dataset: "suricata.dns"
| stats count by source.ip, dns.question.registered_domain
| where count > 500
-- TXT record queries to non-standard domains
dns.question.type: "TXT"
and not dns.question.name: (*._domainkey.* or *._dmarc.* or *._spf.*)Zeek Script - DNS Tunneling Indicator:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# dns_tunnel_detect.zeek
@load base/protocols/dns
module DNSTunnel;
export {
redef enum Notice::Type += {
DNS_Tunneling_Suspected,
DNS_High_Entropy_Query,
DNS_Excessive_TXT_Queries,
};
const entropy_threshold = 3.5 &redef;
const subdomain_length_threshold = 40 &redef;
const txt_query_threshold = 50 &redef;
const tracking_interval = 5min &redef;
}
global txt_query_tracker: table[addr] of count &create_expire=5min &default=0;
global domain_query_tracker: table[addr, string] of count &create_expire=10min &default=0;
function shannon_entropy(s: string): double
{
local counts: table[string] of count;
local total = |s|;
if (total == 0) return 0.0;
for (i in s)
{
local c = s[i];
if (c !in counts) counts[c] = 0;
++counts[c];
}
local ent = 0.0;
for (ch, cnt in counts)
{
local p = cnt * 1.0 / total;
ent -= p * log2(p);
}
return ent;
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
qclass: count)
{
if (|query| == 0) return;
# Track TXT queries
if (qtype == 16) # TXT
{
++txt_query_tracker[c$id$orig_h];
if (txt_query_tracker[c$id$orig_h] == txt_query_threshold)
{
NOTICE([
$note=DNS_Excessive_TXT_Queries,
$conn=c,
$msg=fmt("Host %s made %d TXT queries in tracking window",
c$id$orig_h, txt_query_threshold),
$identifier=cat(c$id$orig_h),
]);
}
}
# Extract subdomain and check entropy
local parts = split_string(query, /\./);
if (|parts| < 3) return;
# Subdomain = everything except last two labels
local subdomain = "";
local i = 0;
for (idx in parts)
{
if (i < |parts| - 2)
subdomain += parts[idx];
++i;
}
if (|subdomain| > subdomain_length_threshold)
{
local ent = shannon_entropy(subdomain);
if (ent > entropy_threshold)
{
NOTICE([
$note=DNS_High_Entropy_Query,
$conn=c,
$msg=fmt("High entropy DNS query: entropy=%.2f len=%d query=%s",
ent, |subdomain|, query),
$identifier=cat(c$id$orig_h, query),
]);
}
}
}Step 8: Suricata Rules for Known DNS C2 Tools
# suricata-dns-c2.rules
# DNS Tunneling and C2 Detection Rules
# Iodine DNS tunnel detection
alert dns any any -> any any (msg:"ET TROJAN Iodine DNS Tunnel Activity - NULL Query"; \
dns.query; content:"."; pcre:"/^[a-z0-9]{50,}\.[a-z0-9.-]+$/i"; \
dns_query; content:"|00 0a|"; \
classtype:trojan-activity; sid:2030001; rev:1;)
# dnscat2 DNS tunnel detection
alert dns any any -> any any (msg:"ET TROJAN dnscat2 DNS Tunnel - Handshake"; \
dns.query; content:"dnscat."; nocase; fast_pattern; \
classtype:trojan-activity; sid:2030002; rev:1;)
alert dns any any -> any any (msg:"ET TROJAN dnscat2 DNS Tunnel - Data Channel"; \
dns.query; pcre:"/^[a-f0-9]{16,}\./i"; \
dns_query; content:"|00 10|"; \
classtype:trojan-activity; sid:2030003; rev:1;)
# Cobalt Strike DNS beacon
alert dns any any -> any any (msg:"ET TROJAN Cobalt Strike DNS Beacon - A Record"; \
dns.query; pcre:"/^[a-f0-9]{12,}\.[a-z0-9.-]+$/i"; \
threshold:type both, track by_src, count 20, seconds 60; \
classtype:trojan-activity; sid:2030004; rev:1;)
# Generic DNS tunneling - high volume TXT queries to single domain
alert dns any any -> any any (msg:"ET POLICY Excessive TXT DNS Queries - Possible Tunneling"; \
dns_query; content:"|00 10|"; \
threshold:type threshold, track by_src, count 50, seconds 300; \
classtype:policy-violation; sid:2030005; rev:1;)
# Long subdomain query (generic tunneling indicator)
alert dns any any -> any any (msg:"ET POLICY Unusually Long DNS Subdomain - Possible Tunneling"; \
dns.query; pcre:"/^[a-z0-9-]{52,}\./i"; \
threshold:type limit, track by_src, count 1, seconds 60; \
classtype:policy-violation; sid:2030006; rev:1;)
# DNS query for known C2 TXT payload staging
alert dns any any -> any any (msg:"ET TROJAN DNS TXT Record Staged Payload Request"; \
dns_query; content:"|00 10|"; \
dns.query; pcre:"/^(stage|payload|cmd|exec|download|update|config)\d*\./i"; \
classtype:trojan-activity; sid:2030007; rev:1;)Key Concepts
| Term | Definition |
|---|---|
| DNS Tunneling | Technique of encoding data within DNS queries and responses to create a covert communication channel, bypassing firewalls that allow DNS traffic |
| Shannon Entropy | Information theory metric measuring randomness in a string; legitimate domains typically have entropy below 3.5, while encoded tunnel data exceeds 3.8-4.5 |
| Domain Generation Algorithm (DGA) | Malware technique that algorithmically generates thousands of pseudo-random domain names for C2 rendezvous, making domain-based blocking impractical |
| DNS Beaconing | Regular, periodic DNS queries from a compromised host to a C2 domain, identifiable by consistent inter-query intervals and low timing jitter |
| TXT Record Abuse | Using DNS TXT records to deliver encoded C2 commands or staged payloads, exploiting the large payload capacity (up to 65535 bytes across multiple strings) |
| Iodine | Open-source DNS tunneling tool that tunnels IPv4 traffic through DNS using NULL, TXT, or CNAME records, commonly used to bypass captive portals |
| dnscat2 | Encrypted C2 tool that creates a command channel over DNS, supporting file transfer, port forwarding, and shell access through DNS queries |
| Cobalt Strike DNS Beacon | Commercial C2 framework's DNS communication mode that uses A, AAAA, and TXT records to receive tasks and return results via DNS resolution |
| Passive DNS (pDNS) | Database of historical DNS resolution data collected by monitoring DNS traffic; used to identify infrastructure reuse and domain history |
| Response Policy Zone (RPZ) | DNS firewall mechanism that allows real-time blocking of malicious domains by injecting override responses at the recursive resolver level |
| Coefficient of Variation | Standard deviation divided by mean, expressed as percentage; used to measure beacon jitter -- lower CV indicates more regular (suspicious) timing |
| NXDOMAIN | DNS response code indicating the queried domain does not exist; high NXDOMAIN rates from a host suggest DGA activity where most generated domains are unregistered |
Tools & Systems
- Zeek (Bro): Network security monitor that produces structured dns.log with query/response details for offline analysis
- Suricata: IDS/IPS with DNS protocol parsing and signature-based detection of tunneling patterns
- tshark/Wireshark: Packet capture and analysis tools for deep DNS protocol inspection
- tldextract: Python library for accurate domain/subdomain extraction using the Public Suffix List
- dnspython: Python DNS toolkit for programmatic query resolution and record parsing
- scikit-learn: ML library used to train DGA classifiers (Random Forest, Gradient Boosting)
- Farsight DNSDB / CIRCL pDNS: Passive DNS databases for historical domain resolution lookups
- DNS Response Policy Zone (RPZ): Recursive resolver feature for real-time DNS blocking of identified C2 domains
- Splunk / Elastic: SIEM platforms for DNS log aggregation, entropy calculation, and beacon detection queries
Common Scenarios
Scenario: Investigating Suspected DNS Tunneling from an Internal Host
Context: The SOC receives an alert from the DNS firewall showing a single internal host (10.1.5.42) making 15,000+ DNS queries to the domain c8a3f1e2.tunnelsvc.example.com in the past hour. All queries are TXT type with long, random-looking subdomains. Normal DNS volume for this host is ~200 queries/hour.
Approach:
- Extract all DNS queries from 10.1.5.42 for the past 24 hours from Zeek dns.log
- Run entropy analysis on subdomain strings -- expect Shannon entropy > 4.0 for encoded tunnel data
- Check query timing intervals for beaconing pattern (likely sub-second for active tunnel)
- Examine TXT record responses for size anomalies (tunnel tools use maximum-size TXT responses)
- Compare subdomain patterns against known tool signatures (Iodine, dnscat2, dns2tcp)
- Query passive DNS for
tunnelsvc.example.comregistration date, nameserver, and historical resolutions - If confirmed, add domain to DNS RPZ blocklist and isolate endpoint via EDR
- Capture full packet trace for forensic analysis of tunnel payload content
Pitfalls:
- Blocking the domain before capturing evidence (need packet captures for forensics)
- Assuming all high-entropy DNS is malicious (CDN subdomains like Akamai can have high entropy)
- Not checking for multiple tunnel domains (attacker may have fallback C2 channels)
- Missing the initial compromise vector by focusing only on the DNS channel
- Not checking other hosts for similar patterns (lateral movement may have already occurred)
Scenario: Building a DGA Detection Model for SOC Deployment
Context: The threat intelligence team identified that a botnet family active in the industry uses DGA for C2 domain generation. The SOC needs an automated way to classify DNS queries as potentially DGA-generated and alert on matches.
Approach:
- Collect training data: Tranco/Alexa top 1M for legitimate domains, DGArchive or OSINT feeds for known DGA domains
- Extract character-level features: entropy, length, digit ratio, consonant sequences, bigram scores
- Train Random Forest and Gradient Boosting classifiers, evaluate with 5-fold cross-validation
- Deploy the model as a scoring enrichment in the SIEM (Splunk ML Toolkit or Elastic ML)
- Set threshold: DGA probability > 0.85 generates alert, > 0.65 generates investigation ticket
- Create a whitelist of known high-entropy legitimate domains (CDNs, cloud services) to reduce false positives
- Retrain monthly with new DGA samples from threat intel feeds
Pitfalls:
- Training only on one DGA family and missing others (dictionary-based DGAs like Suppobox have low entropy)
- Not whitelisting CDN and cloud service domains that have randomized subdomains
- Setting the threshold too low, overwhelming the SOC with false positives
- Not accounting for punycode/internationalized domain names in feature extraction
- Deploying without a feedback loop for analysts to flag false positives for model retraining
Output Format
DNS C2 DETECTION ANALYSIS REPORT
====================================
Analysis Period: 2026-03-15 00:00 to 2026-03-19 23:59
Data Source: Zeek dns.log (gateway sensor)
Total Queries: 14,283,501
Unique Domains: 892,041
Hosts Analyzed: 3,847
ENTROPY ANALYSIS
Queries with entropy > 3.5: 2,847 (0.02%)
Queries with subdomain > 40 chars: 1,203 (0.008%)
Suspicious base domains: 12
[CRITICAL] tunnelsvc.example[.]com
Queries: 15,247 Source: 10.1.5.42 Avg Entropy: 4.21
Avg Subdomain Length: 63 Record Types: TXT (98%), A (2%)
Tool Signature: dnscat2 (hex prefix pattern match)
[HIGH] update-cdn.malicious[.]net
Queries: 3,891 Source: 10.1.12.7 Avg Entropy: 3.87
Avg Subdomain Length: 48 Record Types: A (60%), TXT (40%)
Tool Signature: Cobalt Strike DNS beacon (interval pattern)
BEACONING DETECTION
Beacon patterns detected: 4
Score: 85.0 10.1.5.42 -> tunnelsvc.example[.]com
Interval: 0.5s +/- 0.1s Jitter: 8.2% Duration: 18.4h
Queries: 15,247 Flags: very_low_jitter, persistent, high_volume
Score: 72.0 10.1.12.7 -> update-cdn.malicious[.]net
Interval: 60.2s +/- 3.1s Jitter: 5.1% Duration: 72.1h
Queries: 3,891 Flags: very_low_jitter, persistent, common_c2_interval:~60s
DGA CLASSIFICATION
Domains classified: 892,041
DGA predictions (>0.85 conf): 47
DGA predictions (0.65-0.85): 183
[HIGH] a8f3k2m1x9.com (DGA prob: 0.97, entropy: 3.92)
[HIGH] j7t2p5q8w3.net (DGA prob: 0.95, entropy: 4.01)
[HIGH] m3x8k1f6y2.org (DGA prob: 0.94, entropy: 3.88)
TXT RECORD ANALYSIS
Suspicious TXT responses: 8
Base64 payloads detected: 3
PowerShell stager patterns: 1
[CRITICAL] cmd.staging[.]example.com
TXT Length: 4,096 Entropy: 5.82
Finding: Base64-encoded PowerShell stager with IEX pattern
RECOMMENDED ACTIONS
[CRITICAL] Block tunnelsvc.example[.]com and update-cdn.malicious[.]net in DNS RPZ
[CRITICAL] Isolate hosts 10.1.5.42 and 10.1.12.7 for forensic investigation
[HIGH] Block 47 high-confidence DGA domains in DNS firewall
[HIGH] Investigate cmd.staging[.]example.com TXT payload staging
[MEDIUM] Review 183 moderate-confidence DGA domains with threat intel
[MEDIUM] Deploy Suricata rules for dnscat2 and Cobalt Strike DNS signaturesReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md8.1 KB
DNS C2 Detection API Reference
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Application Layer Protocol: DNS | T1071.004 | C2 communication over DNS protocol |
| Exfiltration Over Alternative Protocol | T1048 | Data exfiltration via DNS tunneling |
| Dynamic Resolution: Domain Generation Algorithms | T1568.002 | DGA-based C2 infrastructure |
| Protocol Tunneling | T1572 | Tunneling arbitrary traffic through DNS |
| Encrypted Channel | T1573 | Encrypted C2 payloads in DNS records |
DNS Record Types Used in C2
| Record Type | Typical C2 Use | Max Data Per Query |
|---|---|---|
| A | Beacon check-in, small responses (IP-encoded) | 4 bytes (IPv4 address) |
| AAAA | Beacon check-in, slightly larger responses | 16 bytes (IPv6 address) |
| TXT | Command delivery, large payload transfer | ~255 bytes per string, multiple strings |
| CNAME | Data exfiltration in subdomain, response tunneling | ~253 bytes |
| MX | Data tunneling via preference + exchange fields | ~253 bytes |
| NULL | Iodine tunnel primary record type | ~65535 bytes |
| SRV | C2 with port/priority metadata | ~253 bytes |
Shannon Entropy Thresholds
| Entropy Range | Classification | Typical Source |
|---|---|---|
| 0.0 - 2.0 | Very low | Single-character or trivial labels |
| 2.0 - 3.0 | Normal | Common English-based domain labels |
| 3.0 - 3.5 | Elevated | Long or mixed-case labels, some CDNs |
| 3.5 - 4.0 | Suspicious | Hex-encoded data, base32 encoding, DGA |
| 4.0 - 4.5 | High | DNS tunneling (Iodine, dnscat2, dns2tcp) |
| 4.5+ | Very high | Encrypted or base64-encoded payloads |
Known Tunneling Tool Signatures
Iodine
- Encoding: Base32, Base64, Base128, Raw
- Record types: NULL (primary), TXT, CNAME, MX, A
- Subdomain pattern: Long alphanumeric strings (50+ chars)
- Entropy range: 3.8 - 4.2
- Detection: High query volume to single domain, NULL record type queries
dnscat2
- Encoding: Hex-encoded, encrypted
- Record types: TXT, CNAME, MX, A
- Subdomain pattern: Hex strings (16+ chars), optional
dnscat.prefix - Entropy range: 3.5 - 4.5
- Detection: Consistent query intervals, hex-only subdomain labels
dns2tcp
- Encoding: Base32
- Record types: TXT, KEY
- Subdomain pattern: Base32 strings (20+ chars)
- Entropy range: 3.6 - 4.0
- Detection: KEY record type usage, base32 character set
Cobalt Strike DNS Beacon
- Encoding: Hex-encoded metadata
- Record types: A, AAAA, TXT
- Subdomain pattern: Short hex strings (8-20 chars)
- Entropy range: 3.2 - 4.0
- Detection: Regular beacon intervals (default 60s), A-record check-ins followed by TXT downloads
Sliver DNS C2
- Encoding: Base32/custom
- Record types: A, TXT
- Subdomain pattern: Alphanumeric strings (30+ chars)
- Entropy range: 3.5 - 4.2
- Detection: High subdomain length variance, mixed record types
DGA Feature Extraction
| Feature | Description | DGA Indicator |
|---|---|---|
| Shannon entropy | Bits per character of domain label | > 3.5 |
| Label length | Character count of domain (excl. TLD) | > 15 unusual |
| Consonant ratio | Consonants / total alphabetic chars | > 0.7 |
| Digit ratio | Digits / total characters | > 0.3 |
| Vowel-consonant ratio | Vowels / consonants | < 0.3 |
| Bigram frequency score | Average English bigram match frequency | < 0.002 |
| Hex character ratio | Hex chars / total chars | > 0.8 |
| Max consecutive consonants | Longest consonant run | > 4 |
| Unique character ratio | Unique chars / total chars | < 0.4 |
| Has dictionary words | Whether label contains English words | No = DGA indicator |
Beaconing Detection Parameters
| Parameter | Typical Threshold | Description |
|---|---|---|
| Interval regularity | Jitter < 10% of mean interval | Low variance indicates automated beaconing |
| Min queries | > 50 queries to same domain | Sufficient data for statistical analysis |
| Time span | > 1 hour | Beacon must persist across time |
| Consistent query size | Std dev < 5 bytes | Tunnel payloads have consistent sizes |
| Night-time activity | Queries during 00:00-06:00 | Unusual for legitimate user browsing |
| Single source | 1-3 source IPs per domain | C2 typically from compromised host only |
Zeek DNS Log Fields
| Field | Type | Forensic Use |
|---|---|---|
| ts | time | Query timestamp |
| uid | string | Connection UID |
| id.orig_h | addr | Source IP (compromised host) |
| id.resp_h | addr | DNS resolver IP |
| query | string | Full queried domain name |
| qtype_name | string | Query type (A, TXT, NULL, CNAME) |
| rcode_name | string | Response code (NOERROR, NXDOMAIN) |
| answers | vector | Response records |
| TTLs | vector | TTL values for answers |
| rejected | bool | Whether query was rejected |
Suricata EVE DNS Fields
| Field | Type | Forensic Use |
|---|---|---|
| timestamp | string | Event timestamp (ISO 8601) |
| src_ip | string | Source IP |
| dest_ip | string | Destination IP (resolver) |
| dns.type | string | "query" or "answer" |
| dns.rrname | string | Queried domain name |
| dns.rrtype | string | Record type |
| dns.rcode | string | Response code |
| dns.answers | array | Response answer records |
| dns.tx_id | int | Transaction ID |
Suricata Rules for DNS C2
# Detect high-entropy DNS queries (potential tunneling)
alert dns any any -> any any (msg:"ET DNS Potential DNS Tunneling - High Entropy Query"; dns.query; pcre:"/^[a-z0-9]{30,}\./i"; threshold:type threshold, track by_src, count 10, seconds 60; sid:9000001; rev:1;)
# Detect TXT record queries to unusual domains
alert dns any any -> any any (msg:"ET DNS Suspicious TXT Record Query Volume"; dns.query; dns_query; content:"|00 10|"; threshold:type threshold, track by_src, count 20, seconds 60; sid:9000002; rev:1;)
# Detect NULL record queries (Iodine indicator)
alert dns any any -> any any (msg:"ET DNS NULL Record Query - Possible Iodine Tunnel"; dns.query; content:"|00 0a|"; threshold:type threshold, track by_src, count 5, seconds 60; sid:9000003; rev:1;)Splunk SPL Queries
# High-entropy DNS subdomain detection
index=dns sourcetype=zeek_dns
| eval subdomain=mvindex(split(query,"."),0)
| eval sub_len=len(subdomain)
| where sub_len > 20
| eval entropy=0
| stats count dc(query) as unique_queries avg(sub_len) as avg_len by src_ip query_type
| where count > 50 AND avg_len > 25
# DNS beaconing detection via standard deviation
index=dns sourcetype=zeek_dns
| sort 0 _time
| streamstats current=f last(_time) as prev_time by src_ip query
| eval interval=_time - prev_time
| stats count avg(interval) as avg_interval stdev(interval) as stdev_interval by src_ip query
| where count > 50 AND stdev_interval < (avg_interval * 0.1)
| table src_ip query count avg_interval stdev_intervalPython API - Key Functions
# Shannon entropy calculation
import math
from collections import Counter
def shannon_entropy(data):
counter = Counter(data)
length = len(data)
return -sum((c / length) * math.log2(c / length) for c in counter.values())
# DGA feature extraction
def extract_features(domain):
return {
"length": len(domain),
"entropy": shannon_entropy(domain),
"digit_ratio": sum(c.isdigit() for c in domain) / len(domain),
"consonant_ratio": sum(c in "bcdfghjklmnpqrstvwxyz" for c in domain.lower()) / max(sum(c.isalpha() for c in domain), 1),
}References
- Zeek DNS logging: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html
- Suricata DNS rules: https://docs.suricata.io/en/latest/rules/dns-keywords.html
- Iodine DNS tunnel: https://github.com/yarrick/iodine
- dnscat2: https://github.com/iagox86/dnscat2
- dns2tcp: https://github.com/alex-sector/dns2tcp
- Cobalt Strike DNS beacon: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/listener-setup_dns-beacon.htm
- SANS DNS tunneling detection: https://www.sans.org/white-papers/34152/
- MITRE T1071.004: https://attack.mitre.org/techniques/T1071/004/
- MITRE T1568.002: https://attack.mitre.org/techniques/T1568/002/
Scripts 1
agent.py39.7 KB
#!/usr/bin/env python3
"""
DNS C2 Detection Agent
Comprehensive detection pipeline for command-and-control communications over DNS.
Combines Shannon entropy analysis, DNS beaconing detection, DGA classification,
TXT record payload inspection, and known tool signature matching.
Usage:
python agent.py --dns-log /path/to/dns.log --format zeek
python agent.py --dns-log /path/to/eve.json --format suricata
python agent.py --dns-log /path/to/queries.csv --format csv
python agent.py --mode train-dga --legit-domains legit.txt --dga-domains dga.txt
python agent.py --mode entropy --dns-log dns.log --format zeek
Requirements:
pip install numpy scikit-learn tldextract
"""
import argparse
import base64
import csv
import json
import math
import os
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import Path
import numpy as np
try:
import tldextract
HAS_TLDEXTRACT = True
except ImportError:
HAS_TLDEXTRACT = False
try:
from sklearn.ensemble import RandomForestClassifier, GradientBoostingClassifier
from sklearn.model_selection import train_test_split, cross_val_score
from sklearn.metrics import classification_report, confusion_matrix
from sklearn.preprocessing import StandardScaler
import pickle
HAS_SKLEARN = True
except ImportError:
HAS_SKLEARN = False
# ---------------------------------------------------------------------------
# Constants
# ---------------------------------------------------------------------------
VOWELS = set("aeiou")
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")
HEX_CHARS = set("0123456789abcdef")
BASE32_CHARS = set("abcdefghijklmnopqrstuvwxyz234567")
# English bigram frequencies (top 40, from Peter Norvig's analysis)
ENGLISH_BIGRAMS = {
"th": 0.0356, "he": 0.0307, "in": 0.0243, "er": 0.0205,
"an": 0.0199, "re": 0.0185, "on": 0.0176, "at": 0.0149,
"en": 0.0145, "nd": 0.0135, "ti": 0.0134, "es": 0.0134,
"or": 0.0128, "te": 0.0120, "of": 0.0117, "ed": 0.0117,
"is": 0.0113, "it": 0.0112, "al": 0.0109, "ar": 0.0107,
"st": 0.0105, "to": 0.0104, "nt": 0.0104, "ng": 0.0095,
"se": 0.0093, "ha": 0.0093, "as": 0.0087, "ou": 0.0087,
"io": 0.0083, "le": 0.0083, "ve": 0.0083, "co": 0.0079,
"me": 0.0079, "de": 0.0076, "hi": 0.0076, "ri": 0.0073,
"ro": 0.0073, "ic": 0.0070, "ne": 0.0069, "ea": 0.0069,
}
# Known tunneling tool signatures
TOOL_SIGNATURES = {
"iodine": {
"pattern": re.compile(r"^[a-z0-9]{50,}\.", re.IGNORECASE),
"qtypes": {"NULL", "TXT", "CNAME", "MX", "A"},
"entropy_range": (3.8, 4.2),
"description": "Iodine DNS tunnel - IPv4 over DNS",
},
"dnscat2": {
"pattern": re.compile(r"^(dnscat\.)|^[a-f0-9]{16,}\.", re.IGNORECASE),
"qtypes": {"TXT", "CNAME", "MX", "A"},
"entropy_range": (3.5, 4.5),
"description": "dnscat2 encrypted C2 channel",
},
"dns2tcp": {
"pattern": re.compile(r"^[a-z2-7]{20,}\.", re.IGNORECASE),
"qtypes": {"TXT", "KEY"},
"entropy_range": (3.6, 4.0),
"description": "dns2tcp TCP-over-DNS tunnel",
},
"cobalt_strike_dns": {
"pattern": re.compile(r"^[a-f0-9]{8,20}\.", re.IGNORECASE),
"qtypes": {"A", "AAAA", "TXT"},
"entropy_range": (3.2, 4.0),
"description": "Cobalt Strike DNS beacon",
},
"sliver_dns": {
"pattern": re.compile(r"^[a-z0-9]{30,}\.", re.IGNORECASE),
"qtypes": {"A", "TXT"},
"entropy_range": (3.5, 4.2),
"description": "Sliver C2 DNS implant",
},
}
# Common legitimate high-entropy domains to whitelist
WHITELIST_PATTERNS = [
re.compile(r".*\.in-addr\.arpa$"),
re.compile(r".*\.ip6\.arpa$"),
re.compile(r".*\._domainkey\..*"),
re.compile(r".*\._dmarc\..*"),
re.compile(r".*\._spf\..*"),
re.compile(r".*\.akadns\.net$"),
re.compile(r".*\.akamaiedge\.net$"),
re.compile(r".*\.cloudfront\.net$"),
re.compile(r".*\.googleapis\.com$"),
re.compile(r".*\.windows\.net$"),
re.compile(r".*\.azure-dns\..*"),
re.compile(r".*\.1e100\.net$"),
]
# ---------------------------------------------------------------------------
# Core Functions
# ---------------------------------------------------------------------------
def shannon_entropy(data):
"""Calculate Shannon entropy of a string in bits per character."""
if not data:
return 0.0
counter = Counter(data)
length = len(data)
return -sum((c / length) * math.log2(c / length) for c in counter.values())
def extract_subdomain(fqdn):
"""Extract subdomain and base domain from FQDN."""
fqdn = fqdn.lower().rstrip(".")
if HAS_TLDEXTRACT:
ext = tldextract.extract(fqdn)
subdomain = ext.subdomain or ""
base = f"{ext.domain}.{ext.suffix}" if ext.suffix else ext.domain
return subdomain, base
else:
parts = fqdn.split(".")
if len(parts) > 2:
return ".".join(parts[:-2]), ".".join(parts[-2:])
return "", fqdn
def is_whitelisted(fqdn):
"""Check if domain matches a known-legitimate pattern."""
for pattern in WHITELIST_PATTERNS:
if pattern.match(fqdn.lower()):
return True
return False
def parse_timestamp(ts_str):
"""Parse various timestamp formats."""
formats = [
"%Y-%m-%dT%H:%M:%S.%fZ",
"%Y-%m-%dT%H:%M:%S.%f",
"%Y-%m-%dT%H:%M:%S",
"%Y-%m-%d %H:%M:%S.%f",
"%Y-%m-%d %H:%M:%S",
]
for fmt in formats:
try:
return datetime.strptime(ts_str, fmt)
except ValueError:
continue
try:
return datetime.utcfromtimestamp(float(ts_str))
except (ValueError, OverflowError, OSError):
return None
# ---------------------------------------------------------------------------
# Log Parsers
# ---------------------------------------------------------------------------
def parse_zeek_dns_log(filepath):
"""Parse Zeek dns.log (tab-separated format)."""
queries = []
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
headers = None
for line in f:
line = line.strip()
if line.startswith("#fields"):
headers = line.split("\t")[1:]
continue
if line.startswith("#") or not line:
continue
fields = line.split("\t")
if headers and len(fields) >= len(headers):
record = dict(zip(headers, fields))
elif len(fields) >= 10:
record = {
"ts": fields[0],
"id.orig_h": fields[2],
"query": fields[9] if len(fields) > 9 else "",
"qtype_name": fields[13] if len(fields) > 13 else "",
"answers": fields[21] if len(fields) > 21 else "",
}
else:
continue
ts = record.get("ts", "")
src_ip = record.get("id.orig_h", "")
query = record.get("query", "")
qtype = record.get("qtype_name", record.get("qtype", ""))
answers = record.get("answers", "")
if query and query != "-":
queries.append({
"timestamp": ts,
"src_ip": src_ip,
"query": query,
"qtype": qtype,
"answers": answers,
})
return queries
def parse_suricata_eve(filepath):
"""Parse Suricata EVE JSON log for DNS events."""
queries = []
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
for line in f:
line = line.strip()
if not line:
continue
try:
event = json.loads(line)
except json.JSONDecodeError:
continue
if event.get("event_type") != "dns":
continue
dns = event.get("dns", {})
query = dns.get("rrname", dns.get("query", ""))
qtype = dns.get("rrtype", dns.get("type", ""))
src_ip = event.get("src_ip", "")
ts = event.get("timestamp", "")
answers_list = dns.get("answers", [])
answers = ""
if isinstance(answers_list, list):
answers = ",".join(
a.get("rdata", "") for a in answers_list if isinstance(a, dict)
)
if query:
queries.append({
"timestamp": ts,
"src_ip": src_ip,
"query": query,
"qtype": str(qtype),
"answers": answers,
})
return queries
def parse_csv_dns(filepath):
"""Parse CSV DNS log with columns: timestamp, src_ip, query, qtype, answers."""
queries = []
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
reader = csv.DictReader(f)
for row in reader:
query = row.get("query", row.get("domain", row.get("qname", "")))
if query:
queries.append({
"timestamp": row.get("timestamp", row.get("ts", "")),
"src_ip": row.get("src_ip", row.get("source", row.get("client_ip", ""))),
"query": query,
"qtype": row.get("qtype", row.get("type", row.get("qtype_name", ""))),
"answers": row.get("answers", row.get("answer", "")),
})
return queries
def load_dns_queries(filepath, fmt="zeek"):
"""Load DNS queries from log file."""
parsers = {
"zeek": parse_zeek_dns_log,
"suricata": parse_suricata_eve,
"csv": parse_csv_dns,
}
parser = parsers.get(fmt)
if not parser:
print(f"[ERROR] Unknown format '{fmt}'. Supported: {', '.join(parsers.keys())}")
return []
return parser(filepath)
# ---------------------------------------------------------------------------
# Entropy Analysis
# ---------------------------------------------------------------------------
def analyze_entropy(queries, entropy_threshold=3.5, length_threshold=30):
"""Analyze DNS queries for tunneling indicators via entropy and subdomain length."""
results = []
for q in queries:
fqdn = q.get("query", "").lower().rstrip(".")
if not fqdn or is_whitelisted(fqdn):
continue
subdomain, base_domain = extract_subdomain(fqdn)
if not subdomain:
continue
flat = subdomain.replace(".", "")
if not flat:
continue
entropy = shannon_entropy(flat)
length = len(flat)
label_count = subdomain.count(".") + 1
score = 0.0
flags = []
# Entropy scoring
if entropy > 4.0:
score += (entropy - 3.5) * 30
flags.append(f"very_high_entropy:{entropy:.2f}")
elif entropy > entropy_threshold:
score += (entropy - entropy_threshold) * 25
flags.append(f"high_entropy:{entropy:.2f}")
# Length scoring
if length > 50:
score += (length - 30) * 0.8
flags.append(f"very_long_subdomain:{length}")
elif length > length_threshold:
score += (length - length_threshold) * 0.5
flags.append(f"long_subdomain:{length}")
# Label count
if label_count > 5:
score += label_count * 3
flags.append(f"many_labels:{label_count}")
# Encoding detection
hex_ratio = sum(1 for c in flat if c in HEX_CHARS) / len(flat)
if hex_ratio > 0.85 and length > 20:
score += 20
flags.append("hex_encoded")
b32_ratio = sum(1 for c in flat if c in BASE32_CHARS) / len(flat)
if b32_ratio > 0.95 and length > 20 and hex_ratio <= 0.85:
score += 15
flags.append("base32_encoded")
# Tool signature matching
for tool_name, sig in TOOL_SIGNATURES.items():
if sig["pattern"].match(fqdn):
qtype = q.get("qtype", "").upper()
if not qtype or qtype in sig["qtypes"]:
ent_low, ent_high = sig["entropy_range"]
if ent_low <= entropy <= ent_high or entropy > ent_high:
score += 25
flags.append(f"tool_sig:{tool_name}")
break
if flags:
results.append({
"fqdn": fqdn,
"subdomain": subdomain,
"base_domain": base_domain,
"entropy": round(entropy, 4),
"subdomain_length": length,
"label_count": label_count,
"score": round(score, 2),
"flags": flags,
"src_ip": q.get("src_ip", ""),
"timestamp": q.get("timestamp", ""),
"qtype": q.get("qtype", ""),
})
results.sort(key=lambda x: x["score"], reverse=True)
return results
# ---------------------------------------------------------------------------
# Beaconing Detection
# ---------------------------------------------------------------------------
def detect_beaconing(queries, min_queries=10, max_jitter_pct=25,
min_interval=10, max_interval=7200):
"""Detect periodic DNS beaconing patterns."""
groups = defaultdict(list)
for q in queries:
src_ip = q.get("src_ip", "")
fqdn = q.get("query", "").lower().rstrip(".")
ts = parse_timestamp(q.get("timestamp", ""))
if not ts or not src_ip or not fqdn:
continue
_, base_domain = extract_subdomain(fqdn)
if is_whitelisted(fqdn):
continue
groups[(src_ip, base_domain)].append(ts)
beacons = []
for (src_ip, base_domain), timestamps in groups.items():
if len(timestamps) < min_queries:
continue
timestamps.sort()
intervals = np.array([
(timestamps[i+1] - timestamps[i]).total_seconds()
for i in range(len(timestamps) - 1)
])
# Remove zero/negative intervals
intervals = intervals[intervals > 0]
if len(intervals) < min_queries - 1:
continue
mean_int = float(np.mean(intervals))
std_int = float(np.std(intervals))
median_int = float(np.median(intervals))
if mean_int < min_interval or mean_int > max_interval:
continue
cv = (std_int / mean_int * 100) if mean_int > 0 else 100
if cv > max_jitter_pct:
continue
time_span = (timestamps[-1] - timestamps[0]).total_seconds()
hours = time_span / 3600
score = 0.0
flags = []
if cv < 5:
score += 40
flags.append(f"very_low_jitter:CV={cv:.1f}%")
elif cv < 15:
score += 30
flags.append(f"low_jitter:CV={cv:.1f}%")
else:
score += 15
flags.append(f"moderate_jitter:CV={cv:.1f}%")
if hours > 24:
score += 20
flags.append(f"persistent:{hours:.1f}h")
elif hours > 4:
score += 10
flags.append(f"sustained:{hours:.1f}h")
if len(timestamps) > 100:
score += 15
flags.append(f"high_volume:{len(timestamps)}")
elif len(timestamps) > 50:
score += 10
common_intervals = [60, 120, 300, 600, 900, 1800, 3600]
for ci in common_intervals:
if abs(mean_int - ci) < ci * 0.1:
score += 10
flags.append(f"common_c2_interval:~{ci}s")
break
beacons.append({
"src_ip": src_ip,
"base_domain": base_domain,
"query_count": len(timestamps),
"mean_interval": round(mean_int, 2),
"median_interval": round(median_int, 2),
"std_interval": round(std_int, 2),
"jitter_cv": round(cv, 2),
"first_seen": timestamps[0].isoformat(),
"last_seen": timestamps[-1].isoformat(),
"duration_hours": round(hours, 2),
"score": round(score, 1),
"flags": flags,
})
beacons.sort(key=lambda x: x["score"], reverse=True)
return beacons
# ---------------------------------------------------------------------------
# TXT Record Analysis
# ---------------------------------------------------------------------------
def analyze_txt_records(queries):
"""Analyze TXT record queries and responses for C2 payload indicators."""
findings = []
# Filter TXT queries
txt_queries = [
q for q in queries
if q.get("qtype", "").upper() in ("TXT", "16")
]
if not txt_queries:
return findings
# Group by base domain
domain_groups = defaultdict(list)
for q in txt_queries:
fqdn = q.get("query", "").lower().rstrip(".")
if is_whitelisted(fqdn):
continue
_, base_domain = extract_subdomain(fqdn)
domain_groups[base_domain].append(q)
for base_domain, group in domain_groups.items():
count = len(group)
src_ips = set(q.get("src_ip", "") for q in group)
indicators = []
# Volume anomaly
if count > 50:
indicators.append({
"type": "high_txt_volume",
"detail": f"{count} TXT queries to {base_domain}",
"severity": "high",
})
elif count > 20:
indicators.append({
"type": "elevated_txt_volume",
"detail": f"{count} TXT queries to {base_domain}",
"severity": "medium",
})
# Check answer content
for q in group:
answer = q.get("answers", "")
if not answer or answer == "-":
continue
# Large TXT response
if len(answer) > 500:
indicators.append({
"type": "oversized_txt_response",
"detail": f"TXT response length: {len(answer)}",
"severity": "high",
})
# High entropy in response
ent = shannon_entropy(answer)
if ent > 4.5 and len(answer) > 100:
indicators.append({
"type": "high_entropy_txt",
"detail": f"TXT response entropy: {ent:.3f}",
"severity": "high",
})
# Base64 pattern in response
b64_pattern = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
if b64_pattern.search(answer):
indicators.append({
"type": "base64_in_txt",
"detail": "Base64-encoded content in TXT response",
"severity": "high",
})
# Try to decode and check for executable
try:
match = b64_pattern.search(answer)
decoded = base64.b64decode(match.group())
if decoded[:2] == b'MZ':
indicators.append({
"type": "pe_in_txt",
"detail": "PE executable found in decoded TXT response",
"severity": "critical",
})
if decoded[:4] == b'\x7fELF':
indicators.append({
"type": "elf_in_txt",
"detail": "ELF executable found in decoded TXT response",
"severity": "critical",
})
decoded_str = decoded.decode("utf-8", errors="ignore")
ps_patterns = [
r"Invoke-Expression", r"IEX\s*\(", r"DownloadString",
r"FromBase64String", r"New-Object\s+System\.Net",
]
for pat in ps_patterns:
if re.search(pat, decoded_str, re.IGNORECASE):
indicators.append({
"type": "powershell_stager_in_txt",
"detail": f"PowerShell pattern in decoded TXT: {pat}",
"severity": "critical",
})
break
except Exception:
pass
if indicators:
findings.append({
"base_domain": base_domain,
"txt_query_count": count,
"source_ips": sorted(src_ips),
"indicators": indicators,
"max_severity": max(
(i["severity"] for i in indicators),
key=lambda s: {"critical": 4, "high": 3, "medium": 2, "low": 1}.get(s, 0)
),
"sample_queries": [q["query"] for q in group[:5]],
})
findings.sort(
key=lambda x: {"critical": 4, "high": 3, "medium": 2, "low": 1}.get(
x["max_severity"], 0),
reverse=True,
)
return findings
# ---------------------------------------------------------------------------
# DGA Classification
# ---------------------------------------------------------------------------
DGA_FEATURE_COLUMNS = [
"length", "entropy", "digit_ratio", "vowel_ratio", "consonant_ratio",
"max_consonant_run", "distinct_chars", "distinct_ratio",
"english_bigram_score", "label_count", "hex_ratio",
"transition_ratio", "repeat_ratio", "special_count",
]
def extract_domain_features(domain):
"""Extract numerical features from a domain for DGA classification."""
domain = domain.lower().strip(".")
parts = domain.split(".")
analysis_str = ".".join(parts[:-1]) if len(parts) > 1 else domain
flat = analysis_str.replace(".", "")
length = len(flat)
if length == 0:
return None
entropy = shannon_entropy(flat)
digit_count = sum(1 for c in flat if c.isdigit())
vowel_count = sum(1 for c in flat if c in VOWELS)
consonant_count = sum(1 for c in flat if c in CONSONANTS)
max_consonant_run = 0
current_run = 0
for c in flat:
if c in CONSONANTS:
current_run += 1
max_consonant_run = max(max_consonant_run, current_run)
else:
current_run = 0
distinct_chars = len(set(flat))
bigrams = [flat[i:i+2] for i in range(len(flat) - 1)]
english_score = (
sum(ENGLISH_BIGRAMS.get(bg, 0) for bg in bigrams) / len(bigrams)
if bigrams else 0
)
hex_ratio = sum(1 for c in flat if c in HEX_CHARS) / length
transitions = sum(
1 for i in range(1, len(flat))
if flat[i].isdigit() != flat[i-1].isdigit()
)
repeats = sum(1 for i in range(1, len(flat)) if flat[i] == flat[i-1]) if length > 1 else 0
return {
"domain": domain,
"length": length,
"entropy": round(entropy, 4),
"digit_ratio": round(digit_count / length, 4),
"vowel_ratio": round(vowel_count / length, 4),
"consonant_ratio": round(consonant_count / length, 4),
"max_consonant_run": max_consonant_run,
"distinct_chars": distinct_chars,
"distinct_ratio": round(distinct_chars / length, 4),
"english_bigram_score": round(english_score, 6),
"label_count": len(parts),
"hex_ratio": round(hex_ratio, 4),
"transition_ratio": round(transitions / max(length - 1, 1), 4),
"repeat_ratio": round(repeats / max(length - 1, 1), 4),
"special_count": sum(1 for c in flat if c == '-'),
}
def features_to_vector(features):
"""Convert feature dict to numpy array."""
return np.array([features[col] for col in DGA_FEATURE_COLUMNS])
def train_dga_model(legit_domains, dga_domains, model_type="random_forest",
output_model=None):
"""Train and evaluate a DGA classification model."""
if not HAS_SKLEARN:
print("[ERROR] scikit-learn required: pip install scikit-learn")
return None, None, None
print(f"[*] Extracting features from {len(legit_domains)} legitimate "
f"and {len(dga_domains)} DGA domains...")
X_legit = [features_to_vector(f) for d in legit_domains
if (f := extract_domain_features(d)) is not None]
X_dga = [features_to_vector(f) for d in dga_domains
if (f := extract_domain_features(d)) is not None]
if len(X_legit) < 100 or len(X_dga) < 100:
print(f"[ERROR] Insufficient data: {len(X_legit)} legit, {len(X_dga)} DGA")
return None, None, None
print(f" Features extracted: {len(X_legit)} legit, {len(X_dga)} DGA")
X = np.vstack([np.array(X_legit), np.array(X_dga)])
y = np.array([0] * len(X_legit) + [1] * len(X_dga))
scaler = StandardScaler()
X_scaled = scaler.fit_transform(X)
X_train, X_test, y_train, y_test = train_test_split(
X_scaled, y, test_size=0.2, random_state=42, stratify=y
)
if model_type == "gradient_boosting":
model = GradientBoostingClassifier(
n_estimators=200, max_depth=6, learning_rate=0.1,
min_samples_split=10, random_state=42,
)
else:
model = RandomForestClassifier(
n_estimators=200, max_depth=15, min_samples_split=5,
random_state=42, n_jobs=-1,
)
print(f"[*] Training {model_type} classifier...")
model.fit(X_train, y_train)
y_pred = model.predict(X_test)
report = classification_report(y_test, y_pred, target_names=["legitimate", "dga"],
output_dict=True)
cm = confusion_matrix(y_test, y_pred)
cv_scores = cross_val_score(model, X_scaled, y, cv=5, scoring="f1")
metrics = {
"model_type": model_type,
"train_size": len(X_train),
"test_size": len(X_test),
"accuracy": round(report["accuracy"], 4),
"dga_precision": round(report["dga"]["precision"], 4),
"dga_recall": round(report["dga"]["recall"], 4),
"dga_f1": round(report["dga"]["f1-score"], 4),
"legit_precision": round(report["legitimate"]["precision"], 4),
"legit_recall": round(report["legitimate"]["recall"], 4),
"confusion_matrix": cm.tolist(),
"cv_f1_mean": round(float(cv_scores.mean()), 4),
"cv_f1_std": round(float(cv_scores.std()), 4),
"feature_importance": {
k: round(float(v), 4)
for k, v in zip(DGA_FEATURE_COLUMNS, model.feature_importances_)
},
}
print(f"[+] Model trained successfully")
print(f" Accuracy: {metrics['accuracy']}")
print(f" DGA F1: {metrics['dga_f1']}")
print(f" DGA Recall: {metrics['dga_recall']}")
print(f" CV F1 (5-fold): {metrics['cv_f1_mean']} +/- {metrics['cv_f1_std']}")
top_feats = sorted(metrics["feature_importance"].items(),
key=lambda x: x[1], reverse=True)[:5]
print(f" Top features: {', '.join(f'{k}={v:.3f}' for k, v in top_feats)}")
if output_model:
with open(output_model, "wb") as f:
pickle.dump({"model": model, "scaler": scaler, "metrics": metrics}, f)
print(f"[+] Model saved to {output_model}")
return model, scaler, metrics
def classify_domains_dga(domains, model, scaler, threshold=0.65):
"""Classify domains as DGA or legitimate."""
results = []
for domain in domains:
feats = extract_domain_features(domain)
if feats is None:
continue
vec = features_to_vector(feats).reshape(1, -1)
vec_scaled = scaler.transform(vec)
prob = model.predict_proba(vec_scaled)[0]
if prob[1] >= threshold:
results.append({
"domain": domain,
"prediction": "dga" if prob[1] >= 0.5 else "legitimate",
"dga_probability": round(float(prob[1]), 4),
"confidence": "high" if prob[1] > 0.85 else "medium",
"entropy": feats["entropy"],
"length": feats["length"],
})
results.sort(key=lambda x: x["dga_probability"], reverse=True)
return results
# ---------------------------------------------------------------------------
# Reporting
# ---------------------------------------------------------------------------
def print_report(entropy_results, beacons, txt_findings, dga_results,
total_queries, unique_domains):
"""Print unified DNS C2 detection report."""
print("=" * 80)
print(" DNS C2 DETECTION ANALYSIS REPORT")
print("=" * 80)
print(f" Generated: {datetime.utcnow().isoformat()}Z")
print(f" Total Queries: {total_queries:,}")
print(f" Unique Domains: {unique_domains:,}")
print()
# Entropy section
print(" ENTROPY ANALYSIS")
print(" " + "-" * 76)
print(f" Suspicious queries: {len(entropy_results)}")
if entropy_results:
# Group by base domain
domain_agg = defaultdict(lambda: {"count": 0, "max_ent": 0, "max_score": 0, "ips": set()})
for r in entropy_results:
bd = r["base_domain"]
domain_agg[bd]["count"] += 1
domain_agg[bd]["max_ent"] = max(domain_agg[bd]["max_ent"], r["entropy"])
domain_agg[bd]["max_score"] = max(domain_agg[bd]["max_score"], r["score"])
domain_agg[bd]["ips"].add(r["src_ip"])
sorted_domains = sorted(domain_agg.items(), key=lambda x: x[1]["max_score"], reverse=True)
for domain, data in sorted_domains[:10]:
severity = "CRITICAL" if data["max_score"] > 60 else "HIGH" if data["max_score"] > 30 else "MEDIUM"
print(f"\n [{severity}] {domain}")
print(f" Suspicious queries: {data['count']} Max entropy: {data['max_ent']:.3f}")
print(f" Source IPs: {', '.join(sorted(data['ips']))}")
# Show tool signature if matched
for r in entropy_results:
if r["base_domain"] == domain:
tool_flags = [f for f in r["flags"] if f.startswith("tool_sig:")]
if tool_flags:
print(f" Tool match: {tool_flags[0].split(':')[1]}")
break
print()
# Beaconing section
print(" BEACONING DETECTION")
print(" " + "-" * 76)
print(f" Beacon patterns: {len(beacons)}")
for b in beacons[:10]:
severity = "CRITICAL" if b["score"] > 70 else "HIGH" if b["score"] > 50 else "MEDIUM"
print(f"\n [{severity}] {b['src_ip']} -> {b['base_domain']}")
print(f" Score: {b['score']} Queries: {b['query_count']} "
f"Interval: {b['mean_interval']:.1f}s +/- {b['std_interval']:.1f}s")
print(f" Jitter: {b['jitter_cv']:.1f}% Duration: {b['duration_hours']:.1f}h")
print(f" Flags: {', '.join(b['flags'])}")
print()
# TXT record section
print(" TXT RECORD ANALYSIS")
print(" " + "-" * 76)
print(f" Suspicious TXT patterns: {len(txt_findings)}")
for finding in txt_findings[:10]:
print(f"\n [{finding['max_severity'].upper()}] {finding['base_domain']}")
print(f" TXT queries: {finding['txt_query_count']} "
f"Sources: {', '.join(finding['source_ips'][:3])}")
for ind in finding["indicators"][:3]:
print(f" - {ind['type']}: {ind['detail']}")
print()
# DGA section
if dga_results:
print(" DGA CLASSIFICATION")
print(" " + "-" * 76)
high_conf = [r for r in dga_results if r["confidence"] == "high"]
med_conf = [r for r in dga_results if r["confidence"] == "medium"]
print(f" High confidence DGA: {len(high_conf)}")
print(f" Medium confidence: {len(med_conf)}")
for r in dga_results[:15]:
print(f" [{r['confidence'].upper()}] {r['domain']} "
f"(prob: {r['dga_probability']:.3f}, ent: {r['entropy']:.2f})")
print()
# Recommendations
print(" RECOMMENDED ACTIONS")
print(" " + "-" * 76)
action_num = 1
critical_domains = set()
for r in entropy_results:
if r["score"] > 60:
critical_domains.add(r["base_domain"])
for b in beacons:
if b["score"] > 70:
critical_domains.add(b["base_domain"])
for f in txt_findings:
if f["max_severity"] == "critical":
critical_domains.add(f["base_domain"])
if critical_domains:
print(f" {action_num}. [CRITICAL] Block in DNS RPZ/firewall: "
f"{', '.join(sorted(critical_domains)[:5])}")
action_num += 1
critical_ips = set()
for r in entropy_results[:5]:
if r["score"] > 60 and r["src_ip"]:
critical_ips.add(r["src_ip"])
for b in beacons[:5]:
if b["score"] > 70:
critical_ips.add(b["src_ip"])
if critical_ips:
print(f" {action_num}. [CRITICAL] Isolate and investigate hosts: "
f"{', '.join(sorted(critical_ips)[:5])}")
action_num += 1
if dga_results:
high_dga = [r["domain"] for r in dga_results if r["confidence"] == "high"]
if high_dga:
print(f" {action_num}. [HIGH] Block {len(high_dga)} high-confidence DGA domains")
action_num += 1
if txt_findings:
print(f" {action_num}. [HIGH] Review {len(txt_findings)} domains with suspicious TXT activity")
action_num += 1
print(f" {action_num}. [MEDIUM] Deploy Zeek/Suricata DNS tunneling signatures")
print()
# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
def main():
parser = argparse.ArgumentParser(
description="DNS C2 Detection Agent - Tunneling, DGA, Beaconing, TXT Payload Analysis"
)
parser.add_argument("--dns-log", help="Path to DNS log file")
parser.add_argument("--format", choices=["zeek", "suricata", "csv"],
default="zeek", help="DNS log format")
parser.add_argument("--mode", choices=["full", "entropy", "beacon", "txt",
"dga-classify", "train-dga"],
default="full", help="Analysis mode")
# Thresholds
parser.add_argument("--entropy-threshold", type=float, default=3.5,
help="Shannon entropy threshold for suspicious queries")
parser.add_argument("--length-threshold", type=int, default=30,
help="Subdomain length threshold")
parser.add_argument("--beacon-min-queries", type=int, default=10,
help="Minimum queries for beacon detection")
parser.add_argument("--beacon-max-jitter", type=float, default=25,
help="Maximum jitter CV%% for beacon detection")
parser.add_argument("--dga-threshold", type=float, default=0.65,
help="DGA probability threshold for reporting")
# DGA training
parser.add_argument("--legit-domains", help="File with legitimate domains (one per line)")
parser.add_argument("--dga-domains", help="File with DGA domains (one per line)")
parser.add_argument("--model-type", choices=["random_forest", "gradient_boosting"],
default="random_forest", help="ML model type for DGA")
parser.add_argument("--dga-model", help="Path to saved DGA model (pickle)")
# Output
parser.add_argument("--output", default="dns_c2_report.json",
help="Output path for JSON report")
parser.add_argument("--output-model", default="dga_model.pkl",
help="Output path for trained DGA model")
args = parser.parse_args()
print("[*] DNS C2 Detection Agent")
print(f" Mode: {args.mode}")
print()
# DGA training mode
if args.mode == "train-dga":
if not args.legit_domains or not args.dga_domains:
print("[ERROR] --legit-domains and --dga-domains required for training")
sys.exit(1)
with open(args.legit_domains) as f:
legit = [line.strip() for line in f if line.strip()]
with open(args.dga_domains) as f:
dga = [line.strip() for line in f if line.strip()]
print(f"[*] Loaded {len(legit)} legitimate and {len(dga)} DGA domains")
model, scaler, metrics = train_dga_model(
legit, dga, args.model_type, args.output_model
)
if metrics:
with open(args.output, "w") as f:
json.dump(metrics, f, indent=2)
print(f"[+] Metrics saved to {args.output}")
return
# Analysis modes require DNS log
if not args.dns_log:
print("[ERROR] --dns-log required for analysis")
sys.exit(1)
print(f"[*] Loading DNS queries from {args.dns_log} (format: {args.format})...")
queries = load_dns_queries(args.dns_log, args.format)
print(f" Loaded {len(queries):,} queries")
if not queries:
print("[ERROR] No queries loaded. Check file path and format.")
sys.exit(1)
unique_domains = len(set(q.get("query", "") for q in queries))
print(f" Unique domains: {unique_domains:,}")
print()
entropy_results = []
beacons = []
txt_findings = []
dga_results = []
# Entropy analysis
if args.mode in ("full", "entropy"):
print("[*] Running entropy analysis...")
entropy_results = analyze_entropy(
queries, args.entropy_threshold, args.length_threshold
)
print(f" Suspicious queries: {len(entropy_results)}")
# Beaconing detection
if args.mode in ("full", "beacon"):
print("[*] Running beacon detection...")
beacons = detect_beaconing(
queries, args.beacon_min_queries, args.beacon_max_jitter
)
print(f" Beacon patterns: {len(beacons)}")
# TXT record analysis
if args.mode in ("full", "txt"):
print("[*] Running TXT record analysis...")
txt_findings = analyze_txt_records(queries)
print(f" Suspicious TXT patterns: {len(txt_findings)}")
# DGA classification
if args.mode in ("full", "dga-classify"):
model = None
scaler = None
if args.dga_model and os.path.exists(args.dga_model):
print(f"[*] Loading DGA model from {args.dga_model}...")
with open(args.dga_model, "rb") as f:
saved = pickle.load(f)
model = saved["model"]
scaler = saved["scaler"]
elif HAS_SKLEARN:
print("[*] No DGA model provided, using feature-based heuristic scoring")
else:
print("[WARN] scikit-learn not available, skipping DGA classification")
if model and scaler:
domains = list(set(q.get("query", "").lower().rstrip(".")
for q in queries if q.get("query")))
print(f"[*] Classifying {len(domains)} unique domains...")
dga_results = classify_domains_dga(domains, model, scaler, args.dga_threshold)
print(f" DGA candidates: {len(dga_results)}")
print()
# Print report
print_report(entropy_results, beacons, txt_findings, dga_results,
len(queries), unique_domains)
# Save JSON report
report = {
"generated_at": datetime.utcnow().isoformat() + "Z",
"total_queries": len(queries),
"unique_domains": unique_domains,
"entropy_analysis": {
"threshold": args.entropy_threshold,
"suspicious_count": len(entropy_results),
"results": entropy_results[:100],
},
"beaconing": {
"min_queries": args.beacon_min_queries,
"max_jitter_pct": args.beacon_max_jitter,
"patterns_detected": len(beacons),
"results": beacons[:50],
},
"txt_analysis": {
"suspicious_count": len(txt_findings),
"results": txt_findings[:50],
},
"dga_classification": {
"threshold": args.dga_threshold,
"candidates": len(dga_results),
"results": dga_results[:100],
},
}
with open(args.output, "w", encoding="utf-8") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
print("[*] Done.")
if __name__ == "__main__":
main()