What is DNS exfiltration?

DNS exfiltration is a cyberattack technique where data is stolen from a network by encoding it into DNS queries, which are often left unmonitored by traditional security controls.

What logs are required for this analysis?

This skill is designed to work with passive DNS logs, such as those generated by Zeek (dns.log), Suricata (EVE JSON), or raw PCAP files.

Can this be integrated into a SIEM?

Yes, the provided Python detection logic can be adapted into scripts or rules for SIEM platforms like Splunk, ELK, or Sentinel to automate real-time alerting.

How does this skill detect tunneling tools?

The skill analyzes DNS query metadata for anomalies like high character entropy, unusual subdomain lengths, and high frequencies of TXT or NULL record types common in tools like iodine and dnscat2.

DNS Exfiltration Detection

Name: DNS Exfiltration Detection
Author: mukul975

bymukul975

•

4,120

•

Seguridad y Pruebas

Analyzes DNS query patterns to detect and alert on covert data exfiltration and tunneling activities using statistical analysis.

This skill provides a comprehensive framework for identifying DNS exfiltration, a technique where attackers use the Domain Name System as a covert channel to bypass security controls and extract data. It guides users through analyzing DNS query entropy, subdomain lengths, and query volumes to identify tools like iodine and dnscat2. By leveraging passive DNS monitoring and Python-based statistical methods, this skill enables security teams to build robust detection rules, conduct threat hunting, and automate the identification of anomalous network traffic that traditional firewalls often miss.

Características Principales

01Calculates Shannon entropy for subdomain strings to identify encoded data payloads

02Analyzes query volume and unique subdomain ratios to detect tunneling behavior

03Detects common exfiltration tools including iodine, dnscat2, and Cobalt Strike

04Maps detection techniques to NIST CSF 2.0 and MITRE ATT&CK frameworks

054,120 GitHub stars

06Provides automated Python logic for processing Zeek and Suricata DNS logs

Casos de Uso

01Conducting forensic analysis of DNS traffic during security incident responses

02Building automated SIEM alerts for covert network channel detection

03Performing threat hunting exercises to find dormant C2 communication

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-dns-exfiltration-with-dns-query-analysis

For use in Claude.ai and ChatGPT

Características Principales

01Calculates Shannon entropy for subdomain strings to identify encoded data payloads

02Analyzes query volume and unique subdomain ratios to detect tunneling behavior

03Detects common exfiltration tools including iodine, dnscat2, and Cobalt Strike

04Maps detection techniques to NIST CSF 2.0 and MITRE ATT&CK frameworks

054,120 GitHub stars

06Provides automated Python logic for processing Zeek and Suricata DNS logs

Casos de Uso

01Conducting forensic analysis of DNS traffic during security incident responses

02Building automated SIEM alerts for covert network channel detection

03Performing threat hunting exercises to find dormant C2 communication

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-dns-exfiltration-with-dns-query-analysis

For use in Claude.ai and ChatGPT