Rules: Hexadecimal in DNS Query Domain

Description

Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic. While hexadecimal often appears in subdomains, it much less frequent in domains.

Additional Details

Detail	Value
Type	Match
Category	Exfiltration
Apply Risk to Entities	srcDevice_ip, user_username, device_hostname, device_ip
Signal Name	Hexadecimal in DNS Query Domain
Summary Expression	Hexadecimal encoding detected in DNS query domain: {{dns_queryDomain_rootDomain}}
Score/Severity	Static: 4
Enabled by Default	True
Prototype	False
Tags	_mitreAttackTactic:TA0010, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1132, _mitreAttackTechnique:T1132.001

Vendors and Products

Amazon AWS - Application Load Balancer
Amazon AWS - Route53
Bro - Bro
Cisco Systems - Umbrella
Cloudflare - Logpush
CrowdStrike - FDR
Fortinet - Fortigate
Google - Google Cloud Platform
Infoblox - Network Identity Operating System
Microsoft - DNS
Microsoft - Windows
Netskope - Security Cloud
Sophos - UTM 9
Zscaler - Firewall
Zscaler - Nanolog Streaming Service

Fields Used

Origin	Field
Normalized Schema	device_hostname
Normalized Schema	device_ip
Normalized Schema	dns_queryDomain_alexaRank
Normalized Schema	dns_queryDomain_rootDomain
Normalized Schema	dns_queryType
Normalized Schema	listMatches
Normalized Schema	srcDevice_ip
Normalized Schema	user_username

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LEGACY-S00027.md

LEGACY-S00027.md

Rules: Hexadecimal in DNS Query Domain

Description

Additional Details

Vendors and Products

Fields Used

Files

LEGACY-S00027.md

Latest commit

History

LEGACY-S00027.md

File metadata and controls

Rules: Hexadecimal in DNS Query Domain

Description

Additional Details

Vendors and Products

Fields Used