Adversaries may use DNS to exfiltrate data or to carry command-and-control traffic, because DNS is almost always permitted outbound and is inspected less closely than HTTP. The YARA rule below does not inspect DNS traffic: it flags Windows binaries (or process memory) that reference the resolver libraries and API names needed to issue such queries. A match is a capability indicator, not evidence of tunneling. SOC teams should use it as triage input and pair it with DNS telemetry hunts in Microsoft Sentinel (formerly Azure Sentinel) to identify potential covert network activity.
YARA Rule
rule network_dns {
    meta:
        author = "x0r"
        description = "Communications use DNS"
        version = "0.1"
    strings:
        $f1 = "System.Net"
        $f2 = "Ws2_32.dll" nocase
        $f3 = "Dnsapi.dll" nocase
        $f4 = "wsock32.dll" nocase
        $c2 = "GetHostEntry"
        $c3 = "getaddrinfo"
        $c4 = "gethostbyname"
        $c5 = "WSAAsyncGetHostByName"
        $c6 = "DnsQuery"
    condition:
        1 of ($f*) and 1 of ($c*)
}
This rule is applied to files on disk or to process memory (for example with the yara command-line scanner, yara-python, or an endpoint agent that supports YARA scanning), not to DNS query logs.
The rule contains 9 string patterns: four library or namespace names ($f1 to $f4, three of them marked nocase) and five resolver function names ($c2 to $c6, all case-sensitive; there is no $c1 in the rule as published). A sample matches when at least one string from each group is present, so any program that resolves hostnames through Winsock, Dnsapi, or .NET System.Net will match, including most legitimate network software. Expect a high match rate and treat hits as a starting point for triage rather than as alerts.
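To make the rule's logic concrete, the following pure-Python re-implementation reproduces its matching semantics (plain substring search, nocase only on the three DLL names, and the condition 1 of ($f*) and 1 of ($c*)) and runs it over a handful of constructed byte buffers that stand in for file contents. This is an added example, not code from the original page or from the rule's author; the sample buffers are made up, and a real deployment would use the yara CLI or yara-python rather than this reimplementation.

```python
"""Pure-Python model of the network_dns YARA rule (added example).

The tables below mirror the rule's strings one-for-one, including the
`nocase` modifier. network_dns() applies the rule's condition and returns
which identifiers matched, so the effect of each string is visible.
"""
import re

# Library / namespace strings ($f*). Three carry `nocase` in the rule,
# which matters for PE import tables where DLL names are often uppercase.
F_STRINGS = {
    "$f1": (b"System.Net", False),
    "$f2": (b"Ws2_32.dll", True),
    "$f3": (b"Dnsapi.dll", True),
    "$f4": (b"wsock32.dll", True),
}

# Resolver function names ($c*), all case-sensitive. The published rule
# has no $c1; the numbering here is kept as-is to match it.
C_STRINGS = {
    "$c2": (b"GetHostEntry", False),
    "$c3": (b"getaddrinfo", False),
    "$c4": (b"gethostbyname", False),
    "$c5": (b"WSAAsyncGetHostByName", False),
    "$c6": (b"DnsQuery", False),
}


def _hits(data: bytes, table: dict) -> list:
    """Return the identifiers whose pattern occurs in data, honouring nocase."""
    found = []
    for ident, (pattern, nocase) in table.items():
        flags = re.IGNORECASE if nocase else 0
        if re.search(re.escape(pattern), data, flags):
            found.append(ident)
    return found


def network_dns(data: bytes) -> dict:
    """Evaluate `1 of ($f*) and 1 of ($c*)` over a byte buffer.

    Returns {"match": bool, "strings": [matched identifiers]} so a caller
    can see why a buffer matched, similar to `yara -s`.
    """
    f_hits = _hits(data, F_STRINGS)
    c_hits = _hits(data, C_STRINGS)
    return {"match": bool(f_hits) and bool(c_hits), "strings": f_hits + c_hits}


# Constructed sample buffers (not real binaries); each stands for the kind
# of strings a scanner would see in a file of that type.
SAMPLES = {
    # .NET assembly referencing System.Net.Dns.GetHostEntry -> matches
    "dotnet_resolver": b"\x00System.Net\x00Dns\x00GetHostEntry\x00",
    # Native PE import table; uppercase DLL name is caught by nocase -> matches
    "native_import": b"WS2_32.DLL\x00gethostbyname\x00send\x00recv\x00",
    # Wide-char API suffix still contains the bare "DnsQuery" substring -> matches
    "dnsapi_wide": b"dnsapi.dll\x00DnsQuery_W\x00DnsFree\x00",
    # Sockets without any resolver call -> no match (no $c string)
    "sockets_only": b"ws2_32.dll\x00connect\x00send\x00recv\x00",
    # Resolver name with no library string -> no match (no $f string)
    "func_only": b"getaddrinfo\x00freeaddrinfo\x00",
    # $c strings are case-sensitive, so this does not match
    "wrong_case": b"System.Net\x00GETHOSTENTRY\x00",
}


def scan_samples() -> dict:
    """Run the rule over every sample and return name -> matched?"""
    return {name: network_dns(buf)["match"] for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        res = network_dns(buf)
        print(f"{name:16} match={res['match']!s:5} strings={res['strings']}")
```

The "sockets_only" and "func_only" cases show why the rule needs both groups: a socket library alone, or a resolver name alone, is not enough. The "wrong_case" case is a reminder that only the DLL names are case-insensitive; a .NET binary that names the method with different casing would be missed, while "dnsapi_wide" shows that the bare substring "DnsQuery" also catches the DnsQuery_A/DnsQuery_W variants.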
Because the rule matches binaries rather than DNS traffic, tuning it means allowlisting the known-good executables that legitimately resolve hostnames (by file hash, path, or code-signing certificate). The DNS-query exclusions listed under each scenario apply to the complementary log-based hunt in Sentinel, not to the YARA scan itself.
Scenario: Scheduled system updates via a patch management tool (e.g., Microsoft SCCM or WSUS)
Filter/Exclusion: The update agent binaries import Ws2_32.dll or Dnsapi.dll and resolve update servers, so they will match this rule; allowlist the agent executables in the YARA scan. In the DNS-log hunt, exclude queries to known update servers (e.g., update.microsoft.com, download.microsoft.com) or filter by the source IP of the patch management server.
Scenario: DNS-based load balancing or traffic routing using DNS (e.g., using nslookup or dig for internal DNS resolution)
Filter/Exclusion: The resolver utilities shipped with the operating system (nslookup, dig, host) match the rule by design; allowlist them by path or hash rather than suppressing every hit. In the DNS-log hunt, exclude queries originating from internal DNS servers or from these tools when run by administrators.
Scenario: Automated backup jobs using DNS for service discovery (e.g., using DNS SRV records for database connections)
Filter/Exclusion: Allowlist the backup agent binaries in the YARA scan. In the DNS-log hunt, exclude SRV lookups for internal services (records under the _msdcs, _tcp, or _udp labels) or filter by the source IP of the backup server.
Scenario: Administrative tasks using DNS for troubleshooting (e.g., using ping, tracert, or nslookup to diagnose network issues)
Filter/Exclusion: These are operating-system binaries and should be allowlisted by path or hash. In the DNS-log hunt, exclude queries from known admin workstations during maintenance windows. Avoid blanket exclusions for privileged accounts (e.g., admin, root, or svc-account): those are exactly the accounts an attacker will use, so scope exclusions to specific hosts and time windows instead.
Scenario: DNS-based monitoring tools or network scanners (e.g., nmap, dnsenum, or dnswalk)
Filter/Exclusion: Allowlist the scanner binaries deployed by the network security team in the YARA scan, and in the DNS-log hunt exclude the specific IP ranges those scanners run from. Do not exclude 10.0.0.0/8 or 192.168.0.0/16 wholesale: those are the entire RFC 1918 private ranges and would remove nearly every internal host from the hunt.