DNS - T1071.004
(ATT&CK® Technique)
Definition
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
D3FEND Inferred Relationships
Artifacts related to DNS (T1071.004):
DNS produces Outbound Internet DNS Lookup Traffic
DNS produces Outbound Internet Network Traffic
DNS may-transfer Certificate File

Defensive techniques that may-detect DNS (T1071.004):
DNS Traffic Analysis: analyzes Outbound Internet DNS Lookup Traffic
Network Traffic Community Deviation: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Network Traffic Signature Analysis: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Per Host Download-Upload Ratio Analysis: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Client-server Payload Profiling: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Remote Terminal Session Detection: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Protocol Metadata Anomaly Detection: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Relay Pattern Analysis: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
User Geolocation Logon Pattern Analysis: analyzes Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Certificate Analysis: analyzes Certificate File
File Analysis: analyzes Certificate File
File Integrity Monitoring: analyzes Certificate File

Defensive techniques that may-deceive DNS (T1071.004):
Decoy File: spoofs Certificate File

Defensive techniques that may-isolate DNS (T1071.004):
DNS Allowlisting: blocks Outbound Internet DNS Lookup Traffic
DNS Denylisting: blocks Outbound Internet DNS Lookup Traffic
Reverse Resolution IP Denylisting: blocks Outbound Internet DNS Lookup Traffic
Forward Resolution Domain Denylisting: blocks Outbound Internet DNS Lookup Traffic
Network Traffic Filtering: filters Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Outbound Traffic Filtering: filters Outbound Internet DNS Lookup Traffic, Outbound Internet Network Traffic
Local File Permissions: restricts Certificate File
Remote File Access Mediation: isolates Certificate File

Defensive techniques that may-evict DNS (T1071.004):
File Eviction: deletes Certificate File

Defensive techniques that may-harden DNS (T1071.004):
File Encryption: encrypts Certificate File

Defensive techniques that may-restore DNS (T1071.004):
Restore File: restores Certificate File