
Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.
Threat actors continuously seek ways to bypass perimeter defenses, and the Domain Name System (DNS) provides the perfect camouflage. Because the DNS protocol is the backbone of internet connectivity, organizations rarely restrict or deeply inspect its traffic. DNS Tunneling attacks directly exploit this inherent blind spot by weaponizing the protocol itself, covertly encapsulating malicious communications within seemingly normal DNS queries and responses.
Lumu continuously analyzes your network metadata for these covert behavioral patterns. Initially, suspicious DNS traffic may be flagged as an anomaly to assist your team with proactive threat hunting. However, the moment this activity displays the definitive, high-confidence traits of an active tunnel, Lumu automatically escalates it into a confirmed DNS Tunneling incident.
The detection of this incident empowers your response team by providing crucial visibility into two primary attack objectives:
- Data Exfiltration: Uncovers attempts to smuggle sensitive intellectual property or credentials out of your network. Attackers achieve this by encoding stolen data directly into the subdomain strings of outbound DNS queries, routing them to their own authoritative servers for decoding.
- Network Infiltration (Command and Control): Identifies threat actors actively pushing malicious payloads or commands into your environment to maintain persistent C2 sessions. By hijacking DNS response fields—specifically TXT records—adversaries can bypass traditional inbound firewall rules to establish reverse shells on compromised devices.
This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context to support the decision-making of your organization's response team.
Collected Data
The Lumu Portal captures specific metadata to facilitate forensic analysis and determine the severity of the covert communication. The data collected includes:
- DNS records: The malicious root domain and the specific Authoritative Servers receiving the tunneled queries.
- Affected endpoints: The specific internal devices generating the anomalous DNS traffic.
- Data transferred: The exact volume of data uploaded and downloaded during the connection.
Incident Details
The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:
1. Summary: This section provides the foundational timeline and operational metrics of the incident. It displays the Creation Date, First and Last Record, and the First Affected Endpoint to help you establish the exact window of the covert communication. This allows you to correlate the tunneling timeframe with other potential network anomalies.
2. Tunneling Activity: This section aggregates the most relevant data regarding the covert channels and establishes a visual timeline to help you determine the severity of the compromise.
- Aggregated Metrics: Displays the total number of Affected Endpoints, the volume of DNS Records generated, and the total Data Transferred (broken down by Uploaded and Downloaded volume). This allows analysts to determine exactly how much organizational data has potentially been exfiltrated and how many malicious commands might have entered the network.
- Data Exfiltration Timeline: A graph displaying the data transferred over the incident's timeframe. Analysts can filter by specific endpoints and instantly see spikes in data uploads or downloads to map the attacker's activity.
- Endpoint Involved List: An expandable breakdown of the affected assets. It displays the timeframe of the infection, the endpoint name, its environment label, the specific data transferred by that machine, and the number of records it generated. This display of information can help you quickly assess the potential severity of the attack.
- Records Sample: Displays a snapshot of up to 20 raw DNS records associated with the endpoint. This information can be used to look for high variability in the subdomains, such as long, randomized strings. Because DNS tunneling relies on encoding data directly into the query itself, this constant variability provides visual confirmation that data is actively being encapsulated.
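The traits the Records Sample is meant to reveal (many distinct subdomains under one root, long labels, random-looking characters) can be measured rather than eyeballed. The script below is an added example, not Lumu's detection logic or any code from the Lumu Portal: it groups constructed query names by root domain, computes the unique-subdomain ratio, mean label length and mean Shannon entropy, and flags roots that exceed illustrative thresholds. The thresholds, the sample records, and the "root = last two labels" rule are assumptions made for the example; a real implementation would use a public-suffix list and tune thresholds against the organization's own baseline. It also includes a CDN-style domain with variable but short hostnames to show why no single metric is enough on its own.

```python
import math
from collections import defaultdict

# Constructed sample modelled on a "Records Sample" panel (not real traffic):
# one root domain receiving long, high-entropy subdomain labels (the tunnel),
# one ordinary domain with a few stable hostnames, and one with variable but
# short, low-entropy hostnames that must not be flagged.
SAMPLE_RECORDS = [
    "mail.example-corp.test",
    "www.example-corp.test",
    "mail.example-corp.test",
    "login.example-corp.test",
    "mail.example-corp.test",
    "img1.cdn-example.test",
    "img2.cdn-example.test",
    "img3.cdn-example.test",
    "k7q2m9x4v1b8n3z6c5h0j2p7w4r9t1y6e3u8o5a2.tun.badexample.test",
    "x1b8q4m2k9z6v7n3j0c5w2h7p4t9r1e6y3o8u5a2.tun.badexample.test",
    "p9w3t6r1y4e8u2o5a7k0q2m6x9v3b1n8z4c7h5j2.tun.badexample.test",
    "z5c2h8j1p4w7t0r3y6e9u2o5a1k8q4m7x2v9b6n3.tun.badexample.test",
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name):
    """Split a query name into (root domain, subdomain part).

    Assumption: the root is the last two labels. Production code should use a
    public-suffix list so that names like example.co.uk are handled correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_root_domains(records):
    """Per root domain: query count, unique-subdomain ratio, mean payload length and entropy."""
    groups = defaultdict(list)
    for name in records:
        root, sub = split_query(name)
        groups[root].append(sub)
    profiles = {}
    for root, subs in groups.items():
        payloads = [s.replace(".", "") for s in subs]  # label separators carry no data
        profiles[root] = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_length": sum(len(p) for p in payloads) / len(payloads),
            "mean_entropy": sum(shannon_entropy(p) for p in payloads) / len(payloads),
        }
    return profiles


def likely_tunnel(profile, min_queries=3, min_unique_ratio=0.8,
                  min_length=30, min_entropy=3.5):
    """Illustrative thresholds (an assumption for this example, not Lumu's logic).

    All traits must hold together: a CDN serving img1/img2/img3 has a perfect
    unique ratio but short, low-entropy labels, so it is not flagged.
    """
    return (profile["queries"] >= min_queries
            and profile["unique_ratio"] >= min_unique_ratio
            and profile["mean_length"] >= min_length
            and profile["mean_entropy"] >= min_entropy)


def flag_tunnel_candidates(records):
    """Root domains whose query pattern looks like data encoded into subdomains."""
    profiles = profile_root_domains(records)
    return sorted(root for root, p in profiles.items() if likely_tunnel(p))


if __name__ == "__main__":
    for root, p in profile_root_domains(SAMPLE_RECORDS).items():
        print(f"{root:22} queries={p['queries']:2} unique={p['unique_ratio']:.2f} "
              f"len={p['mean_length']:5.1f} entropy={p['mean_entropy']:.2f} "
              f"tunnel={likely_tunnel(p)}")
```

Run against the constructed sample, only badexample.test is flagged: example-corp.test fails on the unique ratio (the same three hostnames repeat), and cdn-example.test fails on length and entropy despite every query name being distinct. Feeding the same functions the 20 raw records from the portal's sample panel gives a quick, repeatable confirmation of what the analyst sees visually.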
Incident Data Export
While the Lumu Portal displays the most critical data points visually, complex investigations—such as decoding the exfiltrated payloads—require full visibility. Lumu allows in-depth investigations with its Export Feature.
You can export data using the download button located at the top of the page (1) or using the button below the Summary section (2).
Exportable Data
You can export the following for this incident:
- All Records (.csv): Downloads the complete, raw dataset of the entire incident lifecycle directly from the Tunneling Activity header.
- Download endpoint activity (.csv): Allows analysts to extract the specific DNS records and transfer metrics for a single, isolated endpoint to assist in targeted remediation and forensic decoding.
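Once the full record set is exported, the first triage question is which endpoints moved the most data in each direction and over what window. The script below is an added example and not a Lumu tool: it reads a constructed CSV shaped like an "All Records" export and aggregates it per endpoint into the same fields the Endpoints Involved list shows (activity window, environment label, record count, bytes uploaded and downloaded), then ranks endpoints by upload volume (exfiltration candidates) and by download volume (inbound command candidates). The column names in the sample header, the timestamps and the byte counts are assumptions made for this example; map the real export's header onto them before use.

```python
import csv
import io

# Constructed stand-in for an "All Records" export (not real data). The column
# names are an assumption made for this example; map them onto the real export's
# header row before use.
SAMPLE_EXPORT_CSV = """\
timestamp,endpoint,label,query,uploaded_bytes,downloaded_bytes
2024-01-10T08:00:12Z,WS-1041,finance,k7q2m9x4v1b8n3z6c5.tun.badexample.test,44,0
2024-01-10T08:00:13Z,WS-1041,finance,x1b8q4m2k9z6v7n3j0.tun.badexample.test,44,0
2024-01-10T08:00:15Z,WS-1041,finance,cmd.tun.badexample.test,6,120
2024-01-10T09:30:02Z,LT-0207,engineering,p9w3t6r1y4e8u2o5a7.tun.badexample.test,44,0
2024-01-10T09:30:02Z,LT-0207,engineering,p9w3t6r1y4e8u2o5a7.tun.badexample.test,44,0
2024-01-11T07:45:40Z,WS-1041,finance,z5c2h8j1p4w7t0r3y6.tun.badexample.test,44,0
"""


def summarize_export(csv_text):
    """Aggregate an export by endpoint: activity window, record count, bytes each
    way, and the number of distinct query names (a repeated name is a retry of
    the same chunk rather than new data)."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ep = summary.setdefault(row["endpoint"], {
            "label": row["label"],
            "first_seen": row["timestamp"],
            "last_seen": row["timestamp"],
            "records": 0,
            "uploaded": 0,
            "downloaded": 0,
            "queries": set(),
        })
        # Fixed-format ISO-8601 UTC timestamps compare correctly as strings.
        ep["first_seen"] = min(ep["first_seen"], row["timestamp"])
        ep["last_seen"] = max(ep["last_seen"], row["timestamp"])
        ep["records"] += 1
        ep["uploaded"] += int(row["uploaded_bytes"])
        ep["downloaded"] += int(row["downloaded_bytes"])
        ep["queries"].add(row["query"])
    for ep in summary.values():
        ep["unique_queries"] = len(ep.pop("queries"))
    return summary


def rank_by_upload(summary):
    """Endpoints ordered by bytes uploaded: the likely exfiltration sources first."""
    return sorted(summary, key=lambda e: summary[e]["uploaded"], reverse=True)


def rank_by_download(summary):
    """Endpoints ordered by bytes downloaded: candidates for inbound C2 payloads."""
    return sorted(summary, key=lambda e: summary[e]["downloaded"], reverse=True)


if __name__ == "__main__":
    summary = summarize_export(SAMPLE_EXPORT_CSV)
    for name in rank_by_upload(summary):
        ep = summary[name]
        print(f"{name} [{ep['label']}] {ep['first_seen']} .. {ep['last_seen']} "
              f"records={ep['records']} unique={ep['unique_queries']} "
              f"up={ep['uploaded']}B down={ep['downloaded']}B")
```

On the constructed sample, WS-1041 tops both rankings: it uploaded the most and is the only endpoint that received a sizeable response, so it is the first candidate for containment, while LT-0207's two identical queries suggest a retried chunk rather than two pieces of data. To work with a single-endpoint export instead, feed the file from the "Download endpoint activity" button to the same function; the summary will simply contain one entry.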