Stats
Actions
Tags
From cybersec-toolkit
Analyzes Zeek dns.log to detect DNS-based data exfiltration using Shannon entropy, long subdomain labels, unique subdomain counts, and query volume anomalies.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersec-toolkit:detecting-exfiltration-over-dns-with-zeekThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
DNS tunneling and exfiltration is a technique used by attackers to bypass firewalls and DLP controls by encoding stolen data into DNS query subdomains. Legitimate DNS queries have predictable entropy and length patterns, while exfiltration queries contain encoded data with high Shannon entropy, unusually long subdomain labels, and high volumes of unique subdomains per parent domain.
DNS tunneling and exfiltration is a technique used by attackers to bypass firewalls and DLP controls by encoding stolen data into DNS query subdomains. Legitimate DNS queries have predictable entropy and length patterns, while exfiltration queries contain encoded data with high Shannon entropy, unusually long subdomain labels, and high volumes of unique subdomains per parent domain.
This skill analyzes Zeek dns.log files (TSV format) to detect exfiltration indicators. The agent computes Shannon entropy for each subdomain component, identifies queries exceeding the 63-character DNS label limit, counts unique subdomains per parent domain, and flags domains that exceed configurable thresholds. These techniques detect tools like dnscat2, iodine, dns2tcp, and custom DNS tunneling implementations.
Parse Zeek dns.log headers: Read the TSV file, extract the #fields header line to identify column positions for ts, id.orig_h, query, qtype_name, rcode_name, and answers.
Extract and decompose queries: For each DNS query, split the FQDN into subdomain labels and parent domain. Skip queries to known safe domains and internal zones.
Compute Shannon entropy: Calculate the information entropy of each subdomain label. Legitimate subdomains typically have entropy below 3.5, while encoded/encrypted data produces entropy above 4.0.
Detect long labels: Flag DNS labels exceeding 52 characters (approaching the 63-character maximum). Long labels are a strong indicator of data tunneling.
Count unique subdomains per domain: Track how many distinct subdomains each parent domain receives. Domains with more than 50 unique subdomains within the log window are suspicious.
Identify query volume anomalies: Calculate queries-per-minute per source IP per domain. Exfiltration tools generate sustained high-volume query streams that differ from normal browsing.
Score and rank domains: Combine entropy, label length, uniqueness count, and query volume into a composite risk score. Rank domains by score and output the top suspicious domains.
Generate detection report: Produce a JSON report with flagged domains, their evidence indicators, originating source IPs, and recommended response actions.
{
"analysis_summary": {
"total_queries_analyzed": 145832,
"unique_domains": 3421,
"flagged_domains": 3,
"entropy_threshold": 3.5
},
"flagged_domains": [
{
"domain": "data.evil-c2.com",
"unique_subdomains": 892,
"avg_entropy": 4.72,
"max_label_length": 61,
"source_ips": ["10.0.1.45"],
"risk_score": 9.4,
"indicators": ["high_entropy", "long_labels", "high_subdomain_count"]
}
]
}
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkitAnalyzes Zeek dns.log to detect DNS-based data exfiltration using Shannon entropy, long subdomain labels, unique subdomain counts, and query volume anomalies.
Detects DNS-based data exfiltration in Zeek dns.log files by analyzing high-entropy subdomains, long labels, unique subdomain counts, and query volume anomalies. For threat hunting and incident response.
Analyzes Zeek dns.log files to detect DNS data exfiltration via high-entropy subdomains, long labels, unique subdomain counts per domain, and query rate anomalies. For network threat hunting.