Description:

Use this Splunk search to find Base64 encoded content in DNS queries. The goal is to examine the DNS query field of the dns events to find subdomain streams that contain only Base64 valid characters.

Utilizing DNS queries with encoded information is a known method to exfiltrate data. But you do not know if the work is being initiated by malware on the asset of an innocent user, or as an insider threat

The query can result in false positive matches if the subdomain contains a number of characters divisible by 4, and contains only alphanumeric characters. A visual inspection of the search results by an analyst will be required.

Change the search to your own data sourcetype for dns. E.G. stream:dns or infoblox:dns.

sourcetype="dns" (message_type=RESPONSE OR message_type=TXT) | rex field=query "(?<subdomain>.*?)\..*" | regex subdomain="^(([A-Za-z0-9+/]{4})+)$|^([A-Za-z0-9+/]{4})+(([A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=)|([A-Za-z0-9+/][AQgw]==)).*$" | stats count by subdomain