detecting-exfiltration-over-dns-with-zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

mukul975/Anthropic-Cybersecurity-Skills|Updated May 25, 2026

Works with

Claude CodeCursorClineWindsurfCodex

Installation Guide

Select your AI agent

How to use detecting-exfiltration-over-dns-with-zeek on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add detecting-exfiltration-over-dns-with-zeek

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/detecting-exfiltration-over-dns-with-zeek

Fetches detecting-exfiltration-over-dns-with-zeek from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/detecting-exfiltration-over-dns-with-zeek

Restart Cursor to activate detecting-exfiltration-over-dns-with-zeek. Access via /detecting-exfiltration-over-dns-with-zeek in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

Overview

DNS tunneling and exfiltration is a technique used by attackers to bypass firewalls and DLP controls by encoding stolen data into DNS query subdomains. Legitimate DNS queries have predictable entropy and length patterns, while exfiltration queries contain encoded data with high Shannon entropy, unusually long subdomain labels, and high volumes of unique subdomains per parent domain.

This skill analyzes Zeek dns.log files (TSV format) to detect exfiltration indicators. The agent computes Shannon entropy for each subdomain component, identifies queries exceeding the 63-character DNS label limit, counts unique subdomains per parent domain, and flags domains that exceed configurable thresholds. These techniques detect tools like dnscat2, iodine, dns2tcp, and custom DNS tunneling implementations.

When to Use

When investigating security incidents that require detecting exfiltration over dns with zeek

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Steps

Parse Zeek dns.log headers: Read the TSV file, extract the #fields header line to identify column positions for ts, id.orig_h, query, qtype_name, rcode_name, and answers.

Extract and decompose queries: For each DNS query, split the FQDN into subdomain labels and parent domain. Skip queries to known safe domains and internal zones.

Compute Shannon entropy: Calculate the information entropy of each subdomain label. Legitimate subdomains typically have entropy below 3.5, while encoded/encrypted data produces entropy above 4.0.

Detect long labels: Flag DNS labels exceeding 52 characters (approaching the 63-character maximum). Long labels are a strong indicator of data tunneling.

Count unique subdomains per domain: Track how many distinct subdomains each parent domain receives. Domains with more than 50 unique subdomains within the log window are suspicious.

Identify query volume anomalies: Calculate queries-per-minute per source IP per domain. Exfiltration tools generate sustained high-volume query streams that differ from normal browsing.

Score and rank domains: Combine entropy, label length, uniqueness count, and query volume into a composite risk score. Rank domains by score and output the top suspicious domains.

Generate detection report: Produce a JSON report with flagged domains, their evidence indicators, originating source IPs, and recommended response actions.

Expected Output

{ "analysis_summary": { "total_queries_analyzed": 145832, "unique_domains": 3421, "flagged_domains": 3, "entropy_threshold": 3.5 }, "flagged_domains": [ { "domain": "data.evil-c2.com", "unique_subdomains": 892, "avg_entropy": 4.72, "max_label_length": 61, "source_ips": ["10.0.1.45"], "risk_score": 9.4, "indicators": ["high_entropy", "long_labels", "high_subdomain_count"] } ] }

name	detecting-exfiltration-over-dns-with-zeek
description	Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns
domain	cybersecurity
subdomain	network-security
tags	- dns-exfiltration - zeek - entropy-analysis - threat-hunting
version	'1.0'
author	mahipal
license	Apache-2.0
nist_csf	- PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02

detecting-exfiltration-over-dns-with-zeek

Installation Guide

How to use detecting-exfiltration-over-dns-with-zeek on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

List & Monetize Your Skill

Use Cases

Task Automation & Efficiency

Knowledge Enhancement

Quality Improvement

Install Skill

Detecting Exfiltration over DNS with Zeek

Overview

When to Use

Prerequisites

Steps

Expected Output

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

performing-cryptographic-audit-of-application

exploiting-deeplink-vulnerabilities

implementing-soar-playbook-with-palo-alto-xsoar

analyzing-network-traffic-with-wireshark

scanning-docker-images-with-trivy

generating-threat-intelligence-reports

Reviews

Discussion