drop a sysmon network-connection (event id 3) evtx or csv export, or a dns cache export · detect covert channel communication patterns · identify dns tunneling, icmp tunneling and protocol abuse · surface data exfiltration hidden in legitimate protocol traffic · runs locally
dns tunneling (>20 subdomains · entropy) · long hostnames · icmp anomalies · http beaconing · port knocking sequences
drop sysmon event 3 csv · dns cache export · firewall log
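The dns tunneling heuristics listed above (more than 20 unique subdomains under one registered domain, high-entropy labels, long hostnames) as an added Python example; this is not the tool's own code. It reads a constructed CSV export with assumed column names (UtcTime, Image, QueryName), and the entropy and hostname-length thresholds are assumptions for illustration; only the ">20 subdomains" figure comes from the page.

```python
"""Flag DNS-tunneling indicators in a Sysmon / DNS-cache style CSV export.

Heuristics: many unique subdomains per registered domain, high-entropy
leftmost labels, and unusually long hostnames. Only the subdomain-count
threshold is from the page; the other two are illustrative defaults.
"""
import csv
import hashlib
import io
import math
from collections import defaultdict

MAX_UNIQUE_SUBDOMAINS = 20      # from the page: ">20 subdomains"
MIN_MEAN_LABEL_ENTROPY = 3.5    # assumption: bits/char of the leftmost label
MAX_HOSTNAME_LENGTH = 52        # assumption: tune against your own baseline


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(hostname: str) -> str:
    """Last two labels, e.g. 'a.b.example.test' -> 'example.test'.
    Simplification: no public-suffix handling (co.uk and similar)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(csv_text: str) -> dict:
    """Aggregate queries per registered domain; return {domain: finding}
    for every domain that trips at least one heuristic."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                      "max_len": 0, "images": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["QueryName"].strip().lower()
        dom = registered_domain(host)
        stats = per_domain[dom]
        prefix = host[: -len(dom) - 1] if host != dom else ""
        if prefix:
            stats["subdomains"].add(prefix)
            # entropy of the leftmost label, where encoded payload usually sits
            stats["entropies"].append(shannon_entropy(prefix.split(".")[0]))
        stats["max_len"] = max(stats["max_len"], len(host))
        stats["images"].add(row.get("Image", ""))

    findings = {}
    for dom, s in per_domain.items():
        reasons = []
        if len(s["subdomains"]) > MAX_UNIQUE_SUBDOMAINS:
            reasons.append("subdomain_count")
        mean_ent = (sum(s["entropies"]) / len(s["entropies"])) if s["entropies"] else 0.0
        if mean_ent > MIN_MEAN_LABEL_ENTROPY:
            reasons.append("label_entropy")
        if s["max_len"] > MAX_HOSTNAME_LENGTH:
            reasons.append("long_hostname")
        if reasons:
            findings[dom] = {
                "reasons": reasons,
                "unique_subdomains": len(s["subdomains"]),
                "mean_entropy": round(mean_ent, 2),
                "max_hostname_length": s["max_len"],
                "images": sorted(s["images"]),
            }
    return findings


def build_sample_export() -> str:
    """Constructed sample in a Sysmon-like CSV shape (column names assumed):
    a few benign lookups plus 25 pseudo-random labels under one domain, the
    pattern a DNS tunnel leaves behind in a query log."""
    rows = ["UtcTime,Image,QueryName"]
    for i, h in enumerate(["www.contoso.test", "mail.contoso.test", "login.contoso.test"]):
        rows.append(f"2024-01-01 10:00:{i:02d},C:\\Windows\\System32\\svchost.exe,{h}")
    for i in range(25):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()  # 64 hex chars
        rows.append(f"2024-01-01 10:01:{i:02d},C:\\Users\\user\\tunnel.exe,{label}.example.test")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for dom, finding in analyse(build_sample_export()).items():
        print(dom, finding)
```

Each finding keeps the originating process images so a triage analyst can pivot from the flagged domain to the process that issued the lookups; on real data the two assumed thresholds should be set from a baseline of the environment's normal query lengths and label entropy.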