Analytics Story: Host Redirection

Date: 2017-09-14 ID: 2e8948a5-5239-406b-b56b-6c50fe268af4 Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.

Why it matters

Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Clients Connecting to Multiple DNS Servers	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
DNS Query Requests Resolved by Unauthorized DNS Servers	DNS	TTP
Windows hosts file modification	None	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

References

https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/

Source: GitHub | Version: 1