Analytics Story: Host Redirection

Description

Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.

Why it matters

Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Clients Connecting to Multiple DNS Servers Exfiltration Over Unencrypted Non-C2 Protocol TTP
DNS Query Requests Resolved by Unauthorized DNS Servers DNS TTP
Windows hosts file modification None TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References


Source: GitHub | Version: 1