
Description

Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended, potentially one that is part of an adversary's attack infrastructure. Examples include redirecting communications for patches and updates, or misleading users into visiting a malicious website.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2017-09-14
  • Author: Rico Valdez, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c50fe268af4

Narrative

Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may modify the local hosts file to redirect communications with resources (such as antivirus or system-update services) so that clients stop receiving patches or signature updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim's traffic through a host they control in order to execute a man-in-the-middle (MITM) attack and observe or alter communications.

Detections

Name                                                     Technique                                                 Type
-------------------------------------------------------  --------------------------------------------------------  ----
Clients Connecting to Multiple DNS Servers               Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol  TTP
DNS Query Requests Resolved by Unauthorized DNS Servers  DNS                                                       TTP
Windows hosts file modification                          None                                                      TTP
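The narrative above describes the two redirection mechanisms this story covers (a tampered hosts file and clients answered by resolvers the organization does not control), and the table lists the three detections built on them. The following is an added example, not Splunk's own detection searches or any code from this story: it implements the logic of those three detections in Python over constructed sample data. The protected hostnames, the authorized resolver addresses, the sample hosts file and the DNS events are all assumptions made up for the example; the DNS events mimic the src/dest/query fields of the Network_Resolution data model. The hosts-file check inspects file content for pinned security or update hostnames, rather than the file-modification event the Splunk detection watches for.

```python
"""Added example: host-redirection checks over constructed sample data.

Not Splunk's detection code. Hostnames, resolver addresses and all sample
records below are assumptions constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Hostnames that should never be statically mapped in a hosts file, because
# redirecting them blocks patching/AV updates or hands clients to an attacker
# (assumed list).
PROTECTED_HOSTS = {
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "av-updates.example.com",
}

# DNS resolvers the organization sanctions (assumed values).
AUTHORIZED_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed Windows hosts file: legitimate loopback entries, one update host
# redirected to a routable address, one AV host sinkholed to loopback.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#    102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
203.0.113.45    windowsupdate.microsoft.com download.windowsupdate.com
127.0.0.1       av-updates.example.com
"""

# Constructed Network_Resolution-style events: (src, dest, query).
SAMPLE_DNS_EVENTS = [
    ("10.0.5.21", "10.0.0.53", "windowsupdate.microsoft.com"),
    ("10.0.5.21", "10.0.0.53", "login.example.com"),
    ("10.0.5.22", "10.0.0.53", "intranet.example.com"),
    ("10.0.5.22", "203.0.113.2", "windowsupdate.microsoft.com"),
    ("10.0.5.22", "198.51.100.9", "mail.example.com"),
    ("10.0.5.23", "10.0.1.53", "intranet.example.com"),
]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; not a mapping line
        for name in parts[1:]:  # one address may map several names
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_hosts_entries(text, protected=PROTECTED_HOSTS):
    """Hosts-file entries that pin a protected name to any address.

    A loopback mapping silently blocks updates; a routable mapping sends the
    client to attacker infrastructure. Both are reported.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if name in protected]


def clients_using_multiple_dns_servers(events, threshold=2):
    """Clients that queried `threshold` or more distinct DNS servers."""
    servers = defaultdict(set)
    for src, dest, _query in events:
        servers[src].add(dest)
    return {src: sorted(s) for src, s in servers.items() if len(s) >= threshold}


def queries_to_unauthorized_dns(events, authorized=AUTHORIZED_DNS):
    """DNS queries answered by a resolver outside the sanctioned set."""
    return [(src, dest, q) for src, dest, q in events if dest not in authorized]


if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS_FILE):
        print("hosts file redirect:", hit)
    for src, servers in clients_using_multiple_dns_servers(SAMPLE_DNS_EVENTS).items():
        print("multiple DNS servers:", src, servers)
    for hit in queries_to_unauthorized_dns(SAMPLE_DNS_EVENTS):
        print("unauthorized resolver:", hit)
```

On the sample data the hosts-file check flags both the routable redirect and the loopback sinkhole, and the two DNS checks converge on the same client (10.0.5.22), which is the kind of corroboration an analyst wants before treating a single odd resolver as malicious. In production the authorized-resolver set should come from DHCP/group-policy configuration rather than a hardcoded list, and the multiple-servers threshold should be tuned for hosts that legitimately roam between networks.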

Reference

Version: 1