Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended, potentially one that is part of an adversary's attack infrastructure. Examples include redirecting communications that carry patches and updates, or misleading users into visiting a malicious website.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Resolution
- Last Updated: 2017-09-14
- Author: Rico Valdez, Splunk
- ID: 2e8948a5-5239-406b-b56b-6c50fe268af4
Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.
| Detection | ATT&CK Technique | Type |
|---|---|---|
| Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | TTP |
| DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | TTP |
| Windows hosts file modification | None | TTP |
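The three detections in the table, as an added example written here rather than Splunk's own search logic: two run over constructed Network_Resolution-style events (client `src`, DNS server `dest`, queried name), and one parses a constructed Windows hosts file. The authorized resolver list, the watched patch/antivirus hostnames and all sample data are assumptions for the demo.

```python
from collections import defaultdict

# Constructed Network_Resolution-style events: src = client, dest = DNS server queried.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "10.0.0.53", "query": "update.example.com"},
    {"src": "10.0.0.7", "dest": "10.0.0.53", "query": "intranet.example.com"},
    {"src": "10.0.0.7", "dest": "203.0.113.9", "query": "update.example.com"},
    {"src": "10.0.0.7", "dest": "198.51.100.2", "query": "av.example.com"},
    {"src": "10.0.0.9", "dest": "203.0.113.9", "query": "login.example.com"},
]
AUTHORIZED_DNS = {"10.0.0.53", "10.0.0.54"}  # assumption: the enterprise resolvers

# Constructed sample of a Windows hosts file with two tampered entries.
SAMPLE_HOSTS = """# comment line
127.0.0.1 localhost
203.0.113.9 update.example.com   # update traffic sent to a foreign address
0.0.0.0 av.example.com           # antivirus host blackholed
"""
WATCHED_NAMES = {"update.example.com", "av.example.com"}  # assumption: patch/AV hosts
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

def clients_using_multiple_dns(events, threshold=2):
    """Clients that queried at least `threshold` distinct DNS servers."""
    servers = defaultdict(set)
    for e in events:
        servers[e["src"]].add(e["dest"])
    return {src: sorted(d) for src, d in servers.items() if len(d) >= threshold}

def queries_to_unauthorized_dns(events, authorized=AUTHORIZED_DNS):
    """Per client, each unauthorized server used and the names asked of it."""
    hits = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["dest"] not in authorized:
            hits[e["src"]][e["dest"]].add(e["query"])
    return {src: {d: sorted(q) for d, q in m.items()} for src, m in hits.items()}

def suspicious_hosts_entries(text, watched=WATCHED_NAMES):
    """Hosts-file entries that pin a watched name: blackholed or redirected."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name in watched:
                kind = "blackhole" if addr in BLACKHOLE else "redirect"
                findings.append((name, addr, kind))
    return findings
```

A hosts-file hit for a watched name is a finding whether it blackholes the name (clients silently stop receiving updates) or redirects it (clients talk to an address the adversary controls).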
source | version: 1