Analytics Story: Suspicious DNS Traffic

Description

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

Why it matters

Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Clients Connecting to Multiple DNS Servers Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detect Long DNS TXT Record Response Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detection of DNS Tunnels Exfiltration Over Unencrypted Non-C2 Protocol TTP
DNS Query Requests Resolved by Unauthorized DNS Servers DNS TTP
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly
DNS Query Length Outliers - MLTK DNS, Application Layer Protocol Anomaly
DNS Query Length With High Standard Deviation Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Excessive DNS Failures DNS, Application Layer Protocol Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1