Analytic Story: Suspicious DNS Traffic

Description

Attackers often attempt to hide within, or otherwise abuse, the Domain Name System (DNS). Monitoring for the kinds of abuse described here lets you detect and disrupt attempts to manipulate this omnipresent protocol.

Why it matters

Although DNS is one of the fundamental protocols that make the Internet work, it is often overlooked, perhaps because it is complex and because it usually just works. Attackers, however, have found ways to abuse the protocol to meet their objectives. One abuse is manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control, so that users intending to visit google.com, for example, land on an unrelated malicious website. Another is using DNS as a command-and-control channel for the attacker's malicious code, or encoding stolen data into query names to covertly exfiltrate it past controls that only inspect HTTP or SMB. A third, covered by the Kerberos-coercion and short-lived-DNS-record detections below, is creating or poisoning DNS records so that Windows hosts are forced to authenticate to an attacker-controlled system whose captured authentication can then be relayed. The searches within this Analytic Story look for these types of abuses.

Detections

Name                                                            Technique                                                            Type
Excessive Usage of NSLOOKUP App                                 Exfiltration Over Alternative Protocol                               Anomaly
DNS Query Length With High Standard Deviation                   Exfiltration Over Unencrypted Non-C2 Protocol                        Anomaly
Windows Kerberos Coercion via DNS                               DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay  TTP
DNS Exfiltration Using Nslookup App                             Exfiltration Over Alternative Protocol                               TTP
DNS Kerberos Coercion                                           DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay  TTP
Detect hosts connecting to dynamic domain providers             Drive-by Compromise                                                  TTP
Windows Short Lived DNS Record                                  DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay  TTP
Windows Credential Target Information Structure in Commandline  DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay  TTP
Excessive DNS Failures                                          DNS                                                                  Anomaly
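The three anomaly-style detections in the table (DNS Query Length With High Standard Deviation, Excessive Usage of NSLOOKUP App and Excessive DNS Failures) all reduce to per-host aggregates over DNS query events. The Python below is an added example written for this page, not the story's own Splunk searches: it computes those aggregates over a handful of constructed Sysmon EventID 22 (DnsQuery) style records (host, image, query name, response status) with thresholds chosen purely for illustration, and places the nslookup-based exfiltration pattern from the Why it matters section next to a benign host that only trips the failure count.

```python
"""Added example for this page (not Splunk's own searches): per-host DNS
aggregates behind three of the listed detections, run over constructed
Sysmon EventID 22 (DnsQuery) style records.  Thresholds are assumptions."""
import statistics
from collections import Counter, defaultdict

# Constructed sample, one query per line: host|image|query name|status.
# ws01: ordinary browsing and update traffic.
# ws02: base32-looking labels pushed through nslookup.exe under an
#       attacker zone (the exfiltration pattern from "Why it matters").
# ws03: a client repeatedly failing to resolve a WPAD name (noisy, benign).
SAMPLE_LOG = """\
ws01|C:\\Windows\\System32\\svchost.exe|www.google.com|NOERROR
ws01|C:\\Windows\\System32\\svchost.exe|mail.example.com|NOERROR
ws01|C:\\Program Files\\Mozilla Firefox\\firefox.exe|example.org|NOERROR
ws01|C:\\Program Files\\Mozilla Firefox\\firefox.exe|cdn.example.org|NOERROR
ws01|C:\\Windows\\System32\\svchost.exe|time.windows.com|NOERROR
ws01|C:\\Windows\\System32\\nslookup.exe|intranet.example.com|NOERROR
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDF.exfil.example.net|NXDOMAIN
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDFMZTWQ2LKNBSWY3DP.exfil.example.net|NXDOMAIN
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDFMZTWQ2LKNBSWY3DPEBXWYZLNMFXGI33O.exfil.example.net|NXDOMAIN
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDFMZTW.exfil.example.net|NXDOMAIN
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDFMZTWQ2LKNBSWY3DPEBXWYZLNMFXGI33OM5XXEZLT.exfil.example.net|NXDOMAIN
ws02|C:\\Windows\\System32\\nslookup.exe|MFRGGZDFMZTWQ2LK.exfil.example.net|NXDOMAIN
ws03|C:\\Windows\\System32\\svchost.exe|wpad.example.com|NXDOMAIN
ws03|C:\\Windows\\System32\\svchost.exe|wpad.example.com|NXDOMAIN
ws03|C:\\Windows\\System32\\svchost.exe|wpad.example.com|NXDOMAIN
ws03|C:\\Windows\\System32\\svchost.exe|wpad.example.com|NXDOMAIN
ws03|C:\\Windows\\System32\\svchost.exe|wpad.example.com|NXDOMAIN
"""


def parse_events(text):
    """Split the pipe-delimited sample into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, image, query, status = line.split("|")
        events.append({"host": host, "image": image.lower(),
                       "query": query, "status": status})
    return events


def query_length_stdev(events, min_queries=5):
    """Sample standard deviation of query-name length per host (the quantity
    Splunk's stats stdev() returns); hosts with too few queries are skipped."""
    lengths = defaultdict(list)
    for e in events:
        lengths[e["host"]].append(len(e["query"]))
    return {h: statistics.stdev(v) for h, v in lengths.items()
            if len(v) >= min_queries}


def nslookup_counts(events):
    """Number of queries issued by nslookup.exe, per host."""
    return Counter(e["host"] for e in events
                   if e["image"].endswith("\\nslookup.exe"))


def dns_failure_counts(events):
    """Number of queries that did not resolve (status other than NOERROR), per host."""
    return Counter(e["host"] for e in events if e["status"] != "NOERROR")


def run_detections(text, stdev_threshold=10.0, nslookup_threshold=5,
                   failure_threshold=5):
    """Map each detection name to the sorted hosts above its (assumed) threshold."""
    events = parse_events(text)
    return {
        "DNS Query Length With High Standard Deviation": sorted(
            h for h, s in query_length_stdev(events).items() if s > stdev_threshold),
        "Excessive Usage of NSLOOKUP App": sorted(
            h for h, n in nslookup_counts(events).items() if n >= nslookup_threshold),
        "Excessive DNS Failures": sorted(
            h for h, n in dns_failure_counts(events).items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    for name, hosts in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(hosts) or 'no hits'}")
```

Two caveats the sample is built to show. The third host trips only the failure count: a WPAD name that never resolves is a common benign source of NXDOMAIN storms, which is why that detection is classed as an Anomaly and is best corroborated with the nslookup and query-length signals. Conversely, an exfiltration tool that pads every label to a fixed size keeps the per-host standard deviation low, so the length-variance check should not be relied on alone either.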

Data Sources

Name                             Platform  Sourcetype                 Source
CrowdStrike ProcessRollup2       Other     crowdstrike:events:sensor  crowdstrike
Sysmon EventID 1                 Windows   XmlWinEventLog             XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688  Windows   XmlWinEventLog             XmlWinEventLog:Security
Sysmon EventID 22                Windows   XmlWinEventLog             XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5136  Windows   XmlWinEventLog             XmlWinEventLog:Security
Windows Event Log Security 5137  Windows   XmlWinEventLog             XmlWinEventLog:Security
Windows Event Log Security 4662  Windows   XmlWinEventLog             XmlWinEventLog:Security
Suricata                         Other     suricata                   not_applicable

Source: GitHub | Version: 2