Splunk - Hunting for threats in DNS
Understanding DNS exfiltration
When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel data out of the target environment to infrastructure they control, typically by encoding the data into query names or answers. You could hypothesize that the adversary might use DNS to either:
- Move sensitive files out of your organisation.
- Use it as a side channel for communications with malicious infrastructure.
With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers!
Hunting for threats in DNS
The searches below show some ways to detect anomalies in DNS traffic that fit the hypotheses above.
NOTE: Adjust the sourcetypes/tags/eventtypes to suit your environment.
Top 10 Clients by Volume of Requests
Capturing spikes or changes in client volumes may show early signs of data exfiltration.
tag=dns message_type="Query" | timechart span=1h limit=10 usenull=f useother=f count AS Requests by src
We begin with a simple search that helps us detect changes over time. The part of the search before the pipe returns the result set we are interested in (DNS query events), followed by the timechart command to visualise requests per client over time in one-hour time slices. limit=10 keeps the ten busiest clients and useother=f drops the rest, so the chart stays readable.
Clients generating a disproportionate number of queries compared with the rest of the organisation, or compared with their own history, may help to identify data transfers using DNS.
Requests by Resource Record Over Time
Changes in resource type behaviour for a client may point toward potential C&C or exfiltration activity. Pay particular attention to A records and TXT records: A-record lookups of long, encoded subdomains are a common way to send data out, and TXT answers can carry arbitrary text back in. However, don't restrict yourself to just these two resource types; other types can be abused in the same way.
tag=dns message_type="Query" | timechart span=1h count BY record_type
Building on the same dataset, we again use the timechart command, this time to visualise the record_type field over time in one-hour slices. This search can be used in conjunction with the previous one by adding a src filter for a client IP of interest to the base search, which lets us follow up on a client that stood out in the volume chart.
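The two searches above (requests per client over time, and requests per record type over time) can be reproduced offline to see what the resulting tables look like and to add the peer comparison the text hints at. The following Python script is an added example and is not code from the original post or from Splunk; it parses constructed key=value DNS log lines (not real traffic), recomputes the one-hour timechart buckets, and flags a client whose hourly volume or TXT share is out of line with its peers. The log format, the 10.0.0.x addresses and the tunnel.example.net domain are all made up for the example.

```python
"""Added example (not from the original post): the two Splunk searches recomputed
offline over constructed DNS log lines, plus a simple peer comparison."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median


def _line(ts, src, rtype, qname):
    return f"{ts} src={src} message_type=Query record_type={rtype} query={qname}"


def build_sample_logs():
    """Constructed sample data, not real traffic: four quiet clients and one
    client (10.0.0.99) that bursts long TXT queries during the 10:00 hour."""
    lines = []
    quiet = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"]
    for hour in (9, 10, 11):
        for src in quiet + ["10.0.0.99"]:
            for i in range(3):
                ts = f"2024-03-01T{hour:02d}:{i * 15:02d}:00Z"
                lines.append(_line(ts, src, "A", f"host{i}.example.com"))
    for i in range(20):
        label = f"{i:04x}" * 8  # long hex label, as a tunnelling encoder would produce
        ts = f"2024-03-01T10:{i * 2:02d}:30Z"
        lines.append(_line(ts, "10.0.0.99", "TXT", f"{label}.tunnel.example.net"))
    # One response event: the message_type filter must drop it.
    lines.append("2024-03-01T10:00:01Z src=10.0.0.5 message_type=Response "
                 "record_type=A query=host0.example.com")
    return "\n".join(lines)


def parse_dns_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a UTC _time field."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, _, rest = raw.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def _queries(events, src=None):
    # Splunk matches field values case-insensitively, so "Query" and "QUERY" behave alike.
    return [e for e in events
            if e.get("message_type", "").lower() == "query"
            and (src is None or e.get("src") == src)]


def hour_bucket(ts):
    """span=1h: truncate the timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def timechart_by_src(events, limit=10):
    """tag=dns message_type="Query" | timechart span=1h limit=10 useother=f count AS Requests by src
    limit keeps the N sources with the highest total count; useother=f drops the rest."""
    queries = _queries(events)
    totals = Counter(e["src"] for e in queries)
    keep = {src for src, _ in totals.most_common(limit)}
    chart = defaultdict(Counter)
    for e in queries:
        if e["src"] in keep:
            chart[hour_bucket(e["_time"])][e["src"]] += 1
    return {hour: dict(counts) for hour, counts in sorted(chart.items())}


def timechart_by_record_type(events, src=None):
    """tag=dns message_type="Query" [src=<ip>] | timechart span=1h count BY record_type"""
    chart = defaultdict(Counter)
    for e in _queries(events, src):
        chart[hour_bucket(e["_time"])][e["record_type"]] += 1
    return {hour: dict(counts) for hour, counts in sorted(chart.items())}


def peer_outliers(events, k=3.0):
    """Compare each client with its peers in the same hour: flag counts above
    median + k * MAD. The MAD is floored at 1 so an hour in which every peer is
    identical does not flag the smallest deviation."""
    flagged = []
    for hour, counts in timechart_by_src(events, limit=None).items():
        values = list(counts.values())
        med = median(values)
        mad = max(median([abs(v - med) for v in values]), 1.0)
        for src, n in sorted(counts.items()):
            if n > med + k * mad:
                flagged.append((hour, src, n))
    return flagged


def record_type_share(events, record_type="TXT"):
    """Fraction of each client's queries that use the given record type."""
    totals, hits = Counter(), Counter()
    for e in _queries(events):
        totals[e["src"]] += 1
        if e["record_type"] == record_type:
            hits[e["src"]] += 1
    return {src: hits[src] / totals[src] for src in totals}


if __name__ == "__main__":
    evts = parse_dns_events(build_sample_logs())
    for hour, counts in timechart_by_src(evts).items():
        print(hour, counts)
    print("outliers:", peer_outliers(evts))
    print("TXT share:", record_type_share(evts))
```

Running the script prints the hourly per-client table, the single flagged (hour, client, count) tuple for 10.0.0.99 in the 10:00 bucket, and a TXT share of about 0.69 for that client against 0.0 for its peers. The median/MAD comparison is one simple way to express "compared with their peers"; in Splunk the same idea can be built with eventstats over the timechart output, and the threshold k should be tuned against your own baseline before it is used for alerting.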
Spotting changes in behaviour early is a great way to reduce the impact of a compromised host. Using Splunk to search historical data helps to identify when a host was initially compromised and what it has been communicating with since.
A.K