Splunk - Hunting for threats in DNS

-

Understanding DNS exfiltration

When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel (exfiltrate) data from the target to their own host. You could hypothesize that the adversary might use DNS to either:

  • Move sensitive files out of your organisation.
  • Use it as a side channel for communications with malicious infrastructure. 

With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers!

 Hunting for threats in DNS

In the section below, there are showed some ways to detect weirdness with DNS based on the techniques highlighted above.

NOTE: Adjust the sourcetypes/tags/eventtypes to suit your environment.

Top 10 Clients by Volume of Requests

Capturing spikes or changes in client volumes may show early signs of data exfiltration.

tag=dns message_type="Query" 
| timechart span=1h limit=10 usenull=f useother=f count AS Requests by src

We begin with a simple search that helps us detect changes over time. The first line returns the result set we are interested in, followed by the timechart command to visualise requests over time in one-hour time slices.


Clients with an unnecessary number of events compared with the rest of the organisation may help to identify data transfers using DNS.

Requests by Resource Record Over Time

Changes in resource type behaviour for a client may point toward potential C&C or exfiltration activity. Carefully observe both A records and TXT records, as these are common techniques. However, don’t be blind-sided into just these two resource types!

tag=dns message_type="QUERY"
| timechart span=1h count BY record_type

Continuing to keep things steady for a start, we again begin with the same dataset and use the timechart command to visualise the record type field over time in one-hour slices. This search could be used in conjunction with the previous search by including a client IP of interest to help follow our hypothesis.

Spotting changes in behaviour early is a great way to reduce the impact of a compromised host. Using Splunk to search historical data helps to identify when a host was initially compromised and where it has been communicating with since.

 

Reference link

 A.K

 

 

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more