Friday, March 1, 2019

Cyber Threat Hunting in DNS Logs

DNS logs provide valuable insight into the queries and responses exchanged between endpoints and the network, and closely analysing them can reveal intrusion attempts. In this blog series we will discuss various hunting techniques that can be used in Splunk to detect potentially abnormal events.

From an ATT&CK perspective, the following tactic categories are applicable to DNS logs:
· Defense Evasion
· Persistence
· Command and Control
· Exfiltration
· Credential Access (note: Technique T1171)

CTH - DNS requests to public IP online resolution web services

Once malware has successfully implanted itself on a system, it will often look up the infected host's public IP address. Depending on that address and its location, the malware may decide either to operate fully or to restrict its activities. Below is the Splunk query to look for outbound requests to known online IP resolution web services.
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" (query="*myip*" OR query="*ipchicken*" OR query="*ipinfo*" OR query="*ipaddr*" OR query="*meineip*" OR query="*meuip*" OR query="*hostip*" OR query="*iptools*" OR query="*ipid*" OR query="*portchecktool*" OR query="*portquiz*" OR query="*canyouseeme*") NOT (query="*<excluded_domain>*") | iplocation dest | table _time, record_type, src_ip, dest_ip, Country, dest_port, query, answer
Depending on the field extractions, it may also be useful to look at zoneName and response_time.

CTH – DNS requests to suspicious or less common Top-Level Domains (TLD) used within the network.
Monitor for uncommon or suspicious top-level domains queried within the DNS logs.
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" (query="*.loan" OR query="*.gq" OR query="*.work" OR query="*.cf" OR query="*.ga" OR query="*.date" OR query="*.tokyo" OR query="*.ml" OR query="*.bid" OR query="*.gdn" OR query="*.country" OR query="*.stream" OR query="*.download" OR query="*.xin" OR query="*.mom" OR query="*.jetzt" OR query="*.vip" OR query="*.trade" OR query="*.review" OR query="*.wang") | iplocation query_ip | eval ThreatMiner="ThreatMiner" | eval VirusTotal="VirusTotal" | table _time, record_type, src_ip, query_ip, Country, query_port, query, answer

CTH – DNS Packet Size and Volume Distribution
Events with significant packet size and high volume may indicate exfiltration activity; the query below uses the length of the queried name as the size measure and ranks the longest queries by source and country.
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" message_type="Query" | iplocation src | search NOT (Country="Australia" OR Country="United States") | mvexpand query | eval queryLength=len(query) | fillnull value="unknown" Country | stats count by queryLength, src, Country | sort -queryLength, count | table src, Country, queryLength, count | head 1000

CTH – DNS – Beaconing Activity

This query looks for clients that show signs of beaconing out to C&C infrastructure. Beaconing occurs when a compromised host 'checks in' with the command infrastructure, typically waiting for new instructions or updates to the malicious software itself. The query measures the gap between consecutive requests for the same name and keeps names whose gaps are regular (low variance) and repeated (more than two requests).
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" message_type="Query" | iplocation src | search NOT (Country="Australia" OR Country="United States") | fields _time, query | streamstats current=f last(_time) as last_time by query | eval gap=last_time - _time | stats count avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) | sort -count | where VarianceBeaconTime < 60 AND count > 2 AND AverageBeaconTime > 1.000 | table query, VarianceBeaconTime, count, AverageBeaconTime
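As an added illustration (not part of the original post or its dashboard), the same per-name gap statistics and thresholds as the SPL above, computed in Python over a constructed list of (timestamp, queried name) pairs; the names and timestamps are made up.

```python
import statistics
from collections import defaultdict

# Constructed sample of (epoch seconds, queried name) pairs, not real log data.
# "c2-example.test" is polled roughly every 60 s; "www.example.org" is browsed irregularly.
SAMPLE_QUERIES = [
    (1000, "c2-example.test"), (1060, "c2-example.test"), (1120, "c2-example.test"),
    (1181, "c2-example.test"), (1240, "c2-example.test"),
    (1005, "www.example.org"), (1900, "www.example.org"), (1950, "www.example.org"),
    (1300, "one-off.example.net"),
]


def beacon_stats(events, max_variance=60.0, min_count=2, min_avg_gap=1.0):
    """Per queried name: count, mean and sample variance of the gap between
    consecutive queries, keeping only names that satisfy the same thresholds
    as the SPL 'where' clause (variance < 60, count > 2, average gap > 1 s)."""
    times_by_query = defaultdict(list)
    for t, name in events:
        times_by_query[name].append(t)

    flagged = {}
    for name, times in times_by_query.items():
        count = len(times)
        if count <= min_count:          # SPL: count > 2, also guarantees >= 2 gaps
            continue
        times.sort()                    # streamstats walks the events in time order
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = round(statistics.mean(gaps), 3)
        var_gap = round(statistics.variance(gaps), 3)   # Splunk var() is the sample variance
        if var_gap < max_variance and avg_gap > min_avg_gap:
            flagged[name] = {"count": count, "AverageBeaconTime": avg_gap,
                             "VarianceBeaconTime": var_gap}
    return flagged


if __name__ == "__main__":
    for name, stats in sorted(beacon_stats(SAMPLE_QUERIES).items(),
                              key=lambda kv: -kv[1]["count"]):
        print(name, stats)
```

The geolocation exclusion from the SPL is omitted here; only the timing logic is reproduced.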

CTH – DNS Requests to long domain names
Long domain names are a typical indicator to look into; there may be false positives that need to be filtered out.
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" | eval query_len=len(query) | where query_len > 30 | iplocation query_ip | table _time, record_type, src_ip, query_ip, Country, query_port, query, answer

CTH – DNS - Domains with High Number of sub domains
Encoded information could be transmitted via the sub-domain. Looking at the number of different sub-domains per domain may help identify command and control activity or exfiltration of data.
Splunk Query:
index=<index_name> sourcetype="<sourcetype_name>" NOT (query="*microsoft*" OR query="*amazon*" OR query="*bing*" OR query="*skype*" OR query="*bbc*" OR query="*elasticsearch*" OR query="*yammer*" OR query="*nexus*" OR query="*google*" OR query="*facebook*" OR query="*office*" OR query="*ucas*" OR query="*salesforce*" OR query="*<internal_domain>*") | rex field=query "(?P<AAA>.*?)\.(net|co\.uk|com|co|org|arpa)$" | rex field=AAA "\.?(?<rest>[^\.]*)$" | eval pos = if(len(rest) > 0, len(AAA) - len(rest), -1) | eval Host=substr(AAA,1,pos-1) | eval DomainName=substr(query,pos+1,len(query)) | stats dc(Host) AS HostsPerDomain BY DomainName | sort -HostsPerDomain
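As an added example (not from the original post or its dashboard), the host/domain split performed by the rex and substr chain above, and the distinct-hosts-per-domain count, written in Python over constructed query names; the suffix list and the allowlist are the ones from the SPL, and the sample names are made up.

```python
import re
from collections import defaultdict

# Same fixed suffix list as the SPL rex; a production version would use the full Public Suffix List.
SUFFIX_RE = re.compile(r"^(?P<aaa>.*?)\.(?P<suffix>net|co\.uk|com|co|org|arpa)$")

# Substring allowlist copied from the SPL NOT (...) clause.
ALLOWLIST = ("microsoft", "amazon", "bing", "skype", "bbc", "elasticsearch", "yammer",
             "nexus", "google", "facebook", "office", "ucas", "salesforce")

# Constructed sample queries, not real log data; exfil-example.net has many unique labels.
SAMPLE_QUERIES = [
    "a1b2c3d4.exfil-example.net", "e5f6a7b8.exfil-example.net", "c9d0e1f2.exfil-example.net",
    "www.example.org", "mail.example.org", "host.example.co.uk",
    "www.microsoft.com", "example.com", "printer.local",
]


def split_query(query):
    """Split a query name into (host, registered domain) as the SPL rex/substr chain does:
    AAA = everything before the suffix, rest = last label of AAA, Host = AAA minus rest.
    Returns None for names that do not end in one of the listed suffixes."""
    m = SUFFIX_RE.match(query.lower().rstrip("."))
    if not m:
        return None
    aaa, suffix = m.group("aaa"), m.group("suffix")
    rest = aaa.rsplit(".", 1)[-1]                    # registrable label, e.g. "example"
    host = aaa[: len(aaa) - len(rest)].rstrip(".")   # "" when the query is the bare domain
    return host, f"{rest}.{suffix}"


def hosts_per_domain(queries, allowlist=ALLOWLIST):
    """dc(Host) BY DomainName: distinct hostnames seen under each registered domain,
    sorted by count descending, with allowlisted names skipped."""
    hosts = defaultdict(set)
    for q in queries:
        if any(token in q.lower() for token in allowlist):
            continue
        parts = split_query(q)
        if parts is None:
            continue
        host, domain = parts
        hosts[domain].add(host)
    return sorted(((d, len(h)) for d, h in hosts.items()), key=lambda dh: (-dh[1], dh[0]))


if __name__ == "__main__":
    for domain, count in hosts_per_domain(SAMPLE_QUERIES):
        print(f"{count:4d}  {domain}")
```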

The following GitHub repository has the Splunk XML dashboard. Change the index and sourcetypes as required.