Last Updated: 2017-11-16 08:27:01 UTC
by Xavier Mertens (Version: 1)
Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network (example by using a DNS firewall). The ISC has also a page dedicated to domain names. But how can we detect potentially malicious DNS activity if domains are not (yet) present in a blocklist? The typical case is DGA’s of Domain Generation Algorithm used by some malware families.
I have a dashboard that helps me to keep track on the DNS activity on networks under my control. Here is a screenshot:
The dashboard contains the following searches:
“DNS Requests by Type”
This timeline represents the DNS traffic based on the queries (“A”, “AAAA”, “NS”, etc). A peak of “TXT” queries may indicate some data ex-filtration or DNS tunnelling ongoing.
“Top 20 Rare TLD’s”
With the explosion of new TLD’s (Top Level Domains), we see that some of them are mainly used by bad guys. Usually, the domain registration process is easy (free) or registrars protect the domain owner’s privacy. TLD’s are extracted from the queries via a regex (the string after the last ‘.’ character). The top-20 is sorted by the number of occurrences found.
“Very Long Domain Names”
In this case, the string before the last dot is extracted and its size checked. DGA or kill switch domain use very long random strings (do you remember the Wannacry case?
This search returns DNS queries that use a “suspicious” TLD’s based on a blocklist that I maintain. Some examples:
.pw .top .ga .cn .ru .co .ml
index=securityonion sourcetype=bro_dns [|getmispioc last=5d type=domain |rename value as qclass |fields qclass ] | rename qclass as Domain | stats count as Hits by Domain
To generate this dashboard, I’m using bro_dns logs indexed in a Splunk instance but there is nothing specific to this setup and the dashboard can be easily deployed on another system like an ELK stack.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant