Ahmed Sonbol

Finding odd DNS TXT records in Security Analytics

Blog Post created by Ahmed Sonbol Employee on May 27, 2016

This week security researchers at Palo Alto Networks revealed a new targeted attack by the APT group Wekby against a US-based organization. Unit42 named the malware used by the group as pisloader based on its metadata. Most notably pisloader uses DNS requests to communicate with its command and control server. In this blog post we will discuss how to use RSA Security Analytics reports to help an analyst in finding odd DNS requests.


First, you need to start by creating a rule in SA. In this use case, we are interested in DNS requests for a TXT record:





The rule builder can be used to filter the result set or add more meta values to it if necessary. Next, you need to add the rule to a report and schedule it to run on a regular basis.




I chose to schedule a daily report that looks for DNS requests for a TXT record in the past 24 hours:




When RSA FirstWatch ran pisloader malware samples in its sandbox, the binaries started to beacon to their C2 servers. This is how the DNS requests look in the newly created report:





An analyst can go through the result set of the newly created report to rule out any false positives and dig deeper into more suspicious ones.