I'm interested in getting feedback from the community on what tactics you're using to monitor DNS exfiltration and/or potential DNS based C2.
Only using packet decoders, but we leverage black lists to monitor for C2 lookups and have built a passive DNS profile in events view. Working on a fast flux ESA rule that'll look for domains hopping across different ASNs, but still working on the logic for it.
Is there any chance Netwitness will come out with a DGA detection parser? There's one that generates a meta value of 'consecutive consonants' but a parser that examines A queries, normalizes the alias.host value in the query, and then calculates an adjusted entropy score would be huge.
Michael Pochan, could you post the passive DNS events view column group either here or in another post? That would be helpful to others, I'm sure (at least as a starting point).
Here's our passive DNS view, which has several benefits (ip.src/dst redacted). First, this replicates most of what would normally be stored in the BIND query logs. The volume of query logs normally generated is so high that they become difficult to ingest in normal SIEMs. With this, we can track which client (internal or external) queried our resolvers for a specific domain. It also helps us track which domains resolved to which IPs at a certain date/time. The app rule for this is simple:
service = 53 && alias.host exists && alias.ip exists
Image showing the column groupings is at the bottom.
Michael, I like the idea about looking for the resolved IP across different ASNs vs. just looking for multiple IPs for a given hostname in a specific timeframe. If you'd like to talk about this more let me know.
No other current capabilities other than the 'consecutive consonants', and nothing officially on the roadmap w/DGA detection currently, but I've captured the feedback so it doesn't get lost.
Hi Michael P,
Check my post DGA Detection
I started some work on creating an entropy calculator for the ESA.
Thanks! I'll definitely check this out. It's exactly what we were looking for.
Sometimes the simple things work well. I often use some charts in a dashboard to show DNS activity. More than once I have found active malware beaconing and server misconfigurations using these charts.
The charts below show DNS lookup activity for 1 domain growing in volume over time. It was a Palevo C2 server.
What are the rules you used for these charts?
The rules for these charts rely on the DNS_verbose LUA parser.
select error where service = 53
select alias.host where (service = 53 && error='no name')
select alias.host where service = 53
select ip.dst where service=53
select ip.src where service=53
The DGA ones were based on a threat feed (which I think may have been deprecated):
select alias.host where threat.desc = 'c2-domain-dga'
select ip.src where threat.desc = 'c2-domain-dga'
Thank you. This is helpful.
I have some app rules for regex-based alias.host matches, whitelisting well-known domains, and looking at "large" session sizes/payloads.
I'm working on a dashboard right now as well. We have issues using DNS logs as our DNS servers only log new (non-cached) queries.
I also have problems with capturing all DNS traffic across the environment since our DNS servers are deep in our core and I'd have to collect all core traffic to process it. We're not currently scaled to handle that. At this time I just get the outbound DNS across the boundary (no "true" source IP, source is the DNS server).
I'm hoping to use the entropy function mentioned on here before within ESA to add more context to the outbound DNS data we have, will probably be better than simple regexes for consecutive consonants.
Michael Pochan - Also a cool idea about potentially using ASNs to detect fast flux. I'll have to look into that.
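As an added example (not code from this thread, from NetWitness, or from the ESA post linked above), this is the kind of scoring the DGA parser suggested earlier in the thread and the entropy function mentioned in the reply above would perform: normalize alias.host to its registrable label, then compute a length-adjusted entropy alongside the existing consecutive-consonant count. The small suffix table, the 0.9 threshold and the 10-character minimum are assumed starting values, and the sample hostnames are constructed.

```python
import math
from collections import Counter
# Assumption: a tiny two-level public-suffix table, not the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
VOWELS = set("aeiou")

def normalize_host(alias_host: str) -> str:
    # Reduce alias.host to its registrable label: 'WWW.Example.co.uk.' -> 'example'.
    # DGA domains put the random string here; DNS tunnelling puts it in the
    # lower labels, which this normalization deliberately drops.
    labels = alias_host.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(text: str) -> float:
    # Shannon entropy in bits per character.
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def adjusted_entropy(label: str) -> float:
    # Entropy divided by the maximum reachable for this length over the
    # 37-symbol hostname alphabet (a-z, 0-9, '-'), so the score is 0..1 and
    # short and long labels can share one threshold.
    n = len(label)
    return 0.0 if n < 2 else shannon_entropy(label) / math.log2(min(n, 37))

def max_consecutive_consonants(label: str) -> int:
    # Longest run of consonant letters (the existing 'consecutive consonants' idea).
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def score_query(alias_host: str, threshold: float = 0.9, min_len: int = 10) -> dict:
    # threshold and min_len are assumed starting points; tune them against
    # your own passive DNS baseline before alerting on them.
    label = normalize_host(alias_host)
    adj = adjusted_entropy(label)
    return {"label": label, "adjusted_entropy": round(adj, 3),
            "consonant_run": max_consecutive_consonants(label),
            "flagged": len(label) >= min_len and adj >= threshold}

# Constructed sample alias.host values, not real observed domains.
SAMPLE_QUERIES = ["WWW.Google.com.", "cdn.example.co.uk", "qwertyuiopasdfgh.com"]
for q in SAMPLE_QUERIES:
    print(q, score_query(q))
```

Because the score is computed on the registrable label only, it targets DGA-style C2 domains; exfiltration that encodes data in long subdomain labels needs the same entropy applied to the leading labels instead.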
Thanks everyone for your feedback here!