AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Splunk eval concatenate8/22/2023 Requests by Resource Record Over TimeĬhanges in resource type behaviour for a client may point toward potential C&C or exfiltration activity. The first line returns the result set we are interested in, followed by the timechart command to visualise requests over time in one-hour time slices.Ĭlients with an unnecessary number of events compared with the rest of the organisation may help to identify data transfers using DNS. We begin with a simple search that helps us detect changes over time. | timechart span=1h limit=10 usenull=f useother=f count AS Requests by src You may need to adjust the sourcetypes/tags/eventtypes to suit your environment! Top 10 Clients by Volume of RequestsĬapturing spikes or changes in client volumes may show early signs of data exfiltration. NOTE: As always, we write our searches to be common information model (CIM) compliant. In the section below, I will show you some ways to detect weirdness with DNS based on the techniques highlighted above. (Visit each commands’ Docs page for more specific information.) Hunting for threats in DNS These are adversary techniques we can craft searches for in Splunk using commands like stats, timechart, table, stdev, avg, streamstats. Substitution of domains to very slightly altered domains, as in typosquatting.Variability in the frequency of requests, such as beaconing activity to C&C.Variance in the length of the request, indicating DGA or encoded/obfuscated data stream.Change in the type of resource records we see, e.g., TXT records from hosts that don’t typically send them.Increase in volume of requests by the client, indicating command & control or data movement.For example, if your hosts are compromised they may show changes in DNS behaviour like: Signs you’re experiencing DNS exfiltrationĪre you a victim of DNS exfiltration? There are many questions you can use to support your hypotheses. ” Note* All of the searches below were tested on the BOTSv1 data found here. If you want to follow along at home and are in need of some sample data, then consider looking at the “ BOTS V3 dataset on GitHub”. If the work of my esteemed colleagues just isn’t your bag, then I’m sure they won’t take it personally.much.Įither way, let me tell you that these can all be excellent sources of data: conf presentation, Hunting the Known Unknowns (with DNS) then check it out - it's a treasure trove of information. If you're already sucking DNS data into Splunk, that's awesome! However, if you’re not and you haven't seen Ryan Kovar and Steve Brant's. With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers! Where do we find DNS data? Use it as a side channel for communications with malicious infrastructure.Move sensitive files out of your organisation.You could hypothesize that the adversary might use DNS to either: When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel (exfiltrate) data from the target to their own host. We’ve updated it recently to maximize your value.) Understanding DNS exfiltration (This article is part of our Threat Hunting with Splunk series and was originally written by Derek King. So, let’s create a hypothesis! In this article, we’ll deal with the perennial topic of DNS exfiltration and we’ll show some awesome visualizations,hunting and slaying techniques. Since you've been an avid reader of Threat Hunting with Splunk: The Basics, you all know that good hunting starts with a hypothesis or two. In fact, people have been using DNS data and Splunk to find bad stuff in networks for nearly two decades! Yes, you did because Splunk can be used to detect and respond to DNS exfiltration. It doesn’t take long before the beardy dude or cyber lady says, “Yeah.they used DNS to control compromised hosts and then exfiltrated your data.”Īs you reflect on this event, you think, “Did I even have a chance against that kind of attack?” Oh no! You’ve been hacked, and you have experts onsite to identify the terrible things done to your organization.
0 Comments
Read More
Leave a Reply. |