This blog post is part fifteen of the "Hunting with Splunk: The Basics" series.

Derek King, our security brother from England, has chosen to write on a subject near and dear to my heart: DNS. I've been using Splunk and DNS data to find badness in networks since 2011 and I continually find new methods and approaches. Derek deals up some oldies but goodies, shows some awesome visualizations, and then brings some new slaying techniques to the adversary battle.

Oh no! You've been hacked, and you have experts onsite to identify the terrible things done to your organization. It doesn't take long before the beardy dude or cyber lady says, "Yeah...they used DNS to control compromised hosts and then exfiltrated your data." As you reflect on this event, you think, "Did I even have a chance against that kind of attack?"

Yes, you did, because Splunk can be used to detect and respond to DNS exfiltration.

Since you've been an avid reader of the "Hunting with Splunk: The Basics" series, you all know that good hunting starts with a hypothesis or two. You could hypothesize that the adversary might use DNS to move sensitive files out of your organisation or use it as a side channel for communications with malicious infrastructure. With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or their peers!

## Where Do We Find the Data?

If you're already sucking DNS data into Splunk, that's awesome! However, if you're not and you haven't seen Ryan Kovar and Steve Brant's .conf2015 presentation, "Hunting the Known Unknowns (with DNS)," then read it; it's a treasure trove of information. If the work of my esteemed colleagues just isn't your bag, then I'm sure they won't take it personally...much. If that's the case, let me tell you that Windows DNS debug logging, Bro DNS and Splunk's Stream can all be excellent sources of data.

If you want to follow along at home and are in need of some sample data, then consider looking at the "Splunk Security Dataset Project." All of the searches below were tested on the BOTSv1 data.

There are many questions you can use to support your hypotheses. For example, if your hosts are compromised they may show changes in DNS behaviour like:

- Increase in volume of requests by the client (indicating C&C or data movement).
- Change in the type of resource records we see (e.g., TXT records from hosts that don't typically send them).
- Variance in the length of the request (indicating DGA or an encoded/obfuscated data stream).
- Variability in the frequency of requests (beaconing activity to C&C).
- Substitution of domains with very slightly altered domains (typo-squatting).

These are adversary techniques we can craft searches for in Splunk using commands like stats, timechart, table, stdev, avg and streamstats. In the section below, I will show you some ways to detect weirdness with DNS based on the techniques highlighted above.

## Top 10 Clients by Volume of Requests

Capturing spikes or changes in client volumes may show early signs of data exfiltration. Clients with an unusually high number of events compared with the rest of the organisation may help to identify data transfers using DNS.

We begin with a simple search that helps us detect changes over time.

```
| timechart span=1h limit=10 usenull=f useother=f count AS Requests by src
```

The first line of the search (the base search selecting the DNS events) returns the result set we are interested in, followed by the timechart command to visualise requests over time in one-hour time slices.

## Requests by Resource Record Over Time

Changes in resource type behaviour for a client may point toward potential C&C or exfiltration activity. Both A records and TXT records should be observed carefully as these are common techniques. However, don't be blind-sided into just these two resource types!

Continuing to keep things steady for a start, we again begin with the same dataset and use the timechart command to visualise the record type field over time in one-hour slices. This search could be used in conjunction with the previous search by including a client IP of interest to help follow our hypothesis.

## Packet Size & Volume Distribution

Events that have significant packet size and high volumes may identify signs of exfiltration activity. Using Splunk to search historical data helps to identify when a host was initially compromised and who it has been communicating with since. Spotting changes in behaviour early is a great way to reduce the impact of a compromised host.
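The two timechart searches above can be prototyped outside Splunk on raw DNS records, which is handy for checking what a search should return before running it over a large index. The Python below is an added example, not code from Derek's post and not BOTSv1 data: it emulates `timechart span=1h limit=10 usenull=f useother=f count by src` and the record-type variant over a constructed handful of Stream-style events, and adds a small peer comparison that flags a client whose hourly request count dwarfs the median of the other clients in the same hour (the "compared to their peers" idea from the hypothesis section). The event field layout, the outlier factor and all sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample DNS events (timestamp, src, query, record_type) in the
# shape of a Stream/Bro DNS record. Made-up values, not BOTSv1 data.
EVENTS = [
    ("2016-08-10T08:05:12Z", "10.0.1.5", "www.example.com",     "A"),
    ("2016-08-10T08:20:40Z", "10.0.1.6", "mail.example.com",    "A"),
    ("2016-08-10T08:41:03Z", "10.0.1.7", "cdn.example.net",     "AAAA"),
    ("2016-08-10T09:02:55Z", "10.0.1.5", "www.example.com",     "A"),
    ("2016-08-10T09:15:10Z", "10.0.1.6", "updates.example.org", "A"),
    ("2016-08-10T09:30:00Z", "10.0.1.7", "cdn.example.net",     "A"),
    ("2016-08-10T10:05:00Z", "10.0.1.5", "www.example.com",     "A"),
    ("2016-08-10T10:25:00Z", "10.0.1.6", "mail.example.com",    "A"),
    ("2016-08-10T10:45:00Z", "10.0.1.7", "cdn.example.net",     "AAAA"),
]
# 10.0.1.9 suddenly issues a TXT query every two minutes during the 10:00 hour
# (constructed burst, 30 events).
EVENTS += [
    ("2016-08-10T10:%02d:00Z" % m, "10.0.1.9", "c%02d.data.example-c2.test" % m, "TXT")
    for m in range(0, 60, 2)
]

FIELDS = {"src": 1, "record_type": 3}   # tuple positions (assumed layout)

def hour_bucket(ts):
    """Floor an ISO-8601 UTC timestamp to the hour, like `timechart span=1h`."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")

def timechart_count_by(events, field, limit=10, src=None):
    """Emulate `timechart span=1h limit=<limit> usenull=f useother=f count by <field>`.
    Returns {hour: {value: count}} restricted to the `limit` most frequent values
    overall; useother=f drops the rest instead of lumping them into OTHER, and
    usenull=f drops events where the field is missing. Passing src narrows the
    result set to one client IP first (the "client IP of interest" variant)."""
    idx = FIELDS[field]
    rows = [e for e in events if src is None or e[1] == src]
    top = {v for v, _ in Counter(e[idx] for e in rows if e[idx] is not None).most_common(limit)}
    chart = defaultdict(Counter)
    for e in rows:
        if e[idx] in top:
            chart[hour_bucket(e[0])][e[idx]] += 1
    return {h: dict(c) for h, c in sorted(chart.items())}

def peer_outliers(chart, factor=5.0):
    """Flag (hour, src, count) where a client's hourly count exceeds `factor`
    times the median count of its peers in the same hour (factor is assumed)."""
    flagged = []
    for hour, counts in chart.items():
        for src, n in counts.items():
            peers = [c for s, c in counts.items() if s != src]
            if peers and n > factor * median(peers):
                flagged.append((hour, src, n))
    return flagged

if __name__ == "__main__":
    by_src = timechart_count_by(EVENTS, "src", limit=10)
    for hour, counts in by_src.items():
        print(hour, counts)
    print("outliers:", peer_outliers(by_src))
    print(timechart_count_by(EVENTS, "record_type", src="10.0.1.9"))
```

Running it prints three hourly rows with one client at 30 requests in the 10:00 hour against a median of 1 for its peers, and the record-type chart for that client shows the burst is entirely TXT; that is the same picture the two Splunk timecharts give, reduced to a handful of rows.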
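The hypothesis list earlier in the post (request volume, record type, query length, request frequency and typo-squatting) maps onto per-client statistics, which is what the stats, avg, stdev and streamstats commands named above compute in Splunk. The Python below is an added example, not code from the post: it builds the equivalent of `stats count avg(len) stdev(len) sum(bytes) by src` plus a streamstats-style inter-arrival delta, applies threshold checks for long queries, TXT-heavy traffic and beacon-like regular intervals, and screens query names for look-alikes of a watched domain by edit distance. The event layout, the thresholds and the "last two labels" notion of registered domain are assumptions; a production version should use a proper public-suffix-aware domain extraction and thresholds tuned to the environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS events as (epoch seconds, src, query name, record type, bytes),
# in the shape of a Stream DNS record. Made-up values, not BOTSv1 data.
#   10.0.2.10 is an ordinary workstation.
#   10.0.2.20 sends a long TXT query every 60 s: the encoded-stream/beacon pattern.
#   10.0.2.30 resolves look-alikes of a domain we care about (typo-squatting).
T0 = 1470816000  # 2016-08-10T08:00:00Z
EVENTS = [
    (T0 + 0,    "10.0.2.10", "www.example.com",      "A",    64),
    (T0 + 37,   "10.0.2.10", "mail.example.com",     "A",    66),
    (T0 + 1312, "10.0.2.10", "intranet.example.com", "AAAA", 70),
    (T0 + 2900, "10.0.2.10", "updates.example.com",  "A",    70),
    (T0 + 400,  "10.0.2.30", "www.examp1e.com",      "A",    64),
    (T0 + 900,  "10.0.2.30", "login.exarnple.com",   "A",    66),
]
EVENTS += [
    (T0 + 60 * i, "10.0.2.20",
     "%s%03d.tunnel.example-c2.test" % ("a8f3e1" * 5, i), "TXT", 220)
    for i in range(20)
]

def client_profiles(events):
    """Per-client summary, the equivalent of
    `stats count avg(len) stdev(len) sum(bytes) by src`, plus a streamstats-style
    delta between consecutive requests of the same client."""
    by_src = defaultdict(list)
    for ev in sorted(events):           # time order so deltas are meaningful
        by_src[ev[1]].append(ev)
    profiles = {}
    for src, rows in by_src.items():
        lengths = [len(r[2]) for r in rows]
        deltas = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        profiles[src] = {
            "count": len(rows),
            "avg_len": mean(lengths),
            "stdev_len": pstdev(lengths),
            "txt_share": sum(r[3] == "TXT" for r in rows) / len(rows),
            "bytes": sum(r[4] for r in rows),
            "avg_delta": mean(deltas) if deltas else None,
            "stdev_delta": pstdev(deltas) if deltas else None,
        }
    return profiles

def flag_clients(profiles, max_avg_len=40, max_txt_share=0.5, beacon_cv=0.1, min_count=10):
    """Apply thresholds (assumed; tune to your environment) and return {src: [reasons]}."""
    flags = {}
    for src, p in profiles.items():
        reasons = []
        if p["avg_len"] > max_avg_len:
            reasons.append("long_queries")
        if p["txt_share"] > max_txt_share:
            reasons.append("txt_heavy")
        if (p["count"] >= min_count and p["avg_delta"]
                and p["stdev_delta"] / p["avg_delta"] < beacon_cv):
            reasons.append("beaconing")   # near-constant interval between requests
        if reasons:
            flags[src] = reasons
    return flags

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_queries(events, watched, max_distance=2):
    """Return (src, query, watched domain) for queries whose registered domain
    (assumed here to be the last two labels) is within `max_distance` edits of a
    watched domain without being that domain."""
    hits = []
    for ev in events:
        domain = ".".join(ev[2].split(".")[-2:])
        for w in watched:
            if domain != w and edit_distance(domain, w) <= max_distance:
                hits.append((ev[1], ev[2], w))
    return hits

if __name__ == "__main__":
    profiles = client_profiles(EVENTS)
    for src, p in profiles.items():
        print(src, p)
    print("flagged:", flag_clients(profiles))
    print("look-alikes:", lookalike_queries(EVENTS, ["example.com"]))
```

The workstation never trips a check (average query length 17.5, no TXT, irregular timing), the tunnelling client trips all three, and the two look-alike queries surface because their registered domain sits within two edits of the watched one. The beacon check divides the standard deviation of the inter-arrival time by its mean, so it scales with the beacon period instead of needing a fixed interval.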