
DNS traffic monitoring for malicious activity

DNS traffic on port 53 is not suspicious in itself.

But in a closed environment we can conclude that only the internal DNS servers should communicate with outside DNS servers.
In an open environment we will be looking for queries to known-malicious domain names.
Endpoint PCs and users' computers have no need to send DNS queries on port 53 directly to the outside world; they should resolve through the internal DNS servers.

Such traffic could indicate a suspicious computer that is infected with malware.
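As an added example (not code from the original post), here is the check the policy above implies, run over constructed firewall log lines: any internal host other than an approved DNS server that sends port 53 traffic to an outside address is flagged. The approved resolver addresses, the internal ranges and the key=value log layout are assumptions for the example, not any vendor's real format.

```python
import ipaddress

# Assumption: the only internal hosts allowed to talk to external DNS servers.
# These addresses are hypothetical; substitute your own resolvers/forwarders.
APPROVED_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}

# Address ranges treated as "inside" the environment (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample firewall log in a generic key=value layout (not any vendor's
# real format). Lines 3 and 4 are the ones the rule should flag.
SAMPLE_FIREWALL_LOG = """\
src=10.0.0.53 dst=8.8.8.8 proto=udp sport=51234 dport=53 action=allow
src=10.0.5.17 dst=10.0.0.53 proto=udp sport=49211 dport=53 action=allow
src=10.0.5.17 dst=198.51.100.7 proto=udp sport=49213 dport=53 action=allow
src=10.0.7.42 dst=203.0.113.9 proto=tcp sport=40012 dport=53 action=allow
src=10.0.7.42 dst=203.0.113.9 proto=tcp sport=40013 dport=443 action=allow
src=10.0.1.53 dst=1.1.1.1 proto=udp sport=50001 dport=53 action=allow
"""


def parse_kv(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_external(ip):
    """True if the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rogue_dns_clients(lines, approved=APPROVED_DNS_SERVERS):
    """Return (src, dst, proto) for DNS (port 53) flows to the outside world
    whose source is not an approved DNS server.

    TCP is included on purpose: zone transfers, large responses and some
    tunnelling tools use DNS over TCP."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_kv(line)
        if rec.get("dport") != "53":
            continue
        if rec["src"] in approved:
            continue  # the resolvers are allowed to talk outside
        if not is_external(rec["dst"]):
            continue  # query to the internal resolver: expected
        hits.append((rec["src"], rec["dst"], rec["proto"]))
    return hits


if __name__ == "__main__":
    for src, dst, proto in find_rogue_dns_clients(SAMPLE_FIREWALL_LOG.splitlines()):
        print(f"ALERT: {src} sent DNS ({proto}) directly to {dst}")
```

On a real firewall the same logic is a single rule (source not in the resolver group, destination port 53, destination zone untrust); the script is the same check expressed over exported logs so that the hits can be fed to the SIEM.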

There is malware that replaces the hosts file on an endpoint or server so that the infected machine can reach its command-and-control (C&C) server. Note that names resolved from the hosts file never reach the DNS server, so this technique is not visible in DNS server logs; it has to be caught by monitoring the hosts file itself.

An infected machine can then generate malicious traffic, for example sending spam over SMTP or downloading further harmful files.

We have several options to monitor this kind of traffic:

1. Traffic analysis on the firewall: generate a report, or a rule, that looks for traffic to port 53 on the outside world from any internal host that is not an approved DNS server.

2. Advanced users can enable DNS debug logging on the DNS server; the information is saved in a simple text log file.

The file should be monitored for changes and every new entry forwarded to the SIEM server.
The debug log writes each name as length-prefixed labels, for example (4)imap(5)gmail(3)com(0); using a regular expression we turn that back into something more understandable, imap.gmail.com.

Using those methods we can identify enterprise machines that are trying to communicate with unapproved or suspicious domains.

DNS server debug logging is enabled in the DNS Manager console (server Properties, Debug Logging tab). The configuration looks like this:


Once it is configured, the data is written to c:\windows\system32\dns\dns.log; when that file starts growing you know it's working. The output looks like this:

Windows Server 2012 supports better DNS logging (analytic event logging):
https://technet.microsoft.com/en-us/library/dn800669.aspx

Example of how DNS logging looks on Windows Server 2012:


Using DNS logging and IBM QRadar

Configure DNS debug logging and enable it according to the above.
Monitor %systemroot%\system32\dns\dns.log using an agent such as ALE (Adaptive Log Exporter) or WinCollect.
Any update to the log should be sent to QRadar SIEM.
The log arrives in an unusable form, for example (4)imap(5)gmail(3)com(0).
There is no way to use the custom properties regular expression to substitute the (n) length prefixes with dots.
That means we can't compare a reference entry such as google.com with (6)google(3)com(0).

To solve this problem we can use an LSX (Log Source Extension) template to parse the log and substitute the (n) prefixes with dots.
We can't use custom properties in an LSX template and must map the value to one of the sixteen standard fields; I have used UserName as the field, which is easy to compare.

Download the DSM here.

Next step:

Use a threat intelligence application or the QRadar API to update a reference set with malicious domains.
Build a building block (BB) or rule that monitors the DNS logs and compares the resolved name against the reference set.
Alert when it triggers.
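The substitution the LSX template performs, and the reference set comparison the rule performs, as an added example that is not part of the original post or of the QRadar DSM: the decoder turns the length-prefixed labels of dns.log back into dotted names, and the matcher flags any received query whose name is a listed domain or a subdomain of one. The sample log lines are constructed (modelled on the dns.log layout, not copied from a real server), evil.example.com is a made-up domain and the reference set is hypothetical.

```python
import re

# Regex for one line of the Windows DNS server debug log (dns.log). Layout
# modelled on the real log: timestamp, thread id, PACKET, packet address,
# protocol, Snd/Rcv, remote IP, XID, optional "R" for responses, opcode,
# [flags], query type and the name in length-prefixed label form.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+)\s+(?P<tid>[0-9A-F]+)\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<client>[0-9A-Fa-f.:]+)\s+"
    r"(?P<xid>\w+)\s+(?P<resp>R)?\s*Q\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# Constructed sample lines; evil.example.com is a made-up domain.
SAMPLE_DNS_LOG = """\
3/7/2016 10:15:02 AM 0A5C PACKET  00000000028E9D70 UDP Rcv 10.0.5.17       0002   Q [0001   D   NOERROR] A      (4)imap(5)gmail(3)com(0)
3/7/2016 10:15:02 AM 0A5C PACKET  00000000028E9D70 UDP Snd 10.0.5.17       0002 R Q [8081   DR  NOERROR] A      (4)imap(5)gmail(3)com(0)
3/7/2016 10:15:09 AM 0A5C PACKET  00000000028EA1B0 UDP Rcv 10.0.7.42       0003   Q [0001   D   NOERROR] A      (3)cnc(4)evil(7)example(3)com(0)
3/7/2016 10:15:11 AM 0A5C PACKET  00000000028EA2C0 UDP Rcv 10.0.7.42       0004   Q [0001   D   NOERROR] TXT    (2)x1(4)evil(7)example(3)com(0)
"""

# Hypothetical reference set, as a threat-intel feed would populate it.
MALICIOUS_DOMAINS = {"evil.example.com"}

LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_labels(wire_name):
    """Turn '(4)imap(5)gmail(3)com(0)' into 'imap.gmail.com'.

    Each label is preceded by its length and the name ends with (0). The
    length is checked against the label so a truncated or tampered line
    is rejected (None) rather than silently mis-decoded."""
    pairs = LABEL_RE.findall(wire_name)
    if not pairs or pairs[-1][0] != "0":
        return None
    labels = []
    for length, label in pairs:
        if int(length) != len(label):
            return None
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_debug_log(text):
    """Yield (client_ip, qtype, dotted_name) for received queries only.
    Responses (the R flag) and unparsable lines are skipped so each lookup
    is counted once."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        name = decode_labels(m.group("name"))
        if name is None:
            continue
        yield m.group("client"), m.group("qtype"), name


def match_reference_set(queries, bad_domains=MALICIOUS_DOMAINS):
    """Return the queries whose name is a listed domain or a subdomain of one
    (a C&C usually uses a fresh hostname under the same registered domain)."""
    bad = {d.lower().rstrip(".") for d in bad_domains}
    hits = []
    for client, qtype, name in queries:
        n = name.lower().rstrip(".")
        if n in bad or any(n.endswith("." + d) for d in bad):
            hits.append((client, qtype, name))
    return hits


if __name__ == "__main__":
    for client, qtype, name in match_reference_set(parse_debug_log(SAMPLE_DNS_LOG)):
        print(f"ALERT: {client} queried {qtype} {name}")
```

The suffix match is what makes the reference set usable: a list entry of evil.example.com catches cnc.evil.example.com and the TXT query for x1.evil.example.com, whereas an exact-string rule on the raw (3)cnc(4)evil... text would miss both. The same decoding is what the LSX template has to reproduce before the value lands in the standard field that the rule compares.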

Windows Server 2012

Simpler: configure DNS analytic logging, which writes the data to the event log, and monitor %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.

Send the data to QRadar SIEM and configure a universal DSM.
Log the data and parse it accordingly, using custom properties with regular expressions; this works here because the analytic events record the query name in normal dotted form, so no substitution is needed.
Use a threat intelligence application or the QRadar API to update a reference set with malicious domains.
Build a building block (BB) or rule that monitors the DNS logs and compares against the reference set.
Alert when it triggers.

If you have any problems you are welcome to mail us.

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
