DNS traffic monitoring for malicious activity

DNS traffic on port 53 is not suspicious in itself.

But in a closed environment we can conclude that only DNS servers should communicate with other DNS servers on the outside.
In an open environment we will be looking for malicious DNS URLs.
Endpoint PCs, the users' computers, do not need to send DNS queries directly to the outside on port 53.

This kind of traffic could indicate a suspicious computer that is infected with malware.

There is malware that replaces the hosts list on an endpoint server or computer so that the infected machine can communicate with its C&C.

An infected machine can transfer malicious traffic using SMTP or by downloading harmful files.

We have options to monitor this kind of traffic:

1. Traffic analysis, e.g. on the firewall: generate a report or rule that looks for traffic on port 53 to the outside world.

2. Advanced users can activate DNS debug mode; the information will be saved in a simple log or text file.

The file should be monitored for any change and the information sent to the SIEM server.
Using regular expressions we transform the data into something more understandable, like imap.gmail.com instead of imap (1) gmail (0) com (0).

Using these methods we can determine which enterprise machines are trying to communicate with unapproved or suspicious URLs.

DNS server debugging configuration looks like this:

[Screenshot: DNS server debug logging configuration]

Once configured, the data is written to c:\windows\system32\dns\dns.log; when that file is being written, you know it is working (the output looks like the imap (1) gmail (0) com (0) example in the QRadar section below).

Windows Server 2012 supports better DNS logging:
https://technet.microsoft.com/en-us/library/dn800669.aspx

Example of what DNS logging looks like on Windows Server 2012:

[Screenshot: DNS logging on Windows Server 2012]

Using DNS logging and QRadar

Configure and enable DNS debugging as described above.
Monitor %systemroot%/system32/dns/dns.log using an agent like ALE or WinCollect.
Any update to the log should be sent to the QRadar SIEM.
The log arrives in an unusable form, for example: imap (1) gmail (0) com (0).
There is no way to use a custom property regular expression to substitute the (0) with a dot.
This means we can't compare google.com with google(0)com(1).

To solve this problem we can use an LSX template to parse the log and substitute (0) with a dot.
Custom properties can't be used with an LSX template, so one of the sixteen standard fields must be used; I used the username field, which is easy to compare against.

Download the DSM here.

Next steps:

Use a threat intelligence application or the QRadar API to update a reference list with malicious URLs.
Build a BB or rule to monitor the DNS logs and compare them with the reference list.
Alert when triggered.
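As an added example (not code from the post, and not QRadar's LSX template or reference-set machinery), the Python below does the parse-and-compare step the procedure above describes: it turns the debug-log name notation into dotted domains, matches each client query against a reference list with suffix matching, and reports the querying client IP. The log lines and the malicious-domain list are constructed, and the record layout is assumed to follow the Windows DNS debug log format.

```python
import re

# Constructed sample lines in the Windows DNS debug log style (not taken from the post).
# The query name is written with label-length markers, e.g. (4)imap(5)gmail(3)com(0).
SAMPLE_LOG = """\
3/20/2017 10:15:02 AM 0A2C PACKET  000000E5A2B3C4D0 UDP Rcv 10.0.0.25  a1b2   Q [0001   D   NOERROR] A      (4)imap(5)gmail(3)com(0)
3/20/2017 10:15:03 AM 0A2C PACKET  000000E5A2B3C4D1 UDP Rcv 10.0.0.77  c3d4   Q [0001   D   NOERROR] A      (3)cdn(11)bad-example(3)net(0)
3/20/2017 10:15:04 AM 0A2C PACKET  000000E5A2B3C4D2 UDP Snd 10.0.0.77  c3d4 R Q [8081   DR  NOERROR] A      (3)cdn(11)bad-example(3)net(0)
"""

# Hypothetical reference list of malicious domains (the role the QRadar reference set plays).
MALICIOUS_DOMAINS = {"bad-example.net", "evil-test.org"}

# Pulls direction, client IP, the response flag 'R' and the raw query name out of a record.
QUERY_RE = re.compile(
    r"(?:UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\w+\s+(?P<resp>R)?\s*Q\s+\[.*?\]\s+(?P<qtype>\w+)\s+(?P<qname>\S+)"
)

def normalize_qname(qname: str) -> str:
    """Replace every '(n)' length marker with a dot: '(4)imap(5)gmail(3)com(0)' and the
    post's spaced rendering 'imap (1) gmail (0) com (0)' both become 'imap.gmail.com'."""
    return re.sub(r"\s*\(\d+\)\s*", ".", qname).strip(".").lower()

def is_listed(domain: str, reference: set):
    """Return the entry equal to the domain or a parent of it ('cdn.bad-example.net' hits 'bad-example.net')."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in reference:
            return candidate
    return None

def find_hits(log_text: str, reference: set) -> list:
    """Return (client_ip, queried_domain, matched_entry) for every client query that is listed."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("resp"):  # keep client queries only; skip the server's responses
            continue
        domain = normalize_qname(m.group("qname"))
        match = is_listed(domain, reference)
        if match:
            hits.append((m.group("client"), domain, match))
    return hits

if __name__ == "__main__":
    for client, domain, entry in find_hits(SAMPLE_LOG, MALICIOUS_DOMAINS):
        print(f"ALERT {client} queried {domain} (reference entry: {entry})")
```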

Windows Server 2012

Simpler: configure DNS logging so the data is written to Event Viewer, and monitor %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.

Send the data to the QRadar SIEM and configure a universal DSM.
Log the data and parse it accordingly, using custom properties with regular expressions.
Use a threat intelligence application or the QRadar API to update a reference list with malicious URLs.
Build a BB or rule to monitor the DNS logs and compare them with the reference list.
Alert when triggered.

If you have any problems you are welcome to mail me at: gregorin[@]qmasters.co.