My next class:

Suspicious Domains Tracking Dashboard

Published: 2017-11-16. Last Updated: 2017-11-16 08:27:01 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network (example by using a DNS firewall). The ISC has also a page[1] dedicated to domain names. But how can we detect potentially malicious DNS activity if domains are not (yet) present in a blocklist? The typical case is DGA’s of Domain Generation Algorithm[2] used by some malware families.

I have a dashboard that helps me to keep track on the DNS activity on networks under my control. Here is a screenshot:

The dashboard contains the following searches:

“DNS Requests by Type”

This timeline represents the DNS traffic based on the queries (“A”, “AAAA”, “NS”, etc). A peak of “TXT” queries may indicate some data ex-filtration or DNS tunnelling ongoing.

“Top 20 Rare TLD’s”

With the explosion of new TLD’s (Top Level Domains), we see that some of them are mainly used by bad guys. Usually, the domain registration process is easy (free) or registrars protect the domain owner’s privacy. TLD’s are extracted from the queries via a regex (the string after the last ‘.’ character). The top-20 is sorted by the number of occurrences found.

“Very Long Domain Names”

In this case, the string before the last dot is extracted and its size checked. DGA or kill switch domain use very long random strings (do you remember the Wannacry[3] case?

“Suspicious TLD’s”

This search returns DNS queries that use a “suspicious” TLD’s based on a blocklist that I maintain. Some examples:

.pw
.top
.ga
.cn
.ru
.co
.ml

“Malicious Domains”

This search returns DNS queries that are reported as valid IOC’s from my MISP[4] instance. To achieve this, I’m using the Splunk custom search command ‘getmispioc’[5]:

index=securityonion sourcetype=bro_dns
[|getmispioc last=5d type=domain
|rename value as qclass
|fields qclass
]
| rename qclass as Domain
| stats count as Hits by Domain

To generate this dashboard, I’m using bro_dns logs indexed in a Splunk instance but there is nothing specific to this setup and the dashboard can be easily deployed on another system like an ELK stack.

Happy hunting!

[1] https://isc.sans.edu/suspicious_domains.html
[2] https://en.wikipedia.org/wiki/Domain_generation_algorithm
[3] http://securityaffairs.co/wordpress/59072/cyber-crime/wannacry-ransomware-kill-switch.html
[4] http://misp-project.org/
[5] https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

5 comment(s)
My next class:

Comments

A timely post. I am currently tracking suspicious activity to domains in the .info TLD. These names are all of the form of 3 long, obscure English words. For example:

expeditertruffleluxury.info
daresroutinebroadcast.info
fetalhydrantembroider.info
jumblejockeyhurler.info

The domains were all registered on the same date, 2017-08-26. The domain resolutions all point to IP blocks in Hurricane Electric data centers.
See also OPENDNS' (now part of Cisco) NLP
https://umbrella.cisco.com/blog/2015/03/05/opendns-unveils-nlprank-a-new-model-for-advanced-threat-detection/

AND

NCC DOMAIN CHECKER
https://labs.nccgroup.trust/typofinder/
This is great - thank you, sir!

I don't suppose you might be willing to share the XML source for that dashboard?

Cheers.
Hi Xavier,
I would like to try and replicate this in my environment. Any chance that you would be willing to share your search and dashboard code?

Thanks!
Jon
I'd love to see a tutorial on how you set up your dashboard.

Diary Archives