forked from splunk/security_content
suspicious_dns_traffic.yml
name: Suspicious DNS Traffic
id: 3c3835c0-255d-4f9e-ab84-e29ec9ec9b56
version: 1
date: '2017-09-18'
author: Rico Valdez, Splunk
description: Attackers often attempt to hide within or otherwise abuse the domain
  name system (DNS). You can thwart attempts to manipulate this omnipresent protocol
  by monitoring for these types of abuses.
narrative: Although DNS is one of the fundamental underlying protocols that make the
  Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However,
  attackers have discovered ways to abuse the protocol to meet their objectives. One
  potential abuse involves manipulating DNS to hijack traffic and redirect it to an
  IP address under the attacker's control. This could inadvertently send users intending
  to visit google.com, for example, to an unrelated malicious website. Another technique
  involves using the DNS protocol for command-and-control activities with the attacker's
  malicious code or to covertly exfiltrate data. The searches within this Analytic
  Story look for these types of abuses.
references:
- http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/
- http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680
- https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454
tags:
  analytic_story: Suspicious DNS Traffic
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
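The narrative above names the abuses this story is about (traffic hijacking, command-and-control over DNS, covert exfiltration) and says the story's searches look for them, but the SPL searches themselves are not on this page. The following Python sketch is an added illustration, not code from splunk/security_content, of two of the classic heuristics the linked references describe: random-looking or very long subdomain labels (measured by Shannon entropy and length) and a high volume of TXT lookups from one client against one domain. The log line format, the thresholds, and every domain and IP in the sample are constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic): "<timestamp> <client_ip> <query_name> <record_type>".
# The *.example-tunnel.test names are made up to look like encoded data carried in subdomain labels.
SAMPLE_LOG = """\
2017-09-18T10:00:01Z 10.1.2.3 www.google.com A
2017-09-18T10:00:02Z 10.1.2.3 mail.example.org MX
2017-09-18T10:00:03Z 10.1.2.9 q7x2mz9kp4wv1ln8tyb3hd6rfs0jgc5e.example-tunnel.test TXT
2017-09-18T10:00:04Z 10.1.2.9 z3c8hv5qm1tk7rw2gx9dn4pb0jf6ly.example-tunnel.test TXT
2017-09-18T10:00:05Z 10.1.2.9 m9f2tq6vb1xk5wz8ph3rn7gd0cs4jl.example-tunnel.test TXT
2017-09-18T10:00:06Z 10.1.2.3 cdn.example.net A
this line is malformed and is skipped
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
ENTROPY_THRESHOLD = 3.5   # bits per character; random-looking labels score high
LENGTH_THRESHOLD = 30     # subdomain length in characters
TXT_VOLUME_THRESHOLD = 3  # TXT queries from one client to one registered domain


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in Counter(text).values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered_domain).

    Simplification: the registered domain is taken as the last two labels;
    production code would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        yield tuple(fields)


def find_suspicious_queries(log_text: str):
    """Return findings as (client, name, reason) tuples for queries that look like DNS abuse."""
    findings = []
    txt_counts = defaultdict(int)  # (client, registered_domain) -> number of TXT queries
    for _ts, client, qname, qtype in parse_log(log_text):
        sub, domain = split_name(qname)
        # Encoded payloads smuggled in labels tend to be long and high-entropy.
        if sub and (len(sub) >= LENGTH_THRESHOLD or shannon_entropy(sub) >= ENTROPY_THRESHOLD):
            findings.append((client, qname, "high_entropy_or_long_subdomain"))
        if qtype.upper() == "TXT":
            txt_counts[(client, domain)] += 1
    # Many TXT lookups from one client against one domain is typical of tunnelling or C2 over DNS.
    for (client, domain), count in sorted(txt_counts.items()):
        if count >= TXT_VOLUME_THRESHOLD:
            findings.append((client, domain, f"txt_query_volume={count}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_queries(SAMPLE_LOG):
        print(*finding)
```

Run on the constructed log, the three `example-tunnel.test` queries are flagged individually for their subdomain labels, and the client 10.1.2.9 is flagged once more for its TXT query volume against that domain; the `www`, `mail` and `cdn` names score low on both entropy and length and produce nothing. In a real deployment the entropy and length checks are the noisy half of this pair (CDNs and some cloud services use long random hostnames legitimately), so they are best paired with a per-client volume or rarity measure such as the TXT count shown here.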