DNS abnormalities
Suspicious DNS requests
DNS is a vital internet protocol that resolves domain names (the host part of a URL) to the corresponding IP addresses
Used by webservers, web apps, email, even malware
DNS requests to unusual or suspicious domains may be generated by malware setting up command-and-control (C2) channels
DNS monitoring and blacklisting are an important component of threat hunting
DNS warning signs
Random domains
Malware and C2 servers will use domain generation algorithms (DGAs) to generate random domains (like dfdkkk.com) to evade blacklisting
These domains are often less than 24 hours old
Embedded IP addresses: IP addresses embedded in domains (like 108.172.16.201.gogle.com) should be a warning sign
Irregular top-level domains: Unusual or unexpected top-level domains (e.g. .ru and .zip)
NXDOMAIN
Requests to non-existent domains could be a typo or an indication of malware on the system
Unusual hours
Most DNS traffic should occur during standard business hours, when employees are using the internet
Abnormal volume
An unusual volume of DNS requests from a certain computer or for a certain domain may indicate an attack
Blacklist hits
Requests to known malicious domains indicate that a system has been infected with malware
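The warning signs above can be checked mechanically over a DNS query log. The following is an added example (not code from the original notes) that applies each sign to a small constructed log: a DGA-style heuristic on the second-level label, a regex for embedded IP addresses, a TLD watchlist, NXDOMAIN responses, queries outside business hours, and blacklist hits, plus a per-client NXDOMAIN ratio as the volume signal. The log lines, the blacklist entry, the business-hours range and the TLD list are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a DNS query log, one query per line:
# "<timestamp> <client_ip> <qname> <rcode>". Not data from the original notes.
SAMPLE_DNS_LOG = """\
2024-03-04T10:02:11 10.0.0.12 www.example.com NOERROR
2024-03-04T10:02:12 10.0.0.12 mail.example.com NOERROR
2024-03-04T11:20:30 10.0.0.12 updates.vendor.zip NOERROR
2024-03-04T11:21:00 10.0.0.12 bad-actor.example NOERROR
2024-03-04T03:14:05 10.0.0.44 dfdkkk.com NXDOMAIN
2024-03-04T03:14:06 10.0.0.44 xq7zp2mlw9.com NXDOMAIN
2024-03-04T03:14:07 10.0.0.44 108.172.16.201.gogle.com NOERROR
"""

# Constructed watchlists standing in for a threat-intel feed and a local policy.
BLACKLIST = {"bad-actor.example"}
UNUSUAL_TLDS = {"ru", "zip"}          # the two TLDs the notes call out; extend per environment
BUSINESS_HOURS = range(7, 19)         # assumption: 07:00-18:59 local time is "normal"

# Four dotted or dashed 1-3 digit groups anywhere in the name, e.g. 108.172.16.201.gogle.com
EMBEDDED_IP = re.compile(r"\b\d{1,3}(?:[.-]\d{1,3}){3}\b")


def second_level_label(qname):
    """Return the label just left of the TLD: 'example' for www.example.com."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label):
    """Cheap DGA heuristic: a longish label with almost no vowels or many digits.

    Short labels are skipped so names like 'www' are not flagged.
    """
    if len(label) < 6:
        return False
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return vowels / len(label) < 0.2 or digits / len(label) > 0.3


def parse_dns_log(text):
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), rcode


def flag_dns_queries(text):
    """Return (findings, per_client): findings is a list of (client, qname, reason),
    per_client counts total and NXDOMAIN queries for each source address."""
    findings = []
    per_client = defaultdict(Counter)
    for ts, client, qname, rcode in parse_dns_log(text):
        reasons = []
        if qname in BLACKLIST:
            reasons.append("blacklist hit")
        if looks_random(second_level_label(qname)):
            reasons.append("random-looking domain")
        if EMBEDDED_IP.search(qname):
            reasons.append("embedded IP address")
        if qname.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
            reasons.append("unusual TLD")
        if rcode == "NXDOMAIN":
            reasons.append("NXDOMAIN")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        per_client[client]["total"] += 1
        per_client[client]["nxdomain"] += int(rcode == "NXDOMAIN")
        findings.extend((client, qname, r) for r in reasons)
    return findings, per_client


def noisy_clients(per_client, min_queries=2, max_nx_ratio=0.5):
    """Clients whose NXDOMAIN share is abnormally high (a common side effect of DGAs)."""
    return sorted(
        client for client, n in per_client.items()
        if n["total"] >= min_queries and n["nxdomain"] / n["total"] > max_nx_ratio
    )


if __name__ == "__main__":
    findings, per_client = flag_dns_queries(SAMPLE_DNS_LOG)
    for client, qname, reason in findings:
        print(f"{client:<12} {qname:<28} {reason}")
    print("clients with high NXDOMAIN ratio:", noisy_clients(per_client))
```

On the sample log the two example.com lookups produce no findings, the .zip and blacklisted names are flagged once each, and every query from 10.0.0.44 is flagged at least twice (off-hours plus a random label, NXDOMAIN, or an embedded address), which is the kind of stacking that justifies pulling a host for a closer look.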
Detecting suspicious DNS traffic
"Rinse and repeat"
Collect DNS traffic packets
Identify and remove known good traffic (whitelisting)
Analyze what's left
Look for patterns
Malware often "beacons" to C2 servers at regular intervals
Legitimate web pages make most of their requests at the very beginning of a page load
Any that originate later are suspicious
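The "rinse and repeat" loop and the beaconing pattern, as an added example that is not code from the original notes: whitelisted zones are removed first, then the remaining (client, domain) pairs are tested for timer-like regularity by computing the coefficient of variation of the gaps between queries. A browsing burst has irregular, front-loaded gaps; a beacon's gaps are nearly constant. The log lines and the whitelist are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log ("<timestamp> <client_ip> <qname>"): one host browsing a
# site (a burst of lookups in the first seconds) and one host querying the same
# name roughly every 60 seconds. Not data from the original notes.
SAMPLE_DNS_LOG = """\
2024-03-04T09:00:00 10.0.0.12 www.example.com
2024-03-04T09:00:01 10.0.0.12 cdn.example.com
2024-03-04T09:00:01 10.0.0.12 static.example.com
2024-03-04T09:00:02 10.0.0.12 ads.example.net
2024-03-04T09:00:30 10.0.0.44 www.example.com
2024-03-04T09:00:00 10.0.0.44 update.c2-host.example
2024-03-04T09:01:00 10.0.0.44 update.c2-host.example
2024-03-04T09:02:01 10.0.0.44 update.c2-host.example
2024-03-04T09:02:59 10.0.0.44 update.c2-host.example
2024-03-04T09:04:00 10.0.0.44 update.c2-host.example
2024-03-04T09:05:00 10.0.0.44 update.c2-host.example
"""

# Constructed whitelist of zones known to be good in this environment.
KNOWN_GOOD_ZONES = ("example.com", "example.net")


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def is_known_good(qname):
    return any(qname == z or qname.endswith("." + z) for z in KNOWN_GOOD_ZONES)


def remove_known_good(records):
    """Step 2 of the loop: drop whitelisted traffic so only the unknown remains."""
    return [r for r in records if not is_known_good(r[2])]


def find_beacons(records, min_queries=5, max_cv=0.2):
    """Flag (client, qname) pairs queried at near-constant intervals.

    The coefficient of variation (stdev / mean) of the gaps between queries is
    close to 0 for a timer-driven beacon and large for human browsing.
    """
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, qname)].append(ts)

    beacons = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "qname": qname, "count": len(times),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    leftovers = remove_known_good(parse_dns_log(SAMPLE_DNS_LOG))
    print(f"{len(leftovers)} queries left after whitelisting")
    for b in find_beacons(leftovers):
        print(f"{b['client']} -> {b['qname']}: {b['count']} queries every ~{b['period_s']}s (cv={b['cv']})")
```

Real beacons often add jitter, so `max_cv` has to be tuned per environment: too low and jittered beacons slip through, too high and scheduled jobs (update checks, monitoring agents) start to appear, which is exactly why the whitelisting step comes first.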
Dynamic DNS connections
Connections to domains hosted on dynamic DNS providers may indicate C2 communication
Look at DNS query or HTTP proxy logs for sites visited by a low number of endpoints
In many environments, any access to a dynamic DNS provider may be considered suspicious
Use a lookup table or feed of known dynamic DNS (DDNS) domains to query against the data in a SIEM or log aggregator
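The two dynamic DNS hunts above (rarely visited destinations, and anything under a known DDNS zone) combined in one pass over a proxy log, as an added example rather than code from the original notes. The DDNS zone list stands in for the feed the notes mention and is constructed, as are the log lines; the label-aligned suffix match mirrors what a SIEM lookup against such a feed does.

```python
from collections import defaultdict

# Constructed feed of dynamic DNS provider zones. These are placeholders, not a
# real provider list; in practice this set is loaded from a DDNS feed into the SIEM.
DDNS_ZONES = {"ddns-provider.example", "dyn.example"}

# Constructed proxy/DNS log: "<client_ip> <destination_host>". Not data from the notes.
SAMPLE_PROXY_LOG = """\
10.0.0.12 www.example.com
10.0.0.13 www.example.com
10.0.0.14 www.example.com
10.0.0.15 www.example.com
10.0.0.44 www.example.com
10.0.0.12 portal.vendor.example
10.0.0.13 portal.vendor.example
10.0.0.44 payload.ddns-provider.example
10.0.0.51 host-7.dyn.example
10.0.0.52 host-7.dyn.example
"""


def matching_ddns_zone(hostname):
    """Return the DDNS zone a hostname falls under, or None.

    Label-aligned suffix match, so 'notdyn.example' does not match 'dyn.example'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


def endpoints_per_host(text):
    """Distinct source endpoints seen per destination host."""
    seen = defaultdict(set)
    for line in text.splitlines():
        client, host = line.split()
        seen[host.lower()].add(client)
    return seen


def hunt_rare_and_ddns(text, max_endpoints=2):
    """Hosts visited by few endpoints, and any host under a DDNS zone.

    Score: 2 if both conditions hold, 1 if only one does; highest score first.
    """
    findings = []
    for host, clients in endpoints_per_host(text).items():
        zone = matching_ddns_zone(host)
        rare = len(clients) <= max_endpoints
        if zone or rare:
            findings.append({
                "host": host, "endpoints": sorted(clients),
                "ddns_zone": zone, "rare": rare,
                "score": int(bool(zone)) + int(rare),
            })
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in hunt_rare_and_ddns(SAMPLE_PROXY_LOG):
        print(f"score={f['score']} {f['host']:<32} endpoints={len(f['endpoints'])} ddns={f['ddns_zone']}")
```

The widely visited www.example.com drops out, the vendor portal surfaces only because two endpoints use it (a low-priority lead to confirm with the business), and the two DDNS destinations land at the top of the list.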
Denied outbound traffic
Denied outbound traffic can be another valuable Indicator of Compromise (IOC)
Malware within your network may need to communicate with a C2 server
This traffic may be blocked by firewalls or other network security devices
Determine where the blocked traffic originated and investigate the source
HTTP request/response abnormalities
Requests
Large numbers of repeated requests for the same resources may indicate:
Attempts to create a working exploit for a suspected vulnerability
Attempts to use a web shell embedded in the web content directory
Responses
Unusually large responses may indicate a successful SQL injection (database dumps, etc.)
Unusually small responses may indicate unsuccessful injection attempts
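Both HTTP signals above over a constructed access log, as an added example (not code from the original notes): repeated requests for the same resource are counted per client and path, and response sizes are tested per path with a median/MAD robust outlier score so that one huge response (a possible dump) and a run of tiny ones (possible failed attempts) both stand out against normal traffic to the same resource. The log format, client addresses and paths are constructed.

```python
import statistics
from collections import Counter, defaultdict

# Constructed web-server access log, simplified to "<client> <method> <path> <status> <bytes>".
# Five ordinary searches, one client hammering /search with tiny then one huge response,
# and one client repeatedly POSTing to a script in the upload directory. Not data from the notes.
SAMPLE_HTTP_LOG = """\
10.0.0.12 GET /search 200 2050
10.0.0.13 GET /search 200 1990
10.0.0.14 GET /search 200 2010
10.0.0.15 GET /search 200 2100
10.0.0.16 GET /search 200 1980
203.0.113.9 GET /search 200 130
203.0.113.9 GET /search 200 128
203.0.113.9 GET /search 200 131
203.0.113.9 GET /search 200 250000
203.0.113.7 POST /uploads/cache.php 200 310
203.0.113.7 POST /uploads/cache.php 200 305
203.0.113.7 POST /uploads/cache.php 200 298
10.0.0.12 GET /index.html 200 5120
"""


def parse_http_log(text):
    records = []
    for line in text.splitlines():
        client, method, path, status, size = line.split()
        records.append((client, method, path, int(status), int(size)))
    return records


def repeated_requests(records, min_count=3):
    """(client, path) pairs requested at least min_count times: exploit tuning or web-shell use."""
    counts = Counter((client, path) for client, _, path, _, _ in records)
    return {pair: n for pair, n in counts.items() if n >= min_count}


def response_size_outliers(records, threshold=3.5, min_samples=5):
    """Per-path robust outlier test on response size using the median and MAD.

    Modified z-score 0.6745 * (x - median) / MAD; |z| > 3.5 is the usual cut-off.
    Very large responses suggest a successful dump, very small ones failed attempts.
    """
    by_path = defaultdict(list)
    for client, _, path, _, size in records:
        by_path[path].append((client, size))

    outliers = []
    for path, rows in by_path.items():
        if len(rows) < min_samples:
            continue  # not enough history for this resource to define "normal"
        sizes = [s for _, s in rows]
        median = statistics.median(sizes)
        mad = statistics.median([abs(s - median) for s in sizes])
        if mad == 0:
            continue  # all responses identical; no spread to judge against
        for client, size in rows:
            z = 0.6745 * (size - median) / mad
            if z > threshold:
                outliers.append((client, path, size, "unusually large response"))
            elif z < -threshold:
                outliers.append((client, path, size, "unusually small response"))
    return outliers


if __name__ == "__main__":
    records = parse_http_log(SAMPLE_HTTP_LOG)
    for (client, path), n in repeated_requests(records).items():
        print(f"{client} requested {path} {n} times")
    for client, path, size, why in response_size_outliers(records):
        print(f"{client} {path} {size} bytes: {why}")
```

Median and MAD are used instead of mean and standard deviation because a single 250 kB response would otherwise drag the mean up enough to hide the small ones; with a robust baseline, both the dump-sized reply and the failed-attempt-sized replies from the same client are reported.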
Geographic abnormalities
Many different anomalies can indicate compromised user credentials:
Authentication attempts from unusual locations
Attempts by multiple IP addresses to access the same account in a short period of time
IP lookup tools like Ultra Tools WHOIS can tell you the country of origin of a suspicious IP address
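The two credential anomalies above, as an added example that is not code from the original notes: attempts from a country outside each user's baseline, and accounts hit from several distinct addresses inside a short sliding window. The IP-to-country table stands in for the WHOIS/IP lookup step and is constructed, as are the baseline, the users and the log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the IP-to-country step (the notes point at a WHOIS/IP
# lookup tool). A real hunt would call a geolocation database or service here.
IP_COUNTRY = {
    "198.51.100.10": "US", "198.51.100.22": "US",
    "203.0.113.5": "FR", "203.0.113.77": "FR",
    "192.0.2.200": "JP", "192.0.2.201": "JP",
}

# Constructed per-user baseline of countries they normally sign in from.
HOME_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

# Constructed authentication log: "<timestamp> <user> <source_ip> <result>".
SAMPLE_AUTH_LOG = """\
2024-03-04T08:55:00 alice 198.51.100.10 SUCCESS
2024-03-04T09:10:00 alice 198.51.100.10 SUCCESS
2024-03-04T09:12:00 bob 198.51.100.22 SUCCESS
2024-03-04T13:00:00 alice 203.0.113.5 FAILURE
2024-03-04T13:01:00 alice 203.0.113.77 FAILURE
2024-03-04T13:02:30 alice 192.0.2.200 SUCCESS
2024-03-04T13:03:00 alice 192.0.2.201 FAILURE
"""


def parse_auth_log(text):
    records = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, result))
    return records


def country_of(ip):
    return IP_COUNTRY.get(ip, "ZZ")  # ZZ: unknown / lookup failed


def unusual_locations(records):
    """Attempts (successful or not) from a country outside the user's baseline."""
    return [
        (ts, user, ip, country_of(ip), result)
        for ts, user, ip, result in records
        if country_of(ip) not in HOME_COUNTRIES.get(user, set())
    ]


def many_sources_per_account(records, window=timedelta(minutes=10), min_ips=3):
    """Accounts targeted from >= min_ips distinct addresses inside one sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in records:
        by_user[user].append((ts, ip))

    findings = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                findings.append({"user": user, "window_start": start, "source_ips": sorted(ips)})
                break  # one finding per account is enough to open an investigation
    return findings


if __name__ == "__main__":
    records = parse_auth_log(SAMPLE_AUTH_LOG)
    for ts, user, ip, country, result in unusual_locations(records):
        print(f"{ts} {user} from {ip} ({country}) {result}")
    for f in many_sources_per_account(records):
        print(f"{f['user']}: {len(f['source_ips'])} source IPs within 10 min of {f['window_start']}")
```

A successful login in the middle of a run of failures from new countries, as alice has at 13:02:30, is the combination worth escalating: the geographic check alone would also fire on a travelling employee, and the multi-IP check alone on a noisy but unsuccessful password spray.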