DNS Threat Hunting

John Meyers

January 12, 2017 - Posted by John Meyers to Security Insight

DNS Threat Hunting

Recently, I read an article in SANS News Bytes about the Stegano malvertising campaign that was discovered by ESET Research. Instead of discussing this campaign in great detail, which ESET has already done, I am going to focus this blog on what you can do when information about a new malicious campaign becomes public.

One of the SANS News Bytes editors, Gal Shpantzer, recommended looking for the attack’s domain names in DNS logs. Most organizations do not retain their DNS traffic, but these can be a valuable source of information. In a corporate environment, having a historical record of traffic that traversed your network can aid in threat hunting, especially as new intelligence is made public. A SIEM is a great tool that organizations can use to store logs, including logs of DNS activity. In the case of Stegano, the DNS requests for the TinyURL and domains of the landing pages would be in those DNS logs.

If you don’t currently have DNS logging on your network, the first step would be to enable DNS logging. If you run a Windows environment you can enable DNS logging on a Windows 2012 server by following these steps:

  • Ensure that Hotfix for Windows KB2956577 is installed: “wmic qfe | find "KB2956577"
  • Type “eventvwr.msc” at an elevated command prompt and press ENTER to open Event Viewer.
  • In Event Viewer, navigate to “Applications and Service Logs\Microsoft\Windows\DNS-Server”.
  • Right-click “DNS-Server”, point to “View”, and then click “Show Analytic and Debug Logs”. The “Analytical”log will be displayed.
  • Right-click “Analytical” and then click “Properties”.
  • Under “When maximum event log size is reached”, chooseDo not overwrite events (Clear logs manually)”, select theEnable logging” checkbox, and clickOK” when asked if you want to enable this log.
  • Click “OK” again to enable the DNS Server Analytic event log.

For more information, please see Microsoft’s TechNet post  as well as this Microsoft blog post about DNS network forensics and Brian Pluta’s post about DNS logging.

In order to collect all DNS records for threat hunting, you have to consider more than what your internal DNS servers log. Some malware hard-codes public DNS servers to request their command and control URLs. This is where a network sniffer on the egress points is beneficial. A sniffer can capture all DNS traffic leaving your network. Once captured, these records should be retained in your SIEM solution. The longer you can hold DNS records, the more useful they will be during an investigation, especially when the activity may have occurred months in the past or as new intelligence about malicious activity like Stegano becomes available.

Once you have enabled DNS logging, the next step is to implement some form of threat hunting. Looking for malicious URLs in DNS records can help you find malicious or historical activity your IDS is missing. In order to review DNS records, however, you have to retain them. This includes DNS records that are not stored on your internal DNS server.

If you are not saving your DNS records, you should explore that solution with a SIEM provider. Stored DNS logs can give you better insight into your network. NTT Security can offer this type of service with our managed security services.

Read more on Solutionary Minds about:

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)