One Article Review

The article:
Source: RedTeam PL
Identifier: 1798891
Publication date: 2019-08-14 21:45:48 (viewed: 2020-07-09 15:05:43)
Title: Threat hunting using DNS firewalls and data enrichment
Text: After seeing a few advertisements about DNS firewalls and how expensive they are, I want to share my experience with blue teamers about how DNS firewalls work and how that knowledge can be used for in-house threat hunting solutions and/or for building your own DNS firewall (do it yourself). These are examples of an approach to detecting malicious behaviour, not tailor-made solutions. At the beginning I would like to highlight that it is good practice to monitor not only DNS server logs but also DNS traffic in real time. Such traffic is not encrypted, and if you only check the logs of your own DNS server you will miss queries that hosts send directly to other DNS servers, bypassing it. Additionally, you can use the recently published version of Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon], which records DNS queries as event ID 22 (DNSEvent). The DNS queries used below that end with
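The two points in the excerpt above, as an added example that is not part of the original article: first, pulling the hunting-relevant fields out of a Sysmon Event ID 22 record; second, looking at DNS traffic on the wire rather than at resolver logs, so that hosts which query some other resolver directly are still seen. The Sysmon record and the flow records are constructed for this example (the field names follow Sysmon's Event 22 schema; the hostnames, addresses and the corporate resolver address are assumptions).

```python
"""Added example: Sysmon Event 22 parsing and wire-side resolver-bypass detection.

Both inputs below are constructed for the example. The Sysmon XML follows the
shape of a real Event ID 22 (DnsQuery) record; the values are invented.
"""
import ipaddress
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 22 record (values invented, structure as emitted by Sysmon).
SAMPLE_EVENT_22 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>22</EventID><Computer>ws01.example.internal</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2019-08-14 21:45:48.123</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="QueryName">www.example.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">type:  5 www.example.com.edgekey.net;::ffff:93.184.216.34;</Data>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  </EventData>
</Event>"""


def parse_sysmon_dns_event(xml_text):
    """Return the DNS-relevant fields of a Sysmon Event ID 22, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=SYSMON_NS) != "22":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    # QueryResults is ';'-separated. IPv4 answers appear in IPv4-mapped form (::ffff:a.b.c.d);
    # CNAME entries appear as "type:  5 name" and are not addresses, so they are skipped here.
    answers = []
    for item in data.get("QueryResults", "").split(";"):
        item = item.strip().replace("::ffff:", "")
        try:
            answers.append(str(ipaddress.ip_address(item)))
        except ValueError:
            continue
    return {
        "host": root.findtext("e:System/e:Computer", namespaces=SYSMON_NS),
        "time": data.get("UtcTime"),
        "process": data.get("Image"),
        "pid": data.get("ProcessId"),
        "qname": data.get("QueryName"),
        "answers": answers,
    }


# Constructed DNS packets as seen on a network tap: (src, dst, dst port, query name).
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.0.53", 53, "www.example.com"),
    ("10.0.1.15", "8.8.8.8", 53, "update.example.net"),   # sent straight to an external resolver
    ("10.0.1.22", "10.0.0.53", 53, "mail.example.com"),
    ("10.0.1.22", "9.9.9.9", 53, "beacon.example.org"),   # same: never logged by the corporate resolver
    ("10.0.1.40", "10.0.0.53", 53, "intranet.example.internal"),
    ("10.0.1.40", "10.0.0.80", 443, "-"),                 # not DNS, ignored
]

CORPORATE_RESOLVERS = {"10.0.0.53"}  # assumption: the only resolver hosts should be using


def unsanctioned_resolver_queries(flows, allowed_resolvers=CORPORATE_RESOLVERS):
    """Flag plaintext DNS (UDP/TCP 53) sent to any resolver outside the allowed set.

    These queries never reach the corporate resolver, so its logs cannot show them;
    only traffic monitoring does.
    """
    return [
        {"src": src, "resolver": dst, "qname": qname}
        for src, dst, dport, qname in flows
        if dport == 53 and dst not in allowed_resolvers
    ]


if __name__ == "__main__":
    print(parse_sysmon_dns_event(SAMPLE_EVENT_22))
    for hit in unsanctioned_resolver_queries(SAMPLE_FLOWS):
        print("resolver bypass:", hit)
```

Feeding the flagged source hosts back into the Sysmon data (which process on the host issued the query, and what it resolved to) is the enrichment step: the wire tells you which host bypassed the resolver, event 22 tells you which binary did it.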
Sent: Yes
Tags: Spam, Malware, Threat, Guideline
Stories: APT 18


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.