DNS

Network Connection to Suspicious Server
Description This alert is triggered when it detects communication between hosts and domains mentioned in the query's list. The query will either search for logs generated from the Windows system or logs from proxy and firewalls. The sites mentioned are either file storage or hosting sites. Attackers have used such sites in many campaigns to upload and download data.
Log source DNS Server
Value The list contains common sites that threat actors use in their attacks, such as Pastebin, Telegram, and Mega. Therefore, it is important to keep track of the communication of the DNS server to this type of sites.
Query
Copy 
url IN ["*dl.dropboxusercontent.com*","*.pastebin.com*","*.githubusercontent.com*",   
"*cdn.discordapp.com/attachments*","*mediafire.com*","*userstorage.mega.co.nz*",  
"*mega.nz*","*ddns.net*","*.paste.ee*", "*.hastebin.com/raw/*","*.ghostbin.co/*",   
"*ufile.io*","*anonfiles.com*", "send.exploit.in*","*transfer.sh*", "*privatlab.net*",  
"*privatlab.com*","*sendspace.com*","*pastetext.net*","*pastebin.pl*","*paste.ee*",  
"*api.telegram.org*"] OR domain IN ["*dropboxusercontent.com*","*pastebin.com*","*.githubusercontent.com*",   
"*cdn.discordapp.com","*mediafire.com*","*userstorage.mega.co.nz",  
"*mega.nz*","*ddns.net","*.paste.ee", "*.hastebin.com","*ghostbin.co",   
"*ufile.io","*anonfiles.com", "send.exploit.in","transfer.sh", "privatlab.net",  
"*privatlab.com","*sendspace.com","*pastetext.net","*pastebin.pl","*paste.e*",  
"*api.telegram.org"] 
Comments -
Type

Alert

 

DNS Query to External Service Interaction Domains
Description Triggered when DNS queries to domains for external service interaction, such as 'Interact.sh', are detected. Attackers use these sites for 'out-of-band' interactions to verify remote code execution success after exploiting vulnerabilities.
Log source DNS Server
Value This alert monitors the use of remote code execution sites to check if attackers have gained access to your assets.
Query
Copy 
label=DNS (label=Query OR label=Monitor) (query IN ['*.interact.sh', 
'*.oast.pro', '*.oast.live', '*.oast.site', '*.oast.online', '*.oast.fun',
'*.oast.me', '*.burpcollaborator.net', '*.oastify.com', '*.canarytokens.com',
'*.requestbin.net', '*.dnslog.cn'] OR domain IN ['*interact.sh', '*oast.pro', 
'*oast.live', '*oast.site', '*oast.online', '*oast.fun', '*oast.me', 
'*burpcollaborator.net', '*oastify.com', '*canarytokens.com', '*requestbin.net', 
'*dnslog.cn']  ) | rename query as domain
Comments -
Type Alert
MITRE ATT&CK T1589.002 – Gather Victim Identity Information: Domain

DNS DASHBOARD

Windows DNS
Description This dashboard provides insights into DNS data, including network protocols, addresses, and accessed domains.
Log source Windows DNS
Value DNS logging is crucial for identifying which internal systems have queried specific domain names and when. For example, it helps determine when malware communicated with a command & control(C2) server.
Rationale This dashboard offers visibility into DNS traffic patterns and anomalies, which can reveal C2 activity, data exfiltration, and attempts to resolve malicious domains. DNS is a common channel for attacker communication. Monitoring this supports NIST 800-53 SI-4 (System Monitoring), AU-12 (Audit Generation), ISO 27001 A.12.4.1 (Event Logging), and CIS Control 13.6 (DNS Query Logging).
Widgets / Use cases

1. Top 10 Protocols

2. Top 10 Source Addresses

3. Top 10 Request Types

4. Top 10 Domain

5. Top 10 Successful Event Details

6. Top 10 Failed Event Details

7. Top 10 Non-Existant Domain Name Requests

8. DNS Event Status Timetrendrs

9. Top 10 Countries

10. DNS Action Timetrend

11. Top 10 Status Codes

12. Top 10 Names Not Present (Expected to Exist)

13. Top 10 Successful Name Response

14. Top 10 Failed Updates in Name Response

Comments -
Type Dashboard
MITRE ATT&CK T1071.004 – Application Layer Protocol: DNS