Splunk Lantern

Detecting host redirection attacks

 

You are an analyst responsible for your organization's overall security posture. You need to be able to detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended, which may be part of an adversary's attack infrastructure.

In some cases, an attacker may try to modify a local hosts file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Or, an attacker may redirect a victim in order to execute a man-in-the-middle (MITM) attack and observe communications. These searches will help you identify when these types of host redirection attacks could be occurring.

Required data

How to use Splunk software for this use case

Clients connecting to multiple DNS servers

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). To run this search, you'll need to populate the Network Resolution data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro. The data used for this search is typically generated via logs that report reads and writes to the file system. For information on installing and using the CIM, see the Common Information Model documentation.

This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS queries over the time frame of the search.

False positives may occur because it's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. You can customize the search as appropriate to suit your environment.

| tstats allow_old_summaries=true count, values("DNS.dest") AS dest, dc("DNS.dest") AS dest_count FROM datamodel=Network_Resolution WHERE "DNS.message_type"=QUERY BY "DNS.src" 
| rename "DNS.*" AS "*" 
| where (dest_count > 5)
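
The round-robin false positive described above can be tuned out by not counting the organization's own resolvers toward the threshold. The following is an added example, not part of the original article or of Splunk's content; the resolver allowlist, the client addresses and the sample records are constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 5  # same cut-off as the search: more than five distinct servers

# Assumption: the organization's own resolvers (constructed addresses).
SANCTIONED = frozenset(f"10.0.0.{i}" for i in range(1, 8))

def sample_events():
    """Constructed (src, dest, message_type) records standing in for DNS logs."""
    events = [("10.1.1.10", f"10.0.0.{i}", "QUERY") for i in range(1, 8)]
    events += [("10.1.1.20", f"198.51.100.{i}", "QUERY") for i in range(1, 7)]
    events += [
        ("10.1.1.20", "10.0.0.1", "QUERY"),
        ("10.1.1.30", "10.0.0.2", "QUERY"),
        ("10.1.1.30", "198.51.100.1", "RESPONSE"),  # not a query, ignored
    ]
    return events

def flag_clients(events, sanctioned=frozenset()):
    """Return {src: sorted servers counted} for clients over THRESHOLD.

    Servers listed in `sanctioned` do not count toward the threshold; with an
    empty allowlist this behaves like the untuned search.
    """
    seen = defaultdict(set)
    for src, dest, message_type in events:
        if message_type == "QUERY":  # mirrors DNS.message_type=QUERY
            seen[src].add(dest)
    flagged = {}
    for src, dests in seen.items():
        counted = dests - sanctioned
        if len(counted) > THRESHOLD:
            flagged[src] = sorted(counted)
    return flagged

if __name__ == "__main__":
    print("untuned:", sorted(flag_clients(sample_events())))
    print("tuned:  ", sorted(flag_clients(sample_events(), SANCTIONED)))
```

Untuned, the client that only rotates through the seven internal resolvers is flagged; with the allowlist, only the client querying six outside servers remains.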

Windows hosts file modification

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. For information on installing and using the CIM, see the Common Information Model documentation.

The hosts file is a file present on both Windows and Linux endpoints. Its purpose is to provide a mapping between hostnames and IP addresses, the same way DNS is used to provide such a mapping. However, the information in the hosts file takes precedence over information received via DNS, and a DNS query will not be issued if the hostname of interest is found in the hosts file. Attackers have been observed adding entries to the hosts file to override any DNS resolution. For this reason, it is useful to monitor for changes to this file, which typically do not occur in legitimate cases.

False positives may occur since there may be legitimate reasons for System Administrators to add entries to this file.

| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"
| search ("Filesystem.file_name"=hosts "Filesystem.file_path"=*Windows\\System32\\*) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| rename "Filesystem.*" AS "*"
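
The search reports that the hosts file was touched; triage then needs to know what it now maps. The following is an added example, not part of the original article or of Splunk's content: it parses hosts file contents collected from a flagged endpoint and separates entries that blackhole or redirect watched update and antivirus domains from other non-default entries. The watched suffixes and the sample file are constructed assumptions.

```python
import ipaddress

# Assumption: suffixes of update/antivirus services to watch (constructed names).
WATCHED_SUFFIXES = ("update.example-av.test", "patches.example-os.test")
DEFAULT_NAMES = {"localhost"}

# Constructed sample of a modified hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.20.30.40     intranet.corp.example      # added by IT
0.0.0.0         update.example-av.test
203.0.113.7     cdn.patches.example-os.test www.patches.example-os.test
#192.0.2.1      disabled.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a usable mapping
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def triage(text):
    """Return (line_no, hostname, ip, reason) for entries worth reviewing."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip.is_loopback:
            continue  # stock loopback entry
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and (ip.is_loopback or ip.is_unspecified):
            reason = "watched service blackholed"
        elif watched:
            reason = "watched service redirected"
        else:
            reason = "non-default entry"
        findings.append((line_no, name, str(ip), reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
```

Entries reported as "non-default entry" cover the legitimate administrator additions mentioned above and still need a human decision.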

Get DNS server history for a host

To run this search, you'll need to ingest your DNS traffic.

While investigating any detections, it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular host has connected to within your specified timeframe. Replace src_ip with a source IP address appropriate to your environment.

| search tag=dns src_ip=<src_ip> dest_port=53 
| streamstats time_window=1d count values(dest_ip) AS dcip BY src_ip 
| table date_mday src_ip dcip count 
| sort -count

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help you detect abuse attempts within your environment, including:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.