Web services making suspicious DNS queries
This search detects a process making DNS queries for known, abused web services, such as text-paste sites, VoIP and instant-messaging platforms, and digital distribution services that are used to host and download external files. Adversaries, malware operators, and red teams abuse these services to stage a malicious file and download it onto the target host. The search restricts matches to scripting hosts and command shells, because those processes (unlike a browser or a messaging client) have no ordinary reason to resolve these domains, which makes a hit a useful Tactics, Techniques, and Procedures (TTP) indicator for possible initial access and payload delivery.
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational EventCode=22 (QueryName="*discord*" OR QueryName="*pastebin*" OR QueryName="*t.me*" OR QueryName="*telegram*") (process_name="*powershell*" OR process_name="cmd.exe" OR process_name="cscript.exe" OR process_name="pwsh.exe" OR process_name="wscript.exe") | stats count min(_time) AS firstTime max(_time) AS lastTime BY Image QueryName QueryStatus process_name QueryResults Computer | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational | Search Sysmon operational logs from Windows or Linux hosts. |
EventCode=22 (QueryName="*discord*" OR QueryName="*pastebin*" OR QueryName="*t.me*" OR QueryName="*telegram*") (process_name="*powershell*" OR process_name="cmd.exe" OR process_name="cscript.exe" OR process_name="pwsh.exe" OR process_name="wscript.exe") | Search for event code 22, which Sysmon records when a process makes a DNS query. Within those events, keep only query names for the known, abused web services, and only when the querying process is a scripting host or command shell. The wildcard terms are substring matches, so "*t.me*" matches any query name containing "t.me". |
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Image QueryName QueryStatus process_name QueryResults Computer | Group the matching events by the fields shown and, for each group, return the number of queries and the earliest and latest time seen. Grouping on QueryStatus and QueryResults separates successful lookups from failed ones and shows what the name resolved to. |
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) | Convert the epoch times into readable strings. |
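To show concretely what the search selects and how the stats grouping behaves, the following Python re-implements its filter and aggregation offline over a handful of constructed Sysmon Event ID 22 records. This is an added example, not Splunk's or Sysmon's code. The hostnames, paths, timestamps and addresses are made up (192.0.2.0/24 is a documentation range), and deriving process_name from the file name of Image is an assumption about how that field is populated in Splunk.

```python
"""Offline model of the Splunk search on this page, run over constructed Sysmon
Event ID 22 (DnsQuery) records. Added example; not Splunk's or Sysmon's code."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Filter terms copied from the search. Splunk matches them case-insensitively,
# and a leading/trailing "*" turns the term into a substring match.
QUERY_PATTERNS = ("*discord*", "*pastebin*", "*t.me*", "*telegram*")
PROCESS_PATTERNS = ("*powershell*", "cmd.exe", "cscript.exe", "pwsh.exe", "wscript.exe")
GROUP_BY = ("Image", "QueryName", "QueryStatus", "process_name", "QueryResults", "Computer")


def sysmon_dns_event(utc_time, computer, image, query, status, results):
    """Render one Event ID 22 in the XmlWinEventLog layout Sysmon writes.
    Every value passed in is constructed sample data."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>22</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        f'<Data Name="UtcTime">{utc_time}</Data>'
        f'<Data Name="QueryName">{query}</Data>'
        f'<Data Name="QueryStatus">{status}</Data>'
        f'<Data Name="QueryResults">{results}</Data>'
        f'<Data Name="Image">{image}</Data>'
        "</EventData></Event>"
    )


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed records
    sysmon_dns_event("2024-05-01 10:15:00.101", "HOST-A", PS, "cdn.discordapp.com", "0", "::ffff:192.0.2.10;"),
    sysmon_dns_event("2024-05-01 10:17:30.250", "HOST-A", PS, "cdn.discordapp.com", "0", "::ffff:192.0.2.10;"),
    sysmon_dns_event("2024-05-01 11:02:05.000", "HOST-B", r"C:\Windows\System32\cmd.exe", "pastebin.com", "0", "::ffff:192.0.2.20;"),
    # A browser resolving discord.com: not in the process list, so dropped.
    sysmon_dns_event("2024-05-01 11:05:00.000", "HOST-B", CHROME, "discord.com", "0", "::ffff:192.0.2.30;"),
    # Failed lookup (QueryStatus 9003 = NXDOMAIN): still kept, in its own group.
    sysmon_dns_event("2024-05-01 11:10:00.000", "HOST-B", r"C:\Windows\System32\cscript.exe", "t.me", "9003", ""),
    # "*t.me*" is a substring match: this unrelated name contains "t.me" (false positive).
    sysmon_dns_event("2024-05-01 11:30:00.000", "HOST-C", r"C:\Windows\System32\wscript.exe", "agent.metrics.example.com", "0", "::ffff:192.0.2.40;"),
    # PowerShell resolving a domain that is not on the list: dropped by the QueryName filter.
    sysmon_dns_event("2024-05-01 11:31:00.000", "HOST-C", PS, "www.microsoft.com", "0", "::ffff:192.0.2.50;"),
]


def parse_event(xml_text):
    """Flatten a Sysmon XML event into the fields the search uses. process_name is
    derived as the file name of Image (assumption about the Splunk field)."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventCode": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[data.get("Name")] = data.text or ""
    ev["process_name"] = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1]
    ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def _glob_any(value, patterns):
    """Case-insensitive Splunk-style wildcard match against a list of terms."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def is_suspicious(ev):
    """The search's filter: EventCode=22 AND abused-service domain AND scripting host."""
    return (ev["EventCode"] == "22"
            and _glob_any(ev["QueryName"], QUERY_PATTERNS)
            and _glob_any(ev["process_name"], PROCESS_PATTERNS))


def run_search(xml_events):
    """Equivalent of `| stats count min(_time) max(_time) BY ...` plus the convert steps."""
    groups = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if is_suspicious(ev):
            groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times),
                   firstTime=min(times).strftime("%Y-%m-%dT%H:%M:%S"),
                   lastTime=max(times).strftime("%Y-%m-%dT%H:%M:%S"))
        rows.append(row)
    return sorted(rows, key=lambda r: (r["Computer"], r["process_name"], r["QueryName"]))


if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row)
```

Running it yields four rows: the two PowerShell lookups of cdn.discordapp.com collapse into one row with count 2, the cmd.exe pastebin lookup and the failed cscript.exe lookup of t.me each get their own row, and the wscript.exe query for agent.metrics.example.com also appears, which is the substring false positive a reviewer should expect from "*t.me*". The browser lookup of discord.com is filtered out by the process list, not by the domain list.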
Next steps
False positives from this search may occur if instant messaging or applications like Telegram or Discord are allowed in the corporate network, or if an approved administrative script legitimately pulls content from one of these services. The domain terms are substring matches, so "*t.me*" also matches unrelated query names that happen to contain "t.me"; review the QueryName and QueryResults values before escalating, and tighten the patterns to the exact domains you care about if this is noisy in your environment.
During triage, isolate the endpoint and look for the source of the activity: the parent process and command line of the scripting host that made the query (Sysmon Event ID 1), and any files that process subsequently wrote (Sysmon Event ID 11), which identify the downloaded payload. Capture these additional file modification events before they roll out of retention.
If your results indicate an attack has occurred, the host where the activity is detected needs to be further investigated and remediated according to your response plan. This includes, as a final step, re-imaging the system with a known-good system build after the investigation is complete.
You might also be interested in other processes associated with the Detecting indicators of Remcos RAT malware use case.