Scribd Logo
Upload

Welcome to Scribd!

  • 34 views

    Detection and Forensics On DNS Tunelling

    Uploaded by

    damtek
    This document discusses DNS tunneling, a technique used by cyber adversaries to hide command and control (C2) communications and exfiltrate data. It provides examples of malware like Anchor DNS and Greenbug/ISMDoor that use DNS tunneling. The presentation demonstrates how to detect DNS tunneling in network traffic and logs and how to map out related adversary infrastructure by analyzing DNS queries and enriching indicators with DomainTools Iris. It stresses the importance of logging DNS resolutions to detect tunneling and gain insights into adversary dwell time, exfiltrated data destinations, and additional indicators that can strengthen defenses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Detection and Forensics On DNS Tunelling

    Uploaded by

    damtek
    34 views44 pages
    This document discusses DNS tunneling, a technique used by cyber adversaries to hide command and control (C2) communications and exfiltrate data. It provides examples of malware like Anchor DNS and Greenbug/ISMDoor that use DNS tunneling. The presentation demonstrates how to detect DNS tunneling in network traffic and logs and how to map out related adversary infrastructure by analyzing DNS queries and enriching indicators with DomainTools Iris. It stresses the importance of logging DNS resolutions to detect tunneling and gain insights into adversary dwell time, exfiltrated data destinations, and additional indicators that can strengthen defenses.

    Original Description:

    Original Title

    Detection and Forensics on DNS Tunelling

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses DNS tunneling, a technique used by cyber adversaries to hide command and control (C2) communications and exfiltrate data. It provides examples of malware like Anchor DNS and Greenbug/ISMDoor that use DNS tunneling. The presentation demonstrates how to detect DNS tunneling in network traffic and logs and how to map out related adversary infrastructure by analyzing DNS queries and enriching indicators with DomainTools Iris. It stresses the importance of logging DNS resolutions to detect tunneling and gain insights into adversary dwell time, exfiltrated data destinations, and additional indicators that can strengthen defenses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    34 views44 pages

    Detection and Forensics On DNS Tunelling

    Uploaded by

    damtek
    This document discusses DNS tunneling, a technique used by cyber adversaries to hide command and control (C2) communications and exfiltrate data. It provides examples of malware like Anchor DNS and Greenbug/ISMDoor that use DNS tunneling. The presentation demonstrates how to detect DNS tunneling in network traffic and logs and how to map out related adversary infrastructure by analyzing DNS queries and enriching indicators with DomainTools Iris. It stresses the importance of logging DNS resolutions to detect tunneling and gain insights into adversary dwell time, exfiltrated data destinations, and additional indicators that can strengthen defenses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 44

    Detection and Forensics on

    DNS Tunneling
    Tim Helming, DomainTools
    Agenda

    ▪ DNS Tunneling 101


    ▪ Adversary Methodology – Recent Ransomware
    Campaigns
    ▪ Detecting Tunneling
    ▪ Analyzing Adversary Infrastructure Using DNS OSINT in
    DomainTools Iris
    ▪ Q&A
    Meet Your Presenter

    Tim Helming, DomainTools


    • Security Evangelist
    • Spokesperson, internal/external education
    • Over 20 years in infosec
    • Technical Support grunt
    • Technical Support leader
    • Product management grunt
    • Product management leader
    • Advocate/evangelist
    DNS Tunneling 101
    DNS: Indispensable, Elegant, Insecure*

    • Like many protocols, DNS was designed much more for


    function than for security
    • It can be secured, but most implementations can be abused
    • It has the ingredients for abuse:
    o Everyone needs DNS—can’t block it!
    o High volume of traffic—it can be a good place to hide
    o Distributed nature means anyone can stand up an authoritative server
    o Crafting malicious DNS queries is trivial

    *It can be secured, but often is not.


    How Adversaries Use It

    • Free access to WiFi (not a big deal to us)


    • OS Commands
    • Malware C2
    • File transfers
    • Full IP tunnel

    DNS tunneling is a key component of the December


    2020 intrusions involving the SolarWinds compromise
    Components of DNS Tunneling

    1 2

    EvilDomain.TLD EvilDomain
    Registration Authoritative
    DNS
    4
    1.2.3.4

    3
    Greenbug/ISMDoor Malware
    Bot-generated Static, invalid
    session ID addy: “Hi, bot!”

    Encoded Another invalid


    message address

    Total msg count All spaces

    'How many Last 8 bytes = #


    msgs for me?” of msgs

    Message Message reply


    request (first 4 bytes)
    Hunting for Greenbug/ISMDoor
    • Search logs for those static IPv6 addresses
    o Hit? INVESTIGATE
    o Miss? More to hunt for…
    • Query pDNS sources for the addresses
    o Now you have a list of attacker-controlled domains
    • Do more pivoting on these domains
    oIP addresses
    o Other pivots
    • Search logs for all of the gathered indicators
    Anchor_DNS
    • Anchor_DNS: Backdoor created by the nice folks who brought
    you Trickbot
    • Trickbot distributes Ryuk (among other things)
    • Anchor_DNS uses a single-byte XOR cipher to encrypt its
    communications, using key 0xb9
    • Initially, does lookups to legit domains to verify connectivity*
    o Examples: ipecho.net, ipinfo.io, icanhazip.com
    • Runs lookups to actor-controlled domains for C2, later stage
    tooling, exfiltration
    o The subdomains in these lookups are the encrypted C2 data

    *some variants skip this step


    Hunting for Anchor_DNS
    • Search logs for the legit what’s-my-IP sources
    o Hit? INVESTIGATE—could be FP, though
    o Miss? More to hunt for…
    • Build detections for unusual DNS query strings
    o High-entropy query strings (most legitimate subdomains are
    words)
    o Unusually long query strings (max legal label is 63
    characters, max overall name 255 characters. Look for
    outliers)
    o Look for high numbers of…numbers
    Hunting for Anchor_DNS (2/2)
    • Look for unusual volumes of…
    o Queries per internal host
    o Queries per external domain asdfs
    o Hostnames per domain
    o “Orphan” DNS requests (request w/no subsequent non-DNS
    traffic to resolved domain)

    • RegEx rules for detecting the odd query strings


    • Traffic analysis rules for detecting volumetric oddities
    Workflow: Adversary Infrastructure Mapping
    An indicator is seen. Form Hypothes(es). Gather Data
    IOC Sources: This indicator could be Enrich indicators
    • Suspicious DNS query • Part of a campaign • Cross-indexed Whois/DNS
    • Firewall/IPS alert • Targeting my industry • pDNS
    • SIEM correlation • Targeting my org • Other domain profile info

    Test Hypothesis Test Hypothesis part 2 Act!


    Evaluate data Look for more evidence • Block domains/IPs in
    • Connected infrastructure? • Search alerts for network/host defenses
    • Thematic consistency? domains/IPs • Monitor observed actors
    • High risk scores? • Search archived logs • Block future infrastructure
    • Other red flags? • Search SIEM/feeds
    Demo: DomainTools Iris
    Anchor_DNS/Trickbot Assets
    Ryuk Ransomware Assets
    (Trickbot/Ryuk Infrastructure)
    (Additional Ryuk Infrastructure)
    (Greenbug/ISMDoor AAAA record DNS Tunneling “Fingerprint”)
    (Malicious DNS Queries from SolarWinds Hack)
    In Summary…
    Timeline (the “oh snap” moment)
    OK-stopped the leak (for now).
    pwnyoudomain.com But…
    lulzdomain.com
    exfiltrationdomain.com • How long have they been inside?
    etc… • Where have they been sending my data—
    have I stopped the whole leak?
    • Why didn’t my TI feed(s) flag that domain?

    pwnyoudomain.com
    lulzdomain.com
    DNS data
    hemorrhage wewinulosedomain.com
    data trickle

    Now you have:


    -Other domains to block
    Something throws -An indication of dwell time
    Under the radar
    an alert! -IOCs/actors to build detections for
    -Possibly other insights:
    🡨 dwell time upper bound -TTP examples etc
    time
    Takeaways
    • DNS tunneling is a common technique in
    significant adversary operations
    • It is desirable to prevent (obviously) but it is
    possible to detect if prevention didn’t
    happen
    • You should be logging your DNS resolver
    • Analysis of even a single domain can lead
    to exposure of dormant adversary assets
    • Your organization is the best place to
    source intel
    For Further Reference
    • Detecting DNS Tunneling, Greg Farnham, SANS Information
    Security Reading Room
    • DomainTools Blog (Chad Anderson) Looking at Greenbug DNS
    Tunneling in ISMDoor
    • DomainTools Blog (Joe Slowik) Unraveling Network
    Infrastructure Linked To the SolarWinds Hack
    Thank You!
    thelming@domaintools.com
    @timhelming

    info@domaintools.com

    You might also like