Threat Hunting: DNS Indicators of Compromise

A critical part of proactive threat hunting is being on the lookout for attackers who might have already infiltrated the network. One such threat is malware-infected systems in the network.Once they are ready to exfiltrate data, the malware tries to contact the respective Command and Control (C&C) server. The system calls upon the DNS resolver—server that manages DNS requests, to locate the malicious domain's C&C server. Since every such attempt requires the DNS resolver to act, looking at DNS server logs can be of immense help to discover threat actors.

Indicators of compromise (IoCs) are pieces of forensic evidence that identifies malicious activity and helps detect the presence of potential threat actors in your network. Here are a few DNS IoCs that you should watch out for in your DNS server and traffic logs.

1. Unusual domain name requests: The domain names to the C&C servers are usually random like 'asdggj.com' or '12.345.672.hujist.com'. If such domain names are encountered in the logs, they should be immediately blacklisted. Also, top level domain names such as .tk and .ru are suspicious and should be looked into for malicious activity.
2. Abnormal volume of DNS : When a large number of DNS queries occur in a short span of time to unusual domain names, it is a sure sign of malicious activity. If these queries occur at odd hours, it's possible that the querying systems are infected.
3. Unusual DNS query failures : Suspicious domain names can be blocked upon discovery. As a way around this, attackers use Domain Generation Algorithms (DGA) in their malware. The DGAs generate a large number of domain names everyday, a few of which could be used to successfully connect to the C&C server. . Since not every name is a successful connection, monitoring your logs for failed DNS queries can lead you to the infected systems.

These IoCs have a very short lifespan, becoming obsolete in mere hours, and need to be acted upon quickly. Their discovery can be easily automated provided you have the right settings with the right solution.

ManageEngine's Log360 is a one stop solution that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence and more. It has a built-in STIX/TAXII feeds processor and a global IP threat database that can instantly detect known malicious traffic passing through the network as well as outbound connections to malicious domains and callback servers. The advanced threat analytics add-on gives deeper insights into the threats. Click here to explore more features.