Detection and Forensics on DNS Tunneling
Tim Helming, DomainTools

Agenda
▪ DNS Tunneling 101
▪ Adversary Methodology – Recent Ransomware Campaigns
▪ Detecting Tunneling
▪ Analyzing Adversary Infrastructure Using DNS OSINT in DomainTools Iris
▪ Q&A

Meet Your Presenter
Tim Helming, DomainTools
• Security Evangelist
• Spokesperson, internal/external education
• Over 20 years in infosec
• Technical Support grunt
• Technical Support leader
• Product management grunt
• Product management leader
• Advocate/evangelist

DNS Tunneling 101

DNS: Indispensable, Elegant, Insecure*
• Like many protocols, DNS was designed much more for function than for security
• It can be secured, but most implementations can be abused
• It has the ingredients for abuse:
  o Everyone needs DNS—can’t block it!
  o High volume of traffic—it can be a good place to hide
  o Distributed nature means anyone can stand up an authoritative server
  o Crafting malicious DNS queries is trivial
*It can be secured, but often is not.

How Adversaries Use It
• Free access to WiFi (not a big deal to us)
• OS commands
• Malware C2
• File transfers
• Full IP tunnel
DNS tunneling is a key component of the December 2020 intrusions involving the SolarWinds compromise.

Components of DNS Tunneling
[Diagram, steps 1–4: registration of EvilDomain.TLD; the EvilDomain authoritative DNS server at 1.2.3.4]

Greenbug/ISMDoor Malware
[Sequence diagram of the bot/server DNS exchange; labels recovered from the slide:]
• Bot-generated session ID
• Static, invalid addy: “Hi, bot!”
• Encoded message
• Another invalid address
• Total msg count
• All spaces: “How many msgs for me?”
• Last 8 bytes = # of msgs
• Message request
• Message reply (first 4 bytes)

Hunting for Greenbug/ISMDoor
• Search logs for those static IPv6 addresses
  o Hit? INVESTIGATE
  o Miss? More to hunt for…
• Query pDNS sources for the addresses
  o Now you have a list of attacker-controlled domains
• Do more pivoting on these domains
  o IP addresses
  o Other pivots
• Search logs for all of the gathered indicators

Anchor_DNS
• Anchor_DNS: backdoor created by the nice folks who brought you Trickbot
• Trickbot distributes Ryuk (among other things)
• Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, using key 0xb9
• Initially, does lookups to legit domains to verify connectivity*
  o Examples: ipecho.net, ipinfo.io, icanhazip.com
• Runs lookups to actor-controlled domains for C2, later-stage tooling, exfiltration
  o The subdomains in these lookups are the encrypted C2 data
*Some variants skip this step.

Hunting for Anchor_DNS (1/2)
• Search logs for the legit what’s-my-IP sources
  o Hit? INVESTIGATE—could be FP, though
  o Miss? More to hunt for…
• Build detections for unusual DNS query strings
  o High-entropy query strings (most legitimate subdomains are words)
  o Unusually long query strings (max legal label is 63 characters, max overall name 255 characters; look for outliers)
  o Look for high numbers of… numbers

Hunting for Anchor_DNS (2/2)
• Look for unusual volumes of…
  o Queries per internal host
  o Queries per external domain
  o Hostnames per domain
  o “Orphan” DNS requests (request with no subsequent non-DNS traffic to the resolved domain)
• RegEx rules for detecting the odd query strings
• Traffic analysis rules for detecting volumetric oddities

Workflow: Adversary Infrastructure Mapping
An indicator is seen. IOC sources:
• Suspicious DNS query
• Firewall/IPS alert
• SIEM correlation
Form hypothes(es). This indicator could be:
• Part of a campaign
• Targeting my industry
• Targeting my org
Gather data. Enrich indicators:
• Cross-indexed Whois/DNS
• pDNS
• Other domain profile info
Test hypothesis. Evaluate data:
• Connected infrastructure?
• Thematic consistency?
• High risk scores?
• Other red flags?
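The two hunting slides above (Greenbug/ISMDoor static AAAA answers; Anchor_DNS query-string and volumetric heuristics) can be run as one pass over resolver logs. The script below is an added example, not the presenter's or DomainTools' code. It assumes a hypothetical one-query-per-line log format (timestamp, client, qname, qtype, answer); the ISMDoor AAAA watchlist entry is a placeholder because the real addresses are not on the slides; the entropy, length, digit-ratio and hostnames-per-domain thresholds are illustrative assumptions; and the sample log lines are constructed.

```python
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Legitimate what's-my-IP services named on the Anchor_DNS slide. A hit is a
# lead to investigate, not proof of compromise: plenty of benign software
# asks these too.
WHATS_MY_IP = {"ipecho.net", "ipinfo.io", "icanhazip.com"}

# PLACEHOLDER: the static, invalid IPv6 answers ISMDoor uses are not printed
# on the slides, so a documentation-range address stands in for them here.
AAAA_WATCHLIST = {ipaddress.IPv6Address("2001:db8::dead:beef")}

# Thresholds are assumptions for illustration; tune them against a baseline
# of your own resolver's benign queries.
ENTROPY_THRESHOLD = 3.5    # bits/char of the longest subdomain label
LONG_LABEL = 30            # flag well before the legal maximum of 63
DIGIT_RATIO = 0.3          # "high numbers of... numbers"
HOSTNAMES_PER_DOMAIN = 3   # distinct hostnames seen under one domain

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample resolver log (hypothetical format):
# timestamp client qname qtype answer
SAMPLE_LOG = """\
2020-12-14T10:00:01Z 10.0.0.5 www.example.com A 93.184.216.34
2020-12-14T10:00:02Z 10.0.0.5 www.example.com AAAA 2001:4860:4860::8888
2020-12-14T10:00:03Z 10.0.0.7 ipecho.net A 198.51.100.10
2020-12-14T10:00:04Z 10.0.0.7 d1dcd5d5d6a3b4c5d6e7f8091a2b3c4d.evildomain.example A 203.0.113.9
2020-12-14T10:00:05Z 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.evildomain.example A 203.0.113.9
2020-12-14T10:00:06Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.evildomain.example A 203.0.113.9
2020-12-14T10:00:07Z 10.0.0.9 session42.ismdoor-demo.example AAAA 2001:db8::dead:beef
"""


def shannon_entropy(text):
    """Bits per character; about 4.0 for hex data, low for dictionary words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def base_domain(qname):
    """Naive registered-domain guess (last two labels). A production tool
    would consult the Public Suffix List so co.uk-style names group right."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def qname_reasons(qname):
    """Per-query string heuristics from the Anchor_DNS hunting slide."""
    reasons = []
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 255:
        reasons.append("name longer than legal 255")
    if any(len(label) > 63 for label in labels):
        reasons.append("label longer than legal 63")
    longest = max(labels[:-2] or [""], key=len)   # subdomain labels only
    if len(longest) > LONG_LABEL:
        reasons.append("long label")
    if shannon_entropy(longest) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy label")
    if longest and sum(ch.isdigit() for ch in longest) / len(longest) > DIGIT_RATIO:
        reasons.append("digit-heavy label")
    return reasons


def hunt(log_text):
    """Return (client, qname, reason) findings for a block of log lines."""
    findings = []
    hostnames = defaultdict(set)   # base domain -> distinct qnames
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue               # skip lines that do not fit the format
        _ts, client, qname, qtype, answer = m.groups()
        qname = qname.rstrip(".").lower()
        domain = base_domain(qname)
        hostnames[domain].add(qname)
        if domain in WHATS_MY_IP:
            findings.append((client, qname, "what's-my-IP lookup (possible FP)"))
        for reason in qname_reasons(qname):
            findings.append((client, qname, reason))
        if qtype == "AAAA":
            try:
                addr = ipaddress.IPv6Address(answer)
            except ValueError:
                continue
            if addr in AAAA_WATCHLIST:
                findings.append((client, qname, "AAAA answer on watchlist"))
            elif not addr.is_global:
                findings.append((client, qname, "non-global AAAA answer"))
    # Volumetric check from the 2/2 slide: many hostnames under one domain.
    for domain, names in hostnames.items():
        if len(names) >= HOSTNAMES_PER_DOMAIN:
            findings.append(("*", domain, f"{len(names)} distinct hostnames"))
    return findings


if __name__ == "__main__":
    for client, name, reason in hunt(SAMPLE_LOG):
        print(f"{client:10} {reason:32} {name}")
```

The non-global AAAA check is a generalisation of the slide's watchlist idea: a legitimate AAAA answer should be a routable address, so a bogus or reserved one is worth a look even before you know the specific values a family uses. Queries per internal host and orphan requests from the 2/2 slide need flow data the log format above does not carry, so they are left out.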
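For the forensics side of the Anchor_DNS slide (single-byte XOR, key 0xb9, C2 data carried in the subdomain), here is an added example, not the presenter's or DomainTools' code, of decoding a captured label and of recovering the key by brute force when a variant may have changed it. The slides do not say how the encrypted bytes are turned into label text, so hex encoding is assumed; the sample label is constructed from the text noted in the comment.

```python
import string

ANCHOR_KEY = 0xB9   # single-byte XOR key stated on the Anchor_DNS slide

# Bytes we expect in readable C2 text: letters, digits, space and a little
# punctuation. Used only to rank candidate keys.
TEXT_BYTES = set((string.ascii_letters + string.digits + " =;.-_").encode())

# Constructed sample: the hex label below is the text b"session 42 status ok"
# XORed with 0xB9. Hex encoding of the label is an assumption; the slides do
# not say how Anchor_DNS textualises the encrypted bytes.
SAMPLE_LABEL = "cadccacad0d6d7998d8b99cacdd8cdccca99d6d2"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the same operation decrypts)."""
    return bytes(b ^ key for b in data)


def decode_label(label, key=ANCHOR_KEY):
    """Strip the assumed hex layer, then the XOR layer, from one label."""
    return xor_bytes(bytes.fromhex(label), key)


def text_score(data):
    """Fraction of bytes that look like readable text."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def recover_key(ciphertext, min_score=0.8):
    """Try all 256 single-byte keys and rank them by how text-like the
    result is; returns (key, score) pairs, best first."""
    ranked = sorted(
        ((text_score(xor_bytes(ciphertext, k)), k) for k in range(256)),
        key=lambda sk: (-sk[0], sk[1]),
    )
    return [(k, s) for s, k in ranked if s >= min_score]


if __name__ == "__main__":
    print(decode_label(SAMPLE_LABEL))
    for key, score in recover_key(bytes.fromhex(SAMPLE_LABEL))[:3]:
        print(f"key 0x{key:02x} score {score:.2f}")
```

Key recovery by text scoring works because a single-byte XOR leaves the byte distribution intact; on a few dozen bytes of real traffic the right key separates cleanly from the rest, and on very short labels you should expect several near-ties and confirm against a second sample.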
Test hypothesis, part 2. Look for more evidence:
• Search alerts for domains/IPs
• Search archived logs
• Search SIEM/feeds
Act!
• Block domains/IPs in network/host defenses
• Monitor observed actors
• Block future infrastructure

Demo: DomainTools Iris
• Anchor_DNS/Trickbot assets
• Ryuk ransomware assets
[Screenshots: Trickbot/Ryuk infrastructure; additional Ryuk infrastructure; Greenbug/ISMDoor AAAA record DNS tunneling “fingerprint”; malicious DNS queries from the SolarWinds hack]

In Summary…

Timeline (the “oh snap” moment)
[Timeline diagram: a data trickle to pwnyoudomain.com, lulzdomain.com, etc. runs under the radar (labelled “dwell time upper bound”); then a DNS data hemorrhage to exfiltrationdomain.com; something throws an alert!]
OK, stopped the leak (for now). But…
• How long have they been inside?
• Where have they been sending my data—have I stopped the whole leak?
• Why didn’t my TI feed(s) flag that domain?
[Diagram: pwnyoudomain.com, lulzdomain.com, wewinulosedomain.com]
Now you have:
- Other domains to block
- An indication of dwell time
- IOCs/actors to build detections for
- Possibly other insights: TTP examples, etc.

Takeaways
• DNS tunneling is a common technique in significant adversary operations
• It is desirable to prevent (obviously), but it is possible to detect if prevention didn’t happen
• You should be logging your DNS resolver
• Analysis of even a single domain can lead to exposure of dormant adversary assets
• Your organization is the best place to source intel

For Further Reference
• Detecting DNS Tunneling, Greg Farnham, SANS Information Security Reading Room
• DomainTools Blog (Chad Anderson): Looking at Greenbug DNS Tunneling in ISMDoor
• DomainTools Blog (Joe Slowik): Unraveling Network Infrastructure Linked To the SolarWinds Hack

Thank You!
thelming@domaintools.com
@timhelming
info@domaintools.com