DNS Activity to the Internet
This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2022/08/02"
4maturity = "deprecated"
5updated_date = "2022/08/02"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior
11for a managed network and can be indicative of malware, exfiltration, command and control, or simply
12misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
13logging of DNS, and it opens your network to a variety of abuses and malicious communications.
14"""
15false_positives = [
16 """
17 Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined
18 in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server.
19 This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon
20 DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet
21 destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.
22 """,
23]
24from = "now-9m"
25index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "DNS Activity to the Internet"
29references = [
30 "https://www.us-cert.gov/ncas/alerts/TA15-240A",
31 "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
32 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
33]
34risk_score = 47
35rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
36severity = "medium"
37tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)
43 and source.ip:(
44 10.0.0.0/8 or
45 172.16.0.0/12 or
46 192.168.0.0/16
47 ) and
48 not destination.ip:(
49 10.0.0.0/8 or
50 127.0.0.0/8 or
51 169.254.0.0/16 or
52 172.16.0.0/12 or
53 192.0.0.0/24 or
54 192.0.0.0/29 or
55 192.0.0.8/32 or
56 192.0.0.9/32 or
57 192.0.0.10/32 or
58 192.0.0.170/32 or
59 192.0.0.171/32 or
60 192.0.2.0/24 or
61 192.31.196.0/24 or
62 192.52.193.0/24 or
63 192.168.0.0/16 or
64 192.88.99.0/24 or
65 224.0.0.0/4 or
66 100.64.0.0/10 or
67 192.175.48.0/24 or
68 198.18.0.0/15 or
69 198.51.100.0/24 or
70 203.0.113.0/24 or
71 240.0.0.0/4 or
72 "::1" or
73 "FE80::/10" or
74 "FF00::/8"
75 )
76'''
77
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81
82[rule.threat.tactic]
83reference = "https://attack.mitre.org/tactics/TA0011/"
84id = "TA0011"
85name = "Command and Control"
References
Related rules
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity