DNS Activity to the Internet

This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.

Elastic rule (View on GitHub)

# Deprecated rule (maturity = "deprecated", deprecation_date 2022/08/02): kept
# for reference only and no longer maintained upstream.
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2022/08/02"
maturity = "deprecated"
updated_date = "2022/08/02"

[rule]
author = ["Elastic"]
description = """
This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior
for a managed network and can be indicative of malware, exfiltration, command and control, or simply
misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
logging of DNS, and it opens your network to a variety of abuses and malicious communications.
"""
# Tuning guidance: authorised resolvers/forwarders and known remote-DNS users
# (consumer VPN clients, browser plug-ins) are expected to match and should be
# exempted rather than left to generate alerts.
false_positives = [
    """
    Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined
    in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server.
    This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon
    DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet
    destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.
    """,
]
# Lookback window per execution; together with timestamp_override below, the
# window is evaluated on ingest time rather than the event's original timestamp.
from = "now-9m"
# Network telemetry sources: Beats flow/packet/log data plus Elastic Endpoint
# network events.
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "DNS Activity to the Internet"
# Background: US-CERT alert TA15-240A (controlling outbound DNS), NIST SP 800-81-2
# (secure DNS deployment) and the IANA IPv4 special-purpose registry from which
# the destination exclusion list in the query is drawn.
references = [
    "https://www.us-cert.gov/ncas/alerts/TA15-240A",
    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
]
risk_score = 47
rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
severity = "medium"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
# Use the ingest timestamp for the time-range filter (see `from` above).
timestamp_override = "event.ingested"
type = "query"

# Query structure (KQL), three conjuncts:
#   1. DNS-shaped network events: destination port 53 or the Zeek DNS dataset.
#      Only plaintext port-53 DNS is covered; DNS-over-TLS (853) and
#      DNS-over-HTTPS (443) fall outside this rule. The bare `type:dns` term is
#      not an ECS field -- presumably a legacy Packetbeat field; confirm against
#      the data source before relying on it.
#   2. `source.ip` inside the RFC 1918 private IPv4 ranges, i.e. an internal
#      client.
#   3. `destination.ip` outside RFC 1918, loopback, link-local, multicast,
#      shared address space (100.64.0.0/10), documentation/benchmark ranges and
#      the other IANA special-purpose blocks -- i.e. a public Internet address.
#      The three IPv6 exclusions at the end are unreachable in practice because
#      conjunct 2 only admits IPv4 sources. 0.0.0.0/8 is not in the exclusion
#      list.
# No comments inside the query string: KQL would treat them as query text.
query = '''
event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)
  and source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''


# MITRE ATT&CK mapping: tactic only; no technique is listed for this rule.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0011/"
id = "TA0011"
name = "Command and Control"
