Possible DNS Rebinding
Detects DNS-answer with TTL <10.
Sigma rule (View on GitHub)
title: Possible DNS Rebinding
id: ec5b8711-b550-4879-9660-568aaae2c3ea
status: unsupported
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
    - attack.command_and_control
    - attack.t1043
logsource:
    product: dns
detection:
    selection:
        answer: '*'
    filter1:
        ttl: '>0'
    filter2:
        ttl: '<10'
    timeframe: 30s
    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium
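
The rule's condition applied to parsed DNS records, as an added example that is not part of the Sigma repository or the original page. It assumes a sliding 30-second window and that count(answer) counts distinct answer values; the record layout and the sample data are constructed.

```python
from collections import defaultdict, deque

TTL_MIN, TTL_MAX = 0, 10   # filter1 / filter2: 0 < ttl < 10
WINDOW_S = 30              # timeframe: 30s
THRESHOLD = 3              # count(answer) by src_ip > 3


def detect_rebinding(events):
    """Return {src_ip: timestamp of first alert}.

    events: dicts with ts (epoch seconds), src_ip, answer, ttl. Field names
    follow the rule; the record layout itself is an assumption.
    """
    recent = defaultdict(deque)  # src_ip -> (ts, answer) of matching events
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        # selection and filter1 and filter2
        ttl = int(ev.get("ttl", 0))
        if not ev.get("answer") or not (TTL_MIN < ttl < TTL_MAX):
            continue
        window = recent[ev["src_ip"]]
        window.append((ev["ts"], ev["answer"]))
        # Sliding window (assumption): drop matches older than the timeframe.
        while ev["ts"] - window[0][0] > WINDOW_S:
            window.popleft()
        # Assumption: count(answer) counts distinct answer values.
        distinct = {answer for _, answer in window}
        if len(distinct) > THRESHOLD:
            alerts.setdefault(ev["src_ip"], ev["ts"])
    return alerts


# Constructed sample records (documentation/private ranges), not real logs.
FIELDS = ("ts", "src_ip", "answer", "ttl")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    # 10.0.0.5: answers flip from a public to internal addresses, TTL 1
    (100, "10.0.0.5", "203.0.113.7", 1), (103, "10.0.0.5", "192.168.1.1", 1),
    (106, "10.0.0.5", "192.168.1.2", 1), (109, "10.0.0.5", "192.168.1.3", 1),
    # 10.0.0.9: ordinary TTLs, never matches filter2
    (101, "10.0.0.9", "198.51.100.4", 300), (104, "10.0.0.9", "198.51.100.5", 60),
    # 10.0.0.7: low TTLs, but answers arrive 40 s apart (outside the window)
    (100, "10.0.0.7", "192.0.2.1", 5), (140, "10.0.0.7", "192.0.2.2", 5),
    (180, "10.0.0.7", "192.0.2.3", 5), (220, "10.0.0.7", "192.0.2.4", 5),
    # 10.0.0.8: low TTL, same answer repeated (one distinct value)
    (100, "10.0.0.8", "198.51.100.9", 5), (102, "10.0.0.8", "198.51.100.9", 5),
    (104, "10.0.0.8", "198.51.100.9", 5), (106, "10.0.0.8", "198.51.100.9", 5),
]]
```

Only 10.0.0.5 alerts on this sample; the repeated-answer and slow-rotation sources show the two benign low-TTL patterns the threshold and timeframe are there to exclude.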
Related rules
- DNSCat2 Powershell Implementation Detection Via Process Creation
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate
- High TXT Records Requests Rate