Possible DNS Rebinding

Detects several different DNS answers for one domain with IPs from both internal and external networks. Normally a DNS answer carries a TTL above 100 (the DNS record stays in the host cache for the duration of the TTL).

Sigma rule

title: Possible DNS Rebinding
id: eb07e747-2552-44cd-af36-b659ae0958e4
status: unsupported
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2023/02/24
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    product: windows
    category: dns_query
detection:
    dns_answer:
        QueryName: '*'
        QueryStatus: '0'
    filter_int_ip:
        QueryResults|startswith:
            - '(::ffff:)?10.'
            - '(::ffff:)?192.168.'
            - '(::ffff:)?172.16.'
            - '(::ffff:)?172.17.'
            - '(::ffff:)?172.18.'
            - '(::ffff:)?172.19.'
            - '(::ffff:)?172.20.'
            - '(::ffff:)?172.21.'
            - '(::ffff:)?172.22.'
            - '(::ffff:)?172.23.'
            - '(::ffff:)?172.24.'
            - '(::ffff:)?172.25.'
            - '(::ffff:)?172.26.'
            - '(::ffff:)?172.27.'
            - '(::ffff:)?172.28.'
            - '(::ffff:)?172.29.'
            - '(::ffff:)?172.30.'
            - '(::ffff:)?172.31.'
            - '(::ffff:)?127.'
    timeframe: 30s
    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level: medium
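As an added example (not part of the rule or the Sigma repository), the signal the rule describes applied in Python to constructed Sysmon Event ID 22 records: a domain is flagged for a host when its successful answers inside a 30 s window contain both internal addresses (RFC 1918 or loopback, including the IPv4-mapped ::ffff: form Sysmon logs) and external ones. The field names are Sysmon's; the sample records, the `event` helper and `find_rebinding` are assumptions of this example, and it checks the mixed-answer condition itself rather than the rule's count-by-ComputerName threshold.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks the rule's filter_int_ip treats as internal: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
is_internal = lambda ip: any(ip in net for net in INTERNAL_NETS)

def event(utc, host, name, results):  # builds a constructed Sysmon Event ID 22 record
    return {"UtcTime": utc, "ComputerName": host, "QueryName": name,
            "QueryStatus": "0", "QueryResults": results}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    event("2023-02-24 10:00:00.000", "WS01", "rebind.example", "::ffff:203.0.113.10;"),
    event("2023-02-24 10:00:05.000", "WS01", "rebind.example", "::ffff:192.168.1.1;"),
    event("2023-02-24 10:00:02.000", "WS02", "www.example.com", "::ffff:198.51.100.7;"),
    event("2023-02-24 10:01:00.000", "WS02", "www.example.com", "::ffff:127.0.0.1;"),  # 58 s later
]

def answer_ips(query_results):
    """Parse ';'-separated QueryResults: skip 'type:  5 host' CNAME entries, unmap ::ffff:a.b.c.d."""
    ips = []
    for entry in (e.strip() for e in query_results.split(";")):
        if not entry or entry.startswith("type:"):
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:  # tolerate anything that is not an address
            continue
        ips.append(ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip)
    return ips

def find_rebinding(events, window=timedelta(seconds=30)):  # 30 s is the rule's timeframe
    """Return {(ComputerName, QueryName)} whose successful answers inside one window
    mix internal and external addresses, the signal the rule is after."""
    by_key = defaultdict(list)  # (host, domain) -> [(time, {is_internal flags})]
    for ev in events:
        if ev["QueryStatus"] == "0":  # successful answers only, as in dns_answer
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            flags = {is_internal(ip) for ip in answer_ips(ev["QueryResults"])}
            by_key[(ev["ComputerName"], ev["QueryName"])].append((ts, flags))
    hits = set()
    for key, items in by_key.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, f0) in enumerate(items):
            for t1, f1 in items[i:]:  # this answer plus each later one
                if t1 - t0 <= window and (f0 | f1) == {True, False}:
                    hits.add(key)
    return hits
```

Running `find_rebinding(SAMPLE_EVENTS)` flags only WS01/rebind.example; WS02's internal answer arrives 58 s after the external one, outside the window.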
