Configuring and Using Microsoft DNS DGA Connector for Threat Hunting

In this article, I will explain the steps for configuring the Microsoft DNS DGA SmartConnector, tuning it, extracting host and domain information, and detecting malicious activity using the collected logs.
 
CONFIGURATION:
 
After installing the connector, you should see a "dga_whitelist.txt" file under the $ARCSIGHT_HOME\current\user\agent directory. This file is used to pre-filter events based on the queried domain. For example, if you don't want to collect DNS logs for *.facebook.com, enter "facebook.com" (without quotes). Entries must be placed one per line. Note that the connector documentation is wrong on this point: it says the file should be comma separated, so be careful.
 
Example dga_whitelist.txt file:
facebook.com
kaspersky-labs.com
googleapis.com
akamaitechnologies.com
compute-1.amazonaws.com
geo.kaspersky.com
apple.com
search.msn.com
microsoft.com
gstatic.com
 
EXTRACTING HOST and DOMAIN INFORMATION:
 
The following files under the map folder must not be renamed, because renaming them breaks the connector's functionality:
map.2.properties, map.3.properties, map.4.properties, map.5.properties.
 
In order to extract the host and domain parts (for example, "compute-1" and "amazonaws.com" from compute-1.amazonaws.com), we create two map files (a single map file would also work if you prefer). The regular expression is applied to destinationHostName, and the first capture group is written to the target field.
map.0.properties (extract the domain part into destinationDnsDomain):
set.expr(destinationHostName).event.destinationDnsDomain
"__regexToken(destinationHostName,"".*?\.(.+)"")"
map.1.properties (extract the host part into flexString1):
set.expr(destinationHostName).event.flexString1
"__regexToken(destinationHostName,""(\S+?)\.\S+"")"

 

LICENSE USAGE OPTIMIZATION:

In order to optimize license usage, run a "top destinationDnsDomain" search, copy the results and review them. After selecting domains that are clearly normal, for example facebook.com, add them to the dga_whitelist.txt file so their events are no longer collected.

DETECTING SUSPICIOUS ACTIVITY:

I highly recommend the following blog post from Red Canary for understanding the importance of DNS logs and how to analyze them:
https://redcanary.com/blog/threat-hunting-entropy/

The Microsoft DNS DGA SmartConnector adds extra information to each query event indicating whether the query name looks normal or looks like a DGA (domain generation algorithm) name. If deviceCustomNumber1=1, the query looks like a DGA name, indicating suspicious behavior (example: asjdhajkhda.xyz.com). If deviceCustomNumber1=0, the query looks normal (example: www.google.com).
Using this field, you can create rules, dashboards, reports, etc. The following are some examples of dashboards:

Top hosts performing DNS lookups (hint: look for abnormally high counts):

[Screenshot: top sources]

Top queried domains (hint: look for abnormally high counts, which may indicate exfiltration activity):

[Screenshot: top queried domains]

Short Tail Analysis of DNS queries (look for rare occurrences of queries, which can indicate dropper activity, since malware is typically downloaded only once):

1. Create an event query (pay attention to the ORDER BY section)


[Screenshots: rare dns queries - query fields; dns event queries - query]

2. Create a Query Viewer

[Screenshots: rare dns queries - query viewer; rare dns queries - query viewer 2]

3. Create a Dashboard

[Screenshot: rare dns queries dashboard]

Comment List
Anonymous
  • If I may propose, here is a slightly different version of the regexes for the domain name and host name:

    map.0.properties(extract the domain part):

    set.expr(destinationHostName).event.destinationDnsDomain
    "__regexToken(destinationHostName,"".+(?=\.(.+\..+))"")"

    map.1.properties(extract the host part):

    set.expr(destinationHostName).event.flexString1
    "__regexToken(destinationHostName,""(.+(?=\..+\.))"")"

    The original regexes will not work properly for the XXX.XXX.XXX.XXX.IN-ADDR.ARPA types of records.
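As an added example (not part of the article or of the comment above), the following Python script emulates the dga_whitelist.txt pre-filter and both sets of map-file regexes against constructed query names, so the behavior of the article's regexes and the comment's regexes can be compared on multi-label names, two-label names and PTR-style in-addr.arpa names. Two things are assumptions: that __regexToken returns capture group 1 of the first match, and that a whitelist entry matches itself and any subdomain of it.

```python
import re

# Constructed sample of a dga_whitelist.txt: one domain per line, as the article notes.
WHITELIST_TEXT = """facebook.com
googleapis.com
compute-1.amazonaws.com
"""

# Map-file regexes from the article; group 1 is what the connector writes to the field.
ARTICLE_DOMAIN = re.compile(r".*?\.(.+)")       # -> destinationDnsDomain
ARTICLE_HOST = re.compile(r"(\S+?)\.\S+")      # -> flexString1
# Alternative regexes proposed in the comment.
COMMENT_DOMAIN = re.compile(r".+(?=\.(.+\..+))")
COMMENT_HOST = re.compile(r"(.+(?=\..+\.))")


def load_whitelist(text):
    """Parse whitelist entries one per line; blank lines and case are ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_whitelisted(fqdn, entries):
    """Assumed semantics: an entry matches itself and any subdomain of it (label boundary)."""
    name = fqdn.lower().rstrip(".")
    return any(name == e or name.endswith("." + e) for e in entries)


def regex_token(pattern, value):
    """Emulate __regexToken: capture group 1 of the first match, or None (assumption)."""
    m = pattern.search(value)
    return m.group(1) if m else None


def split_fqdn(fqdn, variant="article"):
    """Return (host, domain) as each map-file variant would populate flexString1/destinationDnsDomain."""
    host_re, dom_re = (ARTICLE_HOST, ARTICLE_DOMAIN) if variant == "article" else (COMMENT_HOST, COMMENT_DOMAIN)
    return regex_token(host_re, fqdn), regex_token(dom_re, fqdn)


if __name__ == "__main__":
    entries = load_whitelist(WHITELIST_TEXT)
    # Constructed query names covering the cases discussed in the article and the comment.
    samples = ["www.facebook.com", "ec2-1-2-3-4.compute-1.amazonaws.com",
               "4.3.2.1.in-addr.arpa", "asjdhajkhda.xyz.com", "apple.com", "localhost"]
    for fqdn in samples:
        if is_whitelisted(fqdn, entries):
            print(f"{fqdn}: dropped by dga_whitelist.txt pre-filter")
            continue
        print(f"{fqdn}: article={split_fqdn(fqdn)} comment={split_fqdn(fqdn, 'comment')}")
```

Running it shows that both variants agree on ordinary three-label names, while they differ on two-label names (the comment's regexes return nothing) and on in-addr.arpa names (the comment's host regex keeps the whole reversed address).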
