
Configuring and Using Microsoft DNS DGA Connector for Threat Hunting

In this article, I'm going to explain the steps for configuring the Microsoft DNS DGA SmartConnector, tuning it, extracting host and domain information from the query names, and detecting malicious activity by using the logs.
 
CONFIGURATION:
 
After installing the connector, you should see a "dga_whitelist.txt" file under the $ARCSIGHT_HOME\current\user\agent directory. This file pre-filters events by domain: queries for a listed domain and anything under it are dropped by the connector and never collected. For example, if you don't want to collect DNS logs for *.facebook.com, enter "facebook.com" (without quotes) on its own line. Entries go one per line. Note that the connector documentation is wrong here: it says the file is comma separated, but it is not, so be careful about this. Keep in mind that whitelisted domains disappear from your data entirely, so a broad entry such as compute-1.amazonaws.com also hides any attacker infrastructure hosted under that domain; verify a domain before adding it.
 
Example dga_whitelist.txt file:
facebook.com
kaspersky-labs.com
googleapis.com
akamaitechnologies.com
compute-1.amazonaws.com
geo.kaspersky.com
apple.com
search.msn.com
microsoft.com
gstatic.com
 
EXTRACTING HOST AND DOMAIN INFORMATION:
 
The following existing files under the map folder must not be renamed, because renaming them breaks the connector's functionality:
map.2.properties, map.3.properties, map.4.properties, map.5.properties.
Use free numbers such as map.0 and map.1 for your own files.
 
In order to extract the host and domain parts (for example, "compute-1" and "amazonaws.com" from compute-1.amazonaws.com), we need to create two map files (you can do it with one map file if you want). Each map file is a CSV: the first line names the event field being set and the second line holds the expression, with the quotes inside the expression doubled as CSV escaping. The domain regex skips the first label (the lazy .*? stops at the first dot) and captures everything after it; the host regex captures the first label only. Both assume the query name contains at least one dot, so a single-label name such as "localhost" does not match either pattern.
map.0.properties (extract the domain part):
set.expr(destinationHostName).event.destinationDnsDomain
"__regexToken(destinationHostName,"".*?\.(.+)"")"
map.1.properties (extract the host part):
set.expr(destinationHostName).event.flexString1
"__regexToken(destinationHostName,""(\S+?)\.\S+"")"

 

LICENSE USAGE OPTIMIZATION:

In order to optimize license usage, run a top destinationDnsDomain search, copy the result and review it. After selecting some known-good domains, for example facebook.com, add them to the dga_whitelist.txt file so the connector drops those queries before they are collected. Repeat this periodically, since the top talkers change as the environment does.

DETECTING SUSPICIOUS ACTIVITY:

I highly recommend the following blog post from Red Canary for understanding why DNS logs matter and how to analyze them:
https://redcanary.com/blog/threat-hunting-entropy/

The Microsoft DNS DGA SmartConnector adds extra information to each query event to show whether the query name looks normal or DGA-generated. If deviceCustomNumber1=1, the query name looks like DGA output, indicating suspicious behaviour (example: asjdhajkhda.xyz.com). If deviceCustomNumber1=0, the query name looks normal (example: www.google.com). The flag is a heuristic, so expect some legitimate services that use long, random-looking labels to trip it; once you have verified such a domain, it is a good candidate for dga_whitelist.txt.
Using this field, you can create rules, dashboards, reports, etc. The following are some example dashboards:

Top hosts performing DNS lookups (hint: look for abnormally high counts):

(screenshot: top sources dashboard)

Top queried domains (hint: look for abnormally high counts, which can indicate exfiltration activity):

(screenshot: top queried domains dashboard)

Short tail analysis of DNS queries (look for rare query names, which can reveal dropper activity, since a dropper typically fetches its payload only once):

1. Create an event query (pay attention to the ORDER BY section: sort by the count in ascending order so that the rarest query names come first).

(screenshots: query fields for the rare DNS queries; query condition)

2. Create a Query Viewer.

(screenshots: rare DNS queries query viewer)

3. Create a Dashboard.

(screenshot: rare DNS queries dashboard)
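As an added example (not part of the original article), here is the same analysis expressed in Python over a handful of constructed DNS events: the top querying hosts, the top queried domains, the short tail of rare query names, and a count of DGA-flagged queries per source that could back a rule. The field names follow the connector's (sourceAddress, destinationHostName, deviceCustomNumber1), the event values are made up, the domain split reuses the article's map.0 regex, and the distinct-names-per-domain count is an extra measure that goes beyond the page's raw counts. The connector's own DGA scoring is not reproduced; the flag is simply carried in the sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (values are made up for this example), shaped like
# the fields the connector fills in: sourceAddress = querying host,
# destinationHostName = query name, deviceCustomNumber1 = 1 when the connector
# judged the name DGA-like, 0 when it looked normal. The flag is carried as
# data here; the connector's own scoring is not reproduced.
EVENTS = [
    {"sourceAddress": "10.0.0.5",  "destinationHostName": "www.google.com",            "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.5",  "destinationHostName": "outlook.office365.com",     "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.5",  "destinationHostName": "www.google.com",            "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.7",  "destinationHostName": "www.google.com",            "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.7",  "destinationHostName": "static.cdn-example.net",    "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.7",  "destinationHostName": "outlook.office365.com",     "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "asjdhajkhda.xyz.com",       "deviceCustomNumber1": 1},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "qpwoeirutyal.xyz.com",      "deviceCustomNumber1": 1},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "zmxncbvlaskd.xyz.com",      "deviceCustomNumber1": 1},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "mnbvcxzlkjhg.xyz.com",      "deviceCustomNumber1": 1},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "poiuytrewqas.xyz.com",      "deviceCustomNumber1": 1},
    {"sourceAddress": "10.0.0.9",  "destinationHostName": "www.google.com",            "deviceCustomNumber1": 0},
    {"sourceAddress": "10.0.0.12", "destinationHostName": "files.dropper-example.net", "deviceCustomNumber1": 0},
]

# Same split as the article's map.0.properties: drop the first label, keep the rest.
DOMAIN_RE = re.compile(r".*?\.(.+)")


def domain_of(qname):
    """destinationDnsDomain as map.0 would derive it; single-label names are kept whole."""
    m = DOMAIN_RE.search(qname)
    return m.group(1) if m else qname


def top_sources(events, n=3):
    """'Top hosts performing DNS lookups': (sourceAddress, count) pairs, highest first."""
    return Counter(e["sourceAddress"] for e in events).most_common(n)


def top_domains(events, n=3):
    """'Top queried domains': (destinationDnsDomain, count) pairs, highest first."""
    return Counter(domain_of(e["destinationHostName"]) for e in events).most_common(n)


def short_tail(events, max_count=1):
    """Rare query names, ordered by count ascending like the ORDER BY in the
    event query. DGA names are rare too, so this list is read together with
    the DGA flag, not instead of it."""
    counts = Counter(e["destinationHostName"] for e in events)
    rare = [(q, c) for q, c in counts.items() if c <= max_count]
    return sorted(rare, key=lambda qc: (qc[1], qc[0]))


def dga_sources(events, threshold=3):
    """Sources with at least `threshold` DGA-flagged queries, a usable rule
    condition; returns {sourceAddress: dga_count}."""
    hits = Counter(e["sourceAddress"] for e in events if e["deviceCustomNumber1"] == 1)
    return {src: n for src, n in hits.items() if n >= threshold}


def distinct_names_per_domain(events):
    """Distinct query names under each domain. Many unique labels under one
    domain is the usual shape of DGA or DNS exfiltration traffic (an extra
    measure beyond the page's raw counts)."""
    names = defaultdict(set)
    for e in events:
        names[domain_of(e["destinationHostName"])].add(e["destinationHostName"])
    return {d: len(s) for d, s in names.items()}


if __name__ == "__main__":
    print("top sources:", top_sources(EVENTS))
    print("top domains:", top_domains(EVENTS))
    print("short tail:", short_tail(EVENTS))
    print("DGA sources:", dga_sources(EVENTS))
    print("distinct names per domain:", distinct_names_per_domain(EVENTS))
```

In the sample data 10.0.0.9 tops the source list, xyz.com tops the domain list with five distinct names under it, and the single query to files.dropper-example.net only shows up in the short tail, which is exactly the blind spot the rare-queries dashboard is meant to cover.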

Comments

If I may propose, here is a slightly different version of the regexes for the domain name and host name:

map.0.properties(extract the domain part):

set.expr(destinationHostName).event.destinationDnsDomain
"__regexToken(destinationHostName,"".+(?=\.(.+\..+))"")"

map.1.properties(extract the host part):

set.expr(destinationHostName).event.flexString1
"__regexToken(destinationHostName,""(.+(?=\..+\.))"")"

The original regexes will not work properly for the XXX.XXX.XXX.XXX.IN-ADDR.ARPA types of records.
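To see what the two regex sets actually produce, here is an added Python example (not from the article or the comment above) that applies both the article's map.0/map.1 patterns and the alternative proposed in the comment to a few constructed query names, including the IN-ADDR.ARPA case. It assumes that __regexToken yields the first capture group of the first match and nothing when there is no match; that behaviour is an assumption about the connector, not something the page states. Python's re engine accepts the patterns unchanged.

```python
import re

# The two regex sets under discussion. In the map files the inner quotes are
# doubled ("") because the files are CSV; the raw patterns are the ones below.
ARTICLE = {                                  # article's map.0 / map.1
    "domain": re.compile(r".*?\.(.+)"),
    "host": re.compile(r"(\S+?)\.\S+"),
}
COMMENT = {                                  # alternative from the comment
    "domain": re.compile(r".+(?=\.(.+\..+))"),
    "host": re.compile(r"(.+(?=\..+\.))"),
}

# Constructed query names (not taken from any real log); the PTR name is the
# case the comment calls out.
SAMPLES = [
    "compute-1.amazonaws.com",
    "www.google.com",
    "asjdhajkhda.xyz.com",
    "mail.eu.example.com",
    "4.3.2.1.IN-ADDR.ARPA",
    "localhost",
]


def regex_token(pattern, value):
    """Stand-in for ArcSight's __regexToken. Assumption: it yields the first
    capture group of the first match and nothing when there is no match."""
    m = pattern.search(value)
    return m.group(1) if m else None


def split_name(name, rules):
    """Return (host, domain) the way map.1 and map.0 would fill
    flexString1 and destinationDnsDomain under the given rule set."""
    return regex_token(rules["host"], name), regex_token(rules["domain"], name)


def compare(names=SAMPLES):
    """Apply both rule sets to each name.
    Returns {name: {"article": (host, domain), "comment": (host, domain)}}."""
    return {
        n: {"article": split_name(n, ARTICLE), "comment": split_name(n, COMMENT)}
        for n in names
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:24} article={r['article']!s:40} comment={r['comment']}")
```

The article's patterns treat the first label as the host and everything after it as the domain, so 4.3.2.1.IN-ADDR.ARPA splits into "4" and "3.2.1.IN-ADDR.ARPA", while the comment's patterns keep the last two labels as the domain and everything before them as the host, giving "4.3.2.1" and "IN-ADDR.ARPA". The two-label rule has its own limit: for a name such as www.example.co.uk it reports co.uk as the domain. A single-label name matches nothing under either set, so whichever you choose, check what your dashboards show for empty destinationDnsDomain values.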

Last update: 2019-04-05 14:53 (revision 4 of 4)