DNS Activity to the Internet

Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can indicate malware, exfiltration, command and control, or simply misconfiguration. It also undermines the organization's ability to centrally monitor and log DNS, and exposes the network to a variety of abuses and malicious communications.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • Command and Control

Version: 5 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

Exclude DNS servers from this rule, since forwarding queries to the Internet is expected behavior for them. Endpoints usually query the local DNS servers assigned by their DHCP scope, but a user can override this and point the endpoint at a remote DNS server. That is uncommon in managed enterprise networks because it can break intranet name resolution where split-horizon DNS is used. Some consumer VPN services and browser plug-ins also send DNS traffic to remote Internet destinations; devices or networks where this is expected can likewise be excluded from the rule.

Rule query

event.category:(network or network_traffic) and (event.type:connection
or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or
255.255.255.255 or "::1" or "ff02::fb")
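To make the query's logic concrete, here is an added Python re-implementation of it (example code, not Elastic's rule engine) run over a handful of constructed ECS-style events of the kind Filebeat, Packetbeat or the Zeek module would index. It reproduces each clause of the query above and adds the one tuning the false-positive note recommends: an `excluded_sources` list for internal resolvers that legitimately forward to the Internet. Field names follow the query; the sample addresses and the `excluded_sources` parameter are assumptions for illustration.

```python
"""Re-implementation of the 'DNS Activity to the Internet' query.

Added example, not Elastic's code. Events are constructed ECS-style dicts
with dotted field names, roughly what Filebeat or Packetbeat would index.
"""
import ipaddress

# Source ranges the rule treats as "internal clients" (from the query above).
INTERNAL_SRC = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations the rule does NOT treat as "the Internet" (from the query above).
EXCLUDED_DST = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "127.0.0.0/8", "169.254.169.254/32",
                 "172.16.0.0/12", "192.168.0.0/16", "224.0.0.251/32",
                 "224.0.0.252/32", "255.255.255.255/32", "::1/128", "ff02::fb/128")]


def _as_list(value):
    """ECS fields such as event.type may be a scalar or an array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _in_any(ip, networks):
    """True if `ip` falls inside any network of the same IP version."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def matches_rule(event, excluded_sources=()):
    """Return True when `event` would fire the rule.

    `excluded_sources` (assumed tuning, not part of the shipped query) holds
    IPs of hosts exempted by the analyst, e.g. internal resolvers that
    forward to the Internet, as the false-positive note suggests.
    """
    if event.get("source.ip") in set(excluded_sources):
        return False
    if not set(_as_list(event.get("event.category"))) & {"network", "network_traffic"}:
        return False
    if not ("connection" in _as_list(event.get("event.type")) or event.get("type") == "dns"):
        return False
    if not (event.get("destination.port") == 53 or event.get("event.dataset") == "zeek.dns"):
        return False
    if not _in_any(event.get("source.ip"), INTERNAL_SRC):
        return False
    if _in_any(event.get("destination.ip"), EXCLUDED_DST):
        return False
    return True


def run_rule(events, excluded_sources=()):
    """Evaluate the rule over a batch; return (source, destination) pairs that alert."""
    return [(e["source.ip"], e["destination.ip"])
            for e in events if matches_rule(e, excluded_sources)]


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    # Workstation querying the internal resolver: expected, no alert.
    {"event.category": "network", "event.type": ["connection", "start"],
     "source.ip": "10.1.2.3", "destination.ip": "10.1.0.53", "destination.port": 53},
    # Workstation querying a public resolver directly: alert.
    {"event.category": "network", "event.type": ["connection", "start"],
     "source.ip": "10.1.2.3", "destination.ip": "8.8.8.8", "destination.port": 53},
    # Internal resolver forwarding upstream: matches the raw query and is the
    # case the false-positive note says to exempt.
    {"event.category": "network", "event.type": ["connection", "start"],
     "source.ip": "10.1.0.53", "destination.ip": "1.1.1.1", "destination.port": 53},
    # Packetbeat DNS record (type:dns) from a second site: alert.
    {"event.category": "network_traffic", "type": "dns",
     "source.ip": "192.168.7.20", "destination.ip": "9.9.9.9", "destination.port": 53},
    # Zeek dns.log entry: matches via event.dataset even without destination.port.
    {"event.category": "network", "event.type": ["connection", "protocol"],
     "event.dataset": "zeek.dns",
     "source.ip": "172.20.4.9", "destination.ip": "208.67.222.222"},
    # mDNS to the link-local multicast group: excluded destination, no alert.
    {"event.category": "network", "event.type": ["connection"],
     "source.ip": "172.20.4.9", "destination.ip": "224.0.0.251", "destination.port": 53},
    # Public source address (e.g. a DMZ host): outside the rule's scope, no alert.
    {"event.category": "network", "event.type": ["connection"],
     "source.ip": "203.0.113.5", "destination.ip": "8.8.4.4", "destination.port": 53},
    # Port 53 but neither a connection event nor a DNS record: no alert.
    {"event.category": "network", "event.type": ["end"],
     "source.ip": "10.1.2.3", "destination.ip": "8.8.8.8", "destination.port": 53},
]

if __name__ == "__main__":
    for src, dst in run_rule(SAMPLE_EVENTS, excluded_sources={"10.1.0.53"}):
        print(f"ALERT: {src} sent DNS to {dst}")
```

Two details worth noting from the run: the Zeek event alerts through the `event.dataset:zeek.dns` branch even though it carries no `destination.port`, and the resolver's own upstream query alerts until it is added to `excluded_sources`, which is exactly the exception the false-positive note asks you to configure (in Kibana you would do this with a rule exception or an added `and not source.ip:(...)` clause rather than in code).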

Threat mapping

Framework: MITRE ATT&CK™

Rule version history

Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or
    169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251
    or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    destination.port:53 and ( network.direction: outbound or (
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\:\:fb or
    255.255.255.255 ) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.