DNS Activity to the Internet

edit

This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization’s ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.

Rule type: query

Rule indices:

  • auditbeat-*
  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • Command and Control
  • Host

Version: 12 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.16.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.

Rule query

edit
event.category:(network or network_traffic) and (event.type:connection
or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16
) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or
169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or
192.0.0.0/29 or 192.0.0.8/32 or 192.0.0.9/32 or
192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or
192.0.2.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or
192.168.0.0/16 or 192.88.99.0/24 or 224.0.0.0/4 or
100.64.0.0/10 or 192.175.48.0/24 or 198.18.0.0/15 or
198.51.100.0/24 or 203.0.113.0/24 or 240.0.0.0/4 or "::1"
or "FE80::/10" or "FF00::/8" )

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 12 (7.16.0 release)
  • Formatting only
Version 11 (7.15.0 release)
  • Formatting only
Version 10 (7.14.0 release)
  • Updated query, changed from:

    event.category:(network or network_traffic) and (event.type:connection
    or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
    source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not
    destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or
    "::1" or "FE80::/10" or "FF00::/8")
Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Updated query, changed from:

    event.category:(network or network_traffic) and (event.type:connection
    or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or
    255.255.255.255 or "::1" or "ff02::fb")
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or
    169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251
    or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    destination.port:53 and ( network.direction: outbound or (
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\:\:fb or
    255.255.255.255 ) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.