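// Name: Long DNS Query
// Description: Length of DNS query can often be an indicator of suspicious activity. Regular domain names lengths are not too large whereas domain name query used for data exfiltration or tunneling can often be very large in size.
// This is because they could be encoded using base 64/32 etc. The hunting query looks for Names that are at least MinNameLength (150) characters in length. Having said that there are also a lot of reputation feeds and some services
// like Spotify which use the DNS protocol to send information to external servers. Would need to whitelist these benign services in your environment (see ExcludedDomains below).
//
// Id: a0954a17-cc66-4d47-9651-8bf524bbdcc8
//
// DataSource: #DNSEvent
//
// Tactics: #C2 , #Exfiltration
//
// Lookback window shared by both sub-queries so the local-domain baseline and the lookups cover the same period.
let LookbackWindow = 1d;
// Minimum query-name length treated as suspicious. The earlier description said 200 while the filter used 150; 150 is kept and documented.
let MinNameLength = 150;
// Benign services known to issue long, encoded DNS names (reputation feeds, AV/URL-filter lookups, Spotify, AD service records, WPAD).
// Each entry is matched as a whole term via has_any, exactly as the former chain of `!has` clauses did; duplicates from that chain are removed.
// Extend this list with the benign services of your own environment.
let ExcludedDomains = dynamic([
    "cnr.io", "kr0.io", "arcticwolf.net", "webcfs00.com", "barracudabrts.com", "trendmicro.com",
    "sophosxl.net", "spotify.com", "e5.sk", "mcafee.com", "opendns.com", "spameatingmonkey.net",
    "_ldap", "_kerberos", "modsecurity.org", "fdmarc.net", "ipass.com", "wpad"
]);
// Registrable domains (last two labels) of the hosts that produced DNS events; used below to drop lookups for the organisation's own domains.
let LocalDomains =
(
DnsEvents | where TimeGenerated >= ago(LookbackWindow)
| summarize count() by Computer
| extend SubDomain = tolower(strcat(tostring(split(Computer, ".")[-2]),".", tostring(split(Computer, ".")[-1])))
| distinct SubDomain
);
let DomainLookups =
(
DnsEvents | where TimeGenerated >= ago(LookbackWindow)
| where SubType == "LookupQuery"
// Only the IPv4 loopback client is excluded here; IPv6 loopback clients (::1) are not filtered by this clause.
| where ClientIP != "127.0.0.1"
// Drop .local (mDNS) names, service-record names starting with '_' and names starting with '#'.
| where Name !endswith ".local" and Name !startswith "_" and Name !startswith "#"
// Drop known-benign services that legitimately produce long names.
| where not(Name has_any (ExcludedDomains))
// Drop names carrying an IPv6 loopback literal (presumably reverse lookups; confirm against your data).
| where Name !contains "::1"
| extend Name = tolower(Name)
| extend Urilength = strlen(Name)
| where Urilength >= MinNameLength
// Reduce the queried name to its registrable domain so it can be compared with LocalDomains:
//   - one or two labels: keep the name as-is
//   - second-level label "corp", or a two-letter TLD (e.g. ccTLD): keep the last three labels
//   - otherwise: keep the last two labels
| extend Labels = split(Name, ".")
| extend SubDomain = case(
    isempty(Name), Name,
    array_length(Labels) <= 2, Name,
    tostring(Labels[-2]) == "corp", strcat(tostring(Labels[-3]),".",tostring(Labels[-2]),".", tostring(Labels[-1])),
    strlen(tostring(Labels[-1])) == 2, strcat(tostring(Labels[-3]),".",tostring(Labels[-2]),".", tostring(Labels[-1])),
    // The former arm compared strlen(...) (an integer) with the string "corp"; the intended comparison is on the label itself.
    tostring(Labels[-2]) != "corp", strcat(tostring(Labels[-2]),".", tostring(Labels[-1])),
    Name)
| project-away Labels
);
// Long lookups whose registrable domain is not one of the organisation's own domains.
DomainLookups
| join kind= leftanti (
LocalDomains
) on SubDomain
| summarize by TimeGenerated, Computer, ClientIP , Name, Urilength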