In this blog post, I will introduce another Sigma Use Case detecting Command & Control (C2) traffic over Domain Name System (DNS). DNS is used to translate human-friendly computer hostnames into IP addresses. The domain name www.test.com belongs to the top-level domain com. Each label to the left specifies a subdomain of the domain to the right. In our example, test is a subdomain of the com domain. In this blog post, we will define parent domain as the subdomain of the top-level domain.
DNS is the perfect C2 channel because of several facts:
- DNS is usually not blocked outbound.
- It is usually not monitored.
- A DNS C2 channel can work over DNS proxies.
Normally, a parent domain has a limited number of subdomains, which results in a limited number of DNS queries. If you see in your environment a huge number of DNS queries for a single parent domain, this is an indicator for malicious C2 traffic. In this case, DNS is used to transfer data instead of its intended purpose. There exists a good write-up for tunneling traffic using DNS, which can be found here.
Sigma Use Case
In order to detect big number of DNS queries for a single domain, the Sigma distinct count aggregation operator is used:
title: DNS C2 Detection status: experimental description: Normally, there exists a limited amount of different dns queries for a single parent domain. If a huge number of dns queries were performed for a single parent domain, this can be an indicator that DNS is used for transferring data. references: - https://zeltser.com/c2-dns-tunneling/ author: Patrick Bareiss date: 2019/04/07 logsource: product: dns detection: selection: parent_domain: '*' condition: selection | dc(dns_query) by parent_domain > 1000 falsepositives: - Valid software, which uses dns for transferring data level: high tags: - attack.c2 - attack.t1043
Thank you for reading and I hope this Sigma use Case helps you to detect malicious C2 traffic in your company.