2019-10-29 00:44:22 +00:00
title : Possible DNS Rebinding
2019-12-19 22:56:36 +00:00
id : eb07e747-2552-44cd-af36-b659ae0958e4
2019-10-29 00:44:22 +00:00
status : experimental
2020-06-16 20:46:08 +00:00
description : Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
2019-10-29 00:44:22 +00:00
date : 2019 /10/25
2020-08-29 00:03:28 +00:00
modified : 2020 /08/28
2019-10-29 00:44:22 +00:00
author : Ilyas Ochkov, oscd.community
references :
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags :
2020-08-29 00:03:28 +00:00
- attack.initial_access
- attack.t1189
2019-10-29 00:44:22 +00:00
logsource :
product : windows
service : sysmon
detection :
dns_answer :
EventID : 22
QueryName : '*'
2020-06-16 20:46:08 +00:00
QueryStatus : '0'
2019-10-29 00:44:22 +00:00
filter_int_ip :
2020-06-16 20:46:08 +00:00
QueryResults|startswith :
2019-11-13 21:08:50 +00:00
- '(::ffff:)?10.'
- '(::ffff:)?192.168.'
- '(::ffff:)?172.16.'
- '(::ffff:)?172.17.'
- '(::ffff:)?172.18.'
- '(::ffff:)?172.19.'
- '(::ffff:)?172.20.'
- '(::ffff:)?172.21.'
- '(::ffff:)?172.22.'
- '(::ffff:)?172.23.'
- '(::ffff:)?172.24.'
- '(::ffff:)?172.25.'
- '(::ffff:)?172.26.'
- '(::ffff:)?172.27.'
- '(::ffff:)?172.28.'
- '(::ffff:)?172.29.'
- '(::ffff:)?172.30.'
- '(::ffff:)?172.31.'
2020-06-16 20:46:08 +00:00
- '(::ffff:)?127.'
2019-10-29 00:44:22 +00:00
timeframe : 30s
condition : (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level : medium