SigmaHQ/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml

title: Possible DNS Rebinding
id: eb07e747-2552-44cd-af36-b659ae0958e4
status: experimental
description: Detects one domain name being answered with several different IP addresses, some from internal networks and some from external ones, within a short time. A normal DNS answer carries a TTL above 100 seconds and the record stays in the host cache for the lifetime of that TTL, so a name whose answers switch between public and private addresses within 30 seconds is a DNS rebinding candidate.
date: 2019/10/25
modified: 2020/08/28
author: Ilyas Ochkov, oscd.community
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    product: windows
    service: sysmon
detection:
    dns_answer:
        EventID: 22
        QueryName: '*'
        QueryStatus: '0'
    filter_int_ip:
        # Regular expressions (the 're' modifier), anchored at the start of the answer.
        # Sysmon writes A-record answers as IPv4-mapped IPv6 ("::ffff:10.0.0.5;"),
        # hence the optional "::ffff:" prefix. Covers 10/8, 192.168/16, 172.16/12 and 127/8.
        QueryResults|re:
            - '^(::ffff:)?10\.'
            - '^(::ffff:)?192\.168\.'
            - '^(::ffff:)?172\.(1[6-9]|2[0-9]|3[01])\.'
            - '^(::ffff:)?127\.'
    timeframe: 30s
    # Intent: within 30s the same QueryName on one host is answered both with an
    # internal address (filter_int_ip) and with an external one. No single event
    # matches "filter_int_ip and not filter_int_ip" at once, so a backend has to
    # correlate the two answer groups across events in the window; count(QueryName)
    # counts distinct query names per host.
    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level: medium
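The correlation the rule describes, as an added example that is not part of the SigmaHQ rule or its tooling: constructed Sysmon Event ID 22 records are grouped per (ComputerName, QueryName), and a name is reported once a sliding 30-second window holds both an internal and an external answer. It assumes the Sysmon QueryResults layout (answers separated by `;`, A records written as IPv4-mapped IPv6 `::ffff:a.b.c.d`, non-address records as `type: <n> <name>`) and replaces the rule's string prefixes with the equivalent networks; the `_ev` helper and all sample events are constructed, not real telemetry.

```python
"""Added example, not part of the SigmaHQ rule: the 30-second correlation the
rule above describes, run over constructed Sysmon Event ID 22 records."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIMEFRAME = timedelta(seconds=30)          # the rule's timeframe: 30s

# The same ranges the rule's filter_int_ip lists, as networks rather than
# string prefixes, so 172.16-31.x is matched exactly and 172.32.x is not.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def answer_kinds(query_results):
    """Classify every address in a Sysmon QueryResults string.

    Sysmon separates answers with ';', writes A records as IPv4-mapped IPv6
    ("::ffff:1.2.3.4") and non-address records as "type: <n> <name>".
    Returns a subset of {"internal", "external"}.
    """
    kinds = set()
    for token in query_results.split(";"):
        token = token.strip()
        if not token or token.startswith("type:"):
            continue                                   # CNAME/MX/... carry no IP
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]            # unwrap the mapped IPv4
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        internal = any(ip in net for net in INTERNAL_NETS)
        kinds.add("internal" if internal else "external")
    return kinds


def detect_rebinding(events):
    """Return [(ComputerName, QueryName)] for names answered with both internal
    and external addresses on one host within TIMEFRAME, in detection order."""
    window = defaultdict(deque)        # (host, name) -> deque[(time, kinds)]
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        # the rule's dns_answer selection: successful Event ID 22 lookups only
        if ev["EventID"] != 22 or ev["QueryStatus"] != "0":
            continue
        kinds = answer_kinds(ev["QueryResults"])
        if not kinds:
            continue
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        key = (ev["ComputerName"], ev["QueryName"])
        recent = window[key]
        while recent and t - recent[0][0] > TIMEFRAME:
            recent.popleft()                           # drop answers older than 30s
        recent.append((t, kinds))
        seen = set().union(*(k for _, k in recent))
        if {"internal", "external"} <= seen and key not in hits:
            hits.append(key)
    return hits


def _ev(host, utc, name, results, status="0"):
    """Constructed Sysmon Event 22 record (hypothetical helper, not Sysmon's schema)."""
    return {"EventID": 22, "ComputerName": host, "UtcTime": utc,
            "QueryName": name, "QueryStatus": status, "QueryResults": results}


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _ev("WS01", "2020-08-28 10:00:00.000", "evil.example", "::ffff:93.184.216.34;"),
    _ev("WS01", "2020-08-28 10:00:01.000", "www.example.com",
        "type:  5 cdn.example.net;::ffff:93.184.216.34;"),
    _ev("WS01", "2020-08-28 10:00:05.000", "intranet.corp", "::ffff:10.1.2.3;"),
    _ev("WS01", "2020-08-28 10:00:12.500", "evil.example", "::ffff:192.168.1.20;"),  # rebinds to the LAN within 30s
    _ev("WS02", "2020-08-28 10:05:00.000", "evil.example", "::ffff:93.184.216.34;"),
    _ev("WS02", "2020-08-28 10:06:00.000", "evil.example", "::ffff:10.0.0.1;"),      # 60s apart: outside the window
    _ev("WS03", "2020-08-28 10:10:00.000", "loop.example", "::ffff:127.0.0.1;"),
    _ev("WS03", "2020-08-28 10:10:20.000", "loop.example",
        "2606:2800:220:1:248:1893:25c8:1946;"),                                      # public AAAA answer
    _ev("WS03", "2020-08-28 10:10:21.000", "nx.example", "", status="9003"),         # NXDOMAIN: ignored
]

if __name__ == "__main__":
    for host, name in detect_rebinding(SAMPLE_EVENTS):
        print(f"possible DNS rebinding on {host}: {name}")
```

Running it reports `evil.example` on WS01 and `loop.example` on WS03; the WS02 pair is dropped because the two answers are 60 seconds apart. Note that, like the rule, the internal list covers only IPv4 ranges, so a rebind to an IPv6 loopback or ULA address (`::1`, `fd00::/8`) would be classified as external.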