title: Possible DNS Rebinding
status: experimental
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
date: 2019/10/25
modified: 2019/11/13
author: Ilyas Ochkov, oscd.community
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
    - attack.command_and_control
    - attack.t1043
logsource:
    product: windows
    service: sysmon
detection:
    dns_answer:
        EventID: 22
        QueryName: '*'
        QueryStatus: '0' 
    filter_int_ip:
        QueryResults|startswith: 
            - '(::ffff:)?10.'
            - '(::ffff:)?192.168.'
            - '(::ffff:)?172.16.'
            - '(::ffff:)?172.17.'
            - '(::ffff:)?172.18.'
            - '(::ffff:)?172.19.'
            - '(::ffff:)?172.20.'
            - '(::ffff:)?172.21.'
            - '(::ffff:)?172.22.'
            - '(::ffff:)?172.23.'
            - '(::ffff:)?172.24.'
            - '(::ffff:)?172.25.'
            - '(::ffff:)?172.26.'
            - '(::ffff:)?172.27.'
            - '(::ffff:)?172.28.'
            - '(::ffff:)?172.29.'
            - '(::ffff:)?172.30.'
            - '(::ffff:)?172.31.'
            - '(::ffff:)?127.'        
    timeframe: 30s
    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level: medium