Figure 1-6: DNS queries broken out by type for a single week (7 days).
Most of the time, your top three DNS record types will be A (what IPv4 address belongs to this domain or hostname?), AAAA (the IPv6 equivalent of an A record), and PTR (what domain or hostname belongs to this IP address?). To query for several specific record types at once, change the clause to
AND record_type IN ([comma-separated list of DNS record types]). For example, to search for A, AAAA, PTR, and TXT records, the clause becomes
AND record_type IN (A, AAAA, PTR, TXT).
The next clause,
AND query IN ([comma-separated list of domains, TLDs, or substrings you want results for]), defines the list of top-level domains (or other name patterns) that DNS query results should be returned for. Each entry is matched against the query field as an exact, case-insensitive value, so a TLD needs a leading wildcard: *.tk matches every name ending in .tk, whereas a bare .tk would only match a query that is literally ".tk". (Wrapping each value in double quotes, such as "*.tk", is the safest form in SPL.) For example, to return all DNS queries to .live, .tk, .gq, .buzz, .cf, .ga, .loan, .fit, .ml and a handful of other frequently abused TLDs, the clause would look like:
AND query IN (*.live, *.tk, *.gq, *.buzz, *.cf, *.ga, *.loan, *.fit, *.ml, *.date, *.pw, *.bit, *.club, *.science, *.review, *.top, *.stream, *.download).
Threat hunting is a manual, human-centric process. The best thing you can do to enable good hunting is to break huge volumes of data and logs into manageable portions. Being able to control how much DNS data comes back for an analyst to sift through turns a gargantuan task into something tractable, lets the analyst see their progress, and keeps them from feeling overwhelmed.
Instead of attempting to look at all DNS queries, you can choose a single less common top-level domain, something like
AND query IN (*.top), or a group of top-level domains as specified above. You can also modify the query to look for dynamic DNS providers and then sift the high-entropy names out of those results; try something like
AND query IN (*.ddns.net, *.chickenkiller.com, *.3322.org) to dig for dynamic DNS results.
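The record_type and query clauses above are plain value-list filters, but the wildcard semantics matter: an entry without `*` is an exact match. The following Python is an added example (not from the original post, and not Splunk code) that emulates both clauses over a handful of constructed DNS log records, so you can see which names a given TLD list would and would not pull back before running it against a week of real logs. The log records, field names and patterns are all assumptions made for the example.

```python
import fnmatch

# Constructed sample DNS log records (not real data). Only the two fields the
# Splunk clauses filter on are modelled: record_type and query.
SAMPLE_DNS_LOGS = [
    {"record_type": "A",    "query": "www.example.com"},
    {"record_type": "A",    "query": "update-check.evil.tk"},
    {"record_type": "AAAA", "query": "cdn.fast.ly"},
    {"record_type": "TXT",  "query": "login.micros0ft.top"},
    {"record_type": "PTR",  "query": "5.4.3.2.in-addr.arpa"},
    {"record_type": "A",    "query": "c2host.ddns.net"},
    {"record_type": "MX",   "query": "mail.free-prizes.buzz"},
    {"record_type": "A",    "query": "TK"},
]


def matches_any(value, patterns):
    """Emulate Splunk's `field IN (...)` for string values: each entry is an
    exact, case-insensitive match, except that `*` matches any run of
    characters (dots included). A bare `.tk` therefore only matches a query
    that is literally ".tk"; `*.tk` is needed to match names ending in .tk.
    fnmatchcase also treats `?` and `[...]` specially, which Splunk does not,
    but neither character occurs in domain names."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def hunt(records, record_types, query_patterns):
    """Apply `AND record_type IN (...) AND query IN (...)` to the records and
    return the matching query names in log order."""
    wanted = {t.upper() for t in record_types}
    return [
        r["query"]
        for r in records
        if r["record_type"].upper() in wanted
        and matches_any(r["query"], query_patterns)
    ]


if __name__ == "__main__":
    tlds = ["*.tk", "*.top", "*.buzz", "*.ddns.net"]
    # The .buzz hit is an MX lookup, so it is dropped by the record_type clause.
    for q in hunt(SAMPLE_DNS_LOGS, ["A", "AAAA", "PTR", "TXT"], tlds):
        print(q)
    # Without the wildcard the entry matches nothing useful.
    print(hunt(SAMPLE_DNS_LOGS, ["A"], [".tk"]))
```

Run it and the first list contains the .tk, .top and ddns.net names only; the MX query to a .buzz domain is excluded by the record_type filter, and the query "TK" is excluded because `*.tk` requires the dot. The second call returns an empty list, which is exactly what happens in Splunk when a TLD is listed without its wildcard.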
If you are looking for inspiration on which top-level domains to hunt in, here are some areas to watch that can fuel DNS hunting trips:
- Bad Top Level Domain (TLD) lists – Spamhaus publishes a regularly updated top 10 list of the worst TLDs for spam operations. SURBL maintains a similar list of abused TLDs.
- Unusual country code TLDs – Consider country code TLDs such as .pw, .cn, .ru, .ga, .gq, .ml, .cf, .su, .ly, etc. Queries to these look especially unusual if your enterprise has no international customers or locations. Bear in mind that some trendy sites and startups use ccTLDs to complete their brand name, such as bit.ly, bonus.ly and fast.ly, so check who the registrant is before treating a ccTLD alone as suspicious. Registrars such as Freenom have let anyone register a domain under several ccTLDs for free, no questions asked, which is why those TLDs show up so often in abuse lists.
- Sudden increase in domain registrations – Resources such as DN Pedia and whoisds let you see newly registered domains. Did you suddenly see a huge jump in .monster registrations? It might be worth checking whether any of your systems have resolved names in that TLD, and why.
- Abused dynamic DNS domains – Want to look at dynamic DNS queries? Cisco has an interesting (if slightly dated) article on the most abused dynamic DNS domains. A security researcher with the handle "neu5ron" maintains a list of known dynamic DNS domains in a GitHub gist, and malware-domains.com provides a list of dynamic DNS domains in a zip file, though that file appears not to have been updated since 2018.
The next part that differs from the initial query is
search ut_shannon > 3. This raises the Shannon entropy threshold from the earlier value of 2.5 to 3. You can set this number higher or lower to control what the query treats as a "high entropy" domain name. A higher threshold excludes more results and leaves the most random-looking names (the kind a domain generation algorithm produces), while a lower threshold lets through more benign names to sift through. Two caveats apply. The Shannon entropy of a string of length n cannot exceed log2(n) bits, so a threshold of 3 silently drops every query of eight characters or fewer, however random it looks. And long legitimate hostnames (CDN and cloud storage names built from hex-like labels) routinely score above 3, so a hit is a lead to investigate, not a verdict.
The next clause of the query is
eval shannon=round(ut_shannon,2). This uses eval's round() function on the ut_shannon score and stores the result in a new field, shannon, rounded to two decimal places. Rounding makes the score easier to read and, in some cases, removes duplicate rows from the results: I found that a single domain could occasionally come back with two slightly different entropy scores, and rounding collapses them into one row.
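To make the threshold and rounding concrete, here is an added Python example (not from the original post, and not the URL Toolbox code) that computes Shannon entropy for a few constructed query names, applies the `> 3` cut, and rounds the survivors to two places the way the eval clause does. It assumes ut_shannon is the standard base-2 entropy of the query string; the sample names are invented for the example. It also shows the length bound from the caveat above: no name of eight characters or fewer can pass a threshold of 3.

```python
import math
from collections import Counter

# Constructed sample query names (not real log data).
SAMPLE_QUERIES = [
    "google.com",                 # ordinary name with repeated letters
    "abc.io",                     # short: cannot score high however it looks
    "xk7q2m9zwv4b.top",           # DGA-looking: 16 distinct characters
    "lh3.googleusercontent.com",  # benign but long, also lands above 3
    "c2host.ddns.net",            # dynamic DNS name
]


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character
    (assumed to match the base-2 formula behind URL Toolbox's ut_shannon)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def max_entropy(length):
    """Upper bound for any string of this length: log2(length) bits,
    reached only when every character is distinct."""
    return math.log2(length) if length > 0 else 0.0


def shortest_name_that_can_pass(threshold):
    """Smallest string length whose maximum entropy exceeds the threshold,
    i.e. everything shorter is invisible to `search ut_shannon > threshold`."""
    n = 1
    while max_entropy(n) <= threshold:
        n += 1
    return n


def score_queries(queries, threshold=3.0, places=2):
    """Emulate `search ut_shannon > threshold | eval shannon=round(ut_shannon, places)`
    and return (query, shannon) pairs that pass, in input order."""
    hits = []
    for q in queries:
        h = shannon_entropy(q)
        if h > threshold:
            hits.append((q, round(h, places)))
    return hits


if __name__ == "__main__":
    print("names shorter than", shortest_name_that_can_pass(3.0),
          "characters can never exceed 3 bits")
    for q, h in score_queries(SAMPLE_QUERIES):
        print(f"{h:5.2f}  {q}")
```

The all-distinct name xk7q2m9zwv4b.top scores exactly log2(16) = 4.0 bits, the maximum for its length, while google.com and abc.io stay below 3 and are filtered out. Note that lh3.googleusercontent.com also survives the cut at roughly 3.65, which is the false-positive pattern to expect from long CDN and cloud hostnames. Raising the threshold to 3.7 would drop it, but would also drop the dynamic DNS name at about 3.24, so entropy is best combined with the TLD or dynamic DNS filters rather than used on its own.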