Peekaboo we see GRU (part 3)
Threat intel has value in some cases, but we propose that some famous attacks, Solarwinds for example, could have been detected using the following technique.
Could the recent Solarwinds hack have been discovered months earlier? We believe the answer is yes, but it requires real attention to the details of your DNS traffic and, in some cases, an Adderall prescription.
Instead of hoping our threat intel provider is sending us perfect global intel and expecting our security / IT staff to update blocklists within seconds, what if we added another layer to detect suspicious activity on any Windows system?
Original source: solarwinds-threathunt/iocs.csv at master · sophos-cybersecurity/solarwinds-threathunt (github.com)
Before we go into the details of how this works, let’s do a quick test to see if any of the 18 Solarwinds IOCs could have been detected.
We got them! Keep in mind this cc-main-2020*.txt file was created on October 16, 2020, many months before the Solarwinds hack was discovered!
You might assume this txt file contains a list of known malicious domains, but that is not the case at all. This file contains the top 538 million domains from several months ago. We are not interested in domains that are in this file, but in Solarwinds IOC domains that are NOT in this file.
Here is a higher def version of the image. https://github.com/hunting4hackers/blog/raw/main/images/part3-2.png
Here is the solarwinds-IOCs.txt file that we used above. Note we searched for exact matches using the regex “$” anchor and subdomain matches using the “\.” pattern. https://raw.githubusercontent.com/hunting4hackers/blog/main/part3/solarwinds-IOCs.txt
What is commoncrawl.org?
Note this file is almost 8 GB and 37 GB after you unzip it.
Linux is best for running “gunzip” on this file, but 7-Zip will also work.
Enable Windows DNS Client Events
In part 1 we included links to help you get Sysmon installed on your Windows computer. Now we need to enable another important event source: DNS Client Events. This is a busy event source, and we don’t recommend sending all of these events to your SIEM unless you can handle the volume.
If you are wondering why we use DNS Client Events and not Sysmon Event ID 22 DNS events: we found that this log writes events faster and has more complete coverage of DNS activity.
To enable this event source, open Event Viewer and expand “Application and Services Logs” → “Microsoft” → “Windows”. Scroll down to “DNS Client Events”, right-click “Operational” and select “Enable Log”.
See this link if you need more information. Steps to enable DNS Query Logging on Windows systems (windowsreport.com)
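To tie the two halves of this post together (the “is this domain in the top-538-million list?” check from the Solarwinds test above, and the DNS Client Events log we just enabled), here is an added example that is not code from this blog. It takes DNS Client Events records exported as XML, keeps the completed-query events (Event ID 3008, which carries the looked-up name in its QueryName field; confirm the ID and field name against your own Operational log), and reports every name that is neither in the top-domain list nor a subdomain of something in it. The matching mirrors the regex note above: an exact match (the “$” anchor) or a parent-domain match (the “\.” pattern), so “notgoogle.com” is not treated as covered by “google.com”. The tiny domain list and the event records are constructed stand-ins; the real cc-main-2020*.txt file is 37 GB and would be loaded the same way, one domain per line.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

# Windows event XML namespace (the <Event> element carries this xmlns when exported).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed stand-in for cc-main-2020*.txt: one domain per line, no known-bad list involved.
TOP_DOMAINS_TXT = """\
google.com
microsoft.com
windowsupdate.com
solarwinds.com
commoncrawl.org
"""

# Constructed records in the shape of a Microsoft-Windows-DNS-Client/Operational export.
# 3008 = "DNS query is completed"; the other ID is a different stage of a lookup in the same
# log, included to show that only 3008 is counted (avoids counting one lookup twice).
# "example-c2.invalid" is a placeholder, not a real indicator.
EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:01Z"/></System>
  <EventData><Data Name="QueryName">www.google.com</Data><Data Name="QueryType">1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:02Z"/></System>
  <EventData><Data Name="QueryName">Microsoft.COM.</Data><Data Name="QueryType">1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3006</EventID><TimeCreated SystemTime="2020-10-16T12:00:03Z"/></System>
  <EventData><Data Name="QueryName">cdn.example-c2.invalid</Data><Data Name="QueryType">1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:03Z"/></System>
  <EventData><Data Name="QueryName">cdn.example-c2.invalid</Data><Data Name="QueryType">1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:04Z"/></System>
  <EventData><Data Name="QueryName">cdn.example-c2.invalid</Data><Data Name="QueryType">28</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:05Z"/></System>
  <EventData><Data Name="QueryName">fileserver</Data><Data Name="QueryType">1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3008</EventID><TimeCreated SystemTime="2020-10-16T12:00:06Z"/></System>
  <EventData><Data Name="QueryName">1.0.168.192.in-addr.arpa</Data><Data Name="QueryType">12</Data></EventData>
</Event>
</Events>"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Microsoft.COM.' equals 'microsoft.com'."""
    return name.strip().lower().rstrip(".")


def load_top_domains(text: str) -> Set[str]:
    """Load the one-domain-per-line list into a set for O(1) membership checks."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def in_top_list(name: str, top: Set[str]) -> bool:
    """True if the name itself ('$' exact match) or any parent domain ('\\.' subdomain match)
    is in the list. The bare TLD is never consulted, so 'com' alone does not make a name known."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):          # a.b.example.com -> b.example.com -> example.com
        if ".".join(labels[i:]) in top:
            return True
    return False


def query_names(events_xml: str) -> List[str]:
    """Pull QueryName from every Event ID 3008 record in the export."""
    names = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "3008":
            continue
        for data in ev.findall("e:EventData/e:Data", NS):
            if data.get("Name") == "QueryName" and data.text:
                names.append(normalize(data.text))
    return names


def unknown_queries(events_xml: str, top_domains_text: str) -> List[str]:
    """Unique queried names that are absent from the top-domain list (the hunt output)."""
    top = load_top_domains(top_domains_text)
    unknown = set()
    for name in query_names(events_xml):
        if "." not in name:                                   # single-label intranet names: skip
            continue
        if name.endswith((".in-addr.arpa", ".ip6.arpa")):     # reverse lookups: skip
            continue
        if not in_top_list(name, top):
            unknown.add(name)
    return sorted(unknown)


if __name__ == "__main__":
    for name in unknown_queries(EVENTS_XML, TOP_DOMAINS_TXT):
        print("not in top-domain list:", name)
```

On a real workstation the interesting output is the long tail: names no large crawl has ever seen. Expect your own Active Directory domain, split-horizon names and CDN edge hostnames to show up too, so keep a second, local allowlist beside the Common Crawl list and review the remainder rather than alerting on every hit.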
Additional Awesome Resources
Digging for Gold: Examining DNS Logs on Windows Clients (sans.org)
Maximizing Your Defense with Windows DNS Logging (domaintools.com)