title: Possible DNS Rebinding
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
description: Detects several different DNS answers for one domain with IPs from both internal and external networks. Normally a DNS answer carries a TTL > 100 (the DNS record is kept in the host cache for the duration of the TTL).
detection:
    SELECTION_1:
        EventID: 22
    SELECTION_2:
        QueryName: '*'
    SELECTION_3:
        QueryStatus: '0'
    SELECTION_4:
        QueryResults: (::ffff:)?10.*
    SELECTION_5:
        QueryResults: (::ffff:)?192.168.*
    SELECTION_6:
        QueryResults: (::ffff:)?172.16.*
    SELECTION_7:
        QueryResults: (::ffff:)?172.17.*
    SELECTION_8:
        QueryResults: (::ffff:)?172.18.*
    SELECTION_9:
        QueryResults: (::ffff:)?172.19.*
    SELECTION_10:
        QueryResults: (::ffff:)?172.20.*
    SELECTION_11:
        QueryResults: (::ffff:)?172.21.*
    SELECTION_12:
        QueryResults: (::ffff:)?172.22.*
    SELECTION_13:
        QueryResults: (::ffff:)?172.23.*
    SELECTION_14:
        QueryResults: (::ffff:)?172.24.*
    SELECTION_15:
        QueryResults: (::ffff:)?172.25.*
    SELECTION_16:
        QueryResults: (::ffff:)?172.26.*
    SELECTION_17:
        QueryResults: (::ffff:)?172.27.*
    SELECTION_18:
        QueryResults: (::ffff:)?172.28.*
    SELECTION_19:
        QueryResults: (::ffff:)?172.29.*
    SELECTION_20:
        QueryResults: (::ffff:)?172.30.*
    SELECTION_21:
        QueryResults: (::ffff:)?172.31.*
    SELECTION_22:
        QueryResults: (::ffff:)?127.*
    SELECTION_23:
        QueryName: '*'
    SELECTION_24:
        QueryStatus: '0'
    SELECTION_25:
        QueryResults: (::ffff:)?10.*
    SELECTION_26:
        QueryResults: (::ffff:)?192.168.*
    SELECTION_27:
        QueryResults: (::ffff:)?172.16.*
    SELECTION_28:
        QueryResults: (::ffff:)?172.17.*
    SELECTION_29:
        QueryResults: (::ffff:)?172.18.*
    SELECTION_30:
        QueryResults: (::ffff:)?172.19.*
    SELECTION_31:
        QueryResults: (::ffff:)?172.20.*
    SELECTION_32:
        QueryResults: (::ffff:)?172.21.*
    SELECTION_33:
        QueryResults: (::ffff:)?172.22.*
    SELECTION_34:
        QueryResults: (::ffff:)?172.23.*
    SELECTION_35:
        QueryResults: (::ffff:)?172.24.*
    SELECTION_36:
        QueryResults: (::ffff:)?172.25.*
    SELECTION_37:
        QueryResults: (::ffff:)?172.26.*
    SELECTION_38:
        QueryResults: (::ffff:)?172.27.*
    SELECTION_39:
        QueryResults: (::ffff:)?172.28.*
    SELECTION_40:
        QueryResults: (::ffff:)?172.29.*
    SELECTION_41:
        QueryResults: (::ffff:)?172.30.*
    SELECTION_42:
        QueryResults: (::ffff:)?172.31.*
    SELECTION_43:
        QueryResults: (::ffff:)?127.*
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22) and (SELECTION_23 and SELECTION_24) and not ((SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43))) | count(QueryName) by ComputerName > 3
id: eb07e747-2552-44cd-af36-b659ae0958e4
level: medium
logsource:
    category: dns_query
    product: windows
modified: 2020/08/28
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
status: experimental
tags:
    - attack.initial_access
    - attack.t1189
yml_filename: dns_query_possible_dns_rebinding.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
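Worked example, added here and not part of the Sigma rule, the oscd.community project or any Sigma backend: a small Python implementation of what this rule is looking for, run over constructed Sysmon Event ID 22 (DnsQuery) records. Note that the flat condition as printed cannot match a single event, because the same QueryResults value would have to be both inside and outside the internal ranges; the rule only makes sense as a correlation, which is what the description states: per ComputerName, more than 3 query names whose successful answers (QueryStatus 0) included both an internal address (10/8, 172.16/12, 192.168/16, 127/8, with or without the IPv4-mapped ::ffff: prefix) and an external one. The event dictionaries, the semicolon-separated QueryResults layout with "type: N" tokens, and the field names are assumptions modelled on Sysmon's DnsQuery event, not data taken from the rule.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# One regex equivalent to the rule's nineteen QueryResults patterns:
# optional ::ffff: prefix, then 10/8, 192.168/16, 172.16/12 or 127/8.
INTERNAL_ANSWER = re.compile(
    r"^(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)"
)

# Constructed sample events (assumption: field names and QueryResults layout
# follow Sysmon Event ID 22; none of this is real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # WS01: four names that answered once externally and once internally
    *[
        {"EventID": 22, "ComputerName": "WS01", "QueryName": f"r{i}.rebind.example",
         "QueryStatus": "0", "QueryResults": r}
        for i in range(1, 5)
        for r in ("::ffff:203.0.113.7;", "::ffff:10.0.0.5;")
    ],
    # WS01: ordinary lookup with a CNAME token and a public answer only
    {"EventID": 22, "ComputerName": "WS01", "QueryName": "www.example",
     "QueryStatus": "0", "QueryResults": "type: 5 edge.example;::ffff:198.51.100.9;"},
    # WS01: failed lookup (non-zero QueryStatus) must be ignored even with an internal string
    {"EventID": 22, "ComputerName": "WS01", "QueryName": "r9.rebind.example",
     "QueryStatus": "9003", "QueryResults": "::ffff:192.168.0.1;"},
    # WS02: only two names flip between internal and external, below the threshold
    *[
        {"EventID": 22, "ComputerName": "WS02", "QueryName": f"r{i}.rebind.example",
         "QueryStatus": "0", "QueryResults": r}
        for i in (1, 2)
        for r in ("::ffff:172.31.4.4;", "2001:db8::1;")
    ],
    # WS02: loopback only, never external, so not a flip
    {"EventID": 22, "ComputerName": "WS02", "QueryName": "localhost.example",
     "QueryStatus": "0", "QueryResults": "::ffff:127.0.0.1;"},
]


def is_internal(answer: str) -> bool:
    """True when a single answer token falls in the rule's internal/loopback ranges."""
    return INTERNAL_ANSWER.match(answer.strip()) is not None


def split_results(query_results: str) -> List[str]:
    """Split Sysmon's ';'-joined QueryResults and drop 'type: N ...' record-type tokens."""
    tokens = [t.strip() for t in query_results.split(";") if t.strip()]
    return [t for t in tokens if not t.lower().startswith("type:")]


def find_rebinding_candidates(events: Iterable[Dict[str, object]],
                              threshold: int = 3) -> Dict[str, List[str]]:
    """Per ComputerName, collect query names whose successful answers were seen
    both inside and outside the internal ranges; report hosts where the number
    of such names exceeds `threshold` (the rule's count(QueryName) > 3)."""
    seen = defaultdict(lambda: defaultdict(lambda: {"internal": False, "external": False}))
    for ev in events:
        if ev.get("EventID") != 22 or str(ev.get("QueryStatus")) != "0":
            continue
        for answer in split_results(str(ev.get("QueryResults", ""))):
            side = "internal" if is_internal(answer) else "external"
            seen[str(ev["ComputerName"])][str(ev["QueryName"])][side] = True
    hits: Dict[str, List[str]] = {}
    for host, names in seen.items():
        flipped = sorted(n for n, f in names.items() if f["internal"] and f["external"])
        if len(flipped) > threshold:
            hits[host] = flipped
    return hits


if __name__ == "__main__":
    for host, names in find_rebinding_candidates(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)} names resolved to both internal and external addresses: {names}")
```

Tracking both answers per name, rather than filtering on a single event, is what turns the rule's contradictory single-event condition into the correlation its description intends; in a SIEM this is the aggregation step after the field filter. Lower the threshold for a noisier but earlier signal, and expect benign flips from split-horizon DNS and VPN clients, which are the main false-positive sources to whitelist.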