119 lines
3.9 KiB
YAML
119 lines
3.9 KiB
YAML
title: Possible DNS Rebinding
|
|
author: Ilyas Ochkov, oscd.community
|
|
date: 2019/10/25
|
|
description: Detects several different DNS-answers by one domain with IPs from internal
|
|
and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will
|
|
saved in host cache for a while TTL).
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 22
|
|
SELECTION_10:
|
|
QueryResults: (::ffff:)?172.20.*
|
|
SELECTION_11:
|
|
QueryResults: (::ffff:)?172.21.*
|
|
SELECTION_12:
|
|
QueryResults: (::ffff:)?172.22.*
|
|
SELECTION_13:
|
|
QueryResults: (::ffff:)?172.23.*
|
|
SELECTION_14:
|
|
QueryResults: (::ffff:)?172.24.*
|
|
SELECTION_15:
|
|
QueryResults: (::ffff:)?172.25.*
|
|
SELECTION_16:
|
|
QueryResults: (::ffff:)?172.26.*
|
|
SELECTION_17:
|
|
QueryResults: (::ffff:)?172.27.*
|
|
SELECTION_18:
|
|
QueryResults: (::ffff:)?172.28.*
|
|
SELECTION_19:
|
|
QueryResults: (::ffff:)?172.29.*
|
|
SELECTION_2:
|
|
QueryName: '*'
|
|
SELECTION_20:
|
|
QueryResults: (::ffff:)?172.30.*
|
|
SELECTION_21:
|
|
QueryResults: (::ffff:)?172.31.*
|
|
SELECTION_22:
|
|
QueryResults: (::ffff:)?127.*
|
|
SELECTION_23:
|
|
QueryName: '*'
|
|
SELECTION_24:
|
|
QueryStatus: '0'
|
|
SELECTION_25:
|
|
QueryResults: (::ffff:)?10.*
|
|
SELECTION_26:
|
|
QueryResults: (::ffff:)?192.168.*
|
|
SELECTION_27:
|
|
QueryResults: (::ffff:)?172.16.*
|
|
SELECTION_28:
|
|
QueryResults: (::ffff:)?172.17.*
|
|
SELECTION_29:
|
|
QueryResults: (::ffff:)?172.18.*
|
|
SELECTION_3:
|
|
QueryStatus: '0'
|
|
SELECTION_30:
|
|
QueryResults: (::ffff:)?172.19.*
|
|
SELECTION_31:
|
|
QueryResults: (::ffff:)?172.20.*
|
|
SELECTION_32:
|
|
QueryResults: (::ffff:)?172.21.*
|
|
SELECTION_33:
|
|
QueryResults: (::ffff:)?172.22.*
|
|
SELECTION_34:
|
|
QueryResults: (::ffff:)?172.23.*
|
|
SELECTION_35:
|
|
QueryResults: (::ffff:)?172.24.*
|
|
SELECTION_36:
|
|
QueryResults: (::ffff:)?172.25.*
|
|
SELECTION_37:
|
|
QueryResults: (::ffff:)?172.26.*
|
|
SELECTION_38:
|
|
QueryResults: (::ffff:)?172.27.*
|
|
SELECTION_39:
|
|
QueryResults: (::ffff:)?172.28.*
|
|
SELECTION_4:
|
|
QueryResults: (::ffff:)?10.*
|
|
SELECTION_40:
|
|
QueryResults: (::ffff:)?172.29.*
|
|
SELECTION_41:
|
|
QueryResults: (::ffff:)?172.30.*
|
|
SELECTION_42:
|
|
QueryResults: (::ffff:)?172.31.*
|
|
SELECTION_43:
|
|
QueryResults: (::ffff:)?127.*
|
|
SELECTION_5:
|
|
QueryResults: (::ffff:)?192.168.*
|
|
SELECTION_6:
|
|
QueryResults: (::ffff:)?172.16.*
|
|
SELECTION_7:
|
|
QueryResults: (::ffff:)?172.17.*
|
|
SELECTION_8:
|
|
QueryResults: (::ffff:)?172.18.*
|
|
SELECTION_9:
|
|
QueryResults: (::ffff:)?172.19.*
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
|
|
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
|
|
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
|
|
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
|
|
or SELECTION_21 or SELECTION_22) and (SELECTION_23 and SELECTION_24) and not
|
|
((SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29
|
|
or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34
|
|
or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
|
|
or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43)))| count(QueryName)
|
|
by ComputerName > 3
|
|
id: eb07e747-2552-44cd-af36-b659ae0958e4
|
|
level: medium
|
|
logsource:
|
|
category: dns_query
|
|
product: windows
|
|
modified: 2020/08/28
|
|
references:
|
|
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
|
|
status: experimental
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1189
|
|
yml_filename: dns_query_possible_dns_rebinding.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
|
|
|