DNS Tunneling & Other Hunts w/ RockNSM (Bro & ELK) – Perched

Show Us Something Useful

1. ELK + Bro using RockNSM

For this setup, we will use RockNSM. Here are some detailed walkthroughs (skip to video 2 if you are already familiar with spans and taps).

As many of you know, your monitoring infrastructure is itself a target for attackers, which is why I chose RockNSM over other ELK+Bro deployments: its secure-by-design implementation uses SELinux.

2. RockNSM Enrichment

git clone https://github.com/neu5ron/rocknsm-add-enrichment

Now upload the repository to your RockNSM server (if you did not perform the git clone from the server itself).

3. Additional Elasticsearch Configurations

Before we start ingesting new data, with the added enrichment, we need to make sure that these new configurations are applied to the Elasticsearch database.

Add the Elasticsearch mapping template by performing the following:

curl -H 'Content-Type: application/json' -XPUT "http://localhost:9200/_template/bro-domain-names" -d @rocknsm-add-enrichment/elasticsearch/index-mappings/92-bro-domain-names.json;

4. Additional Logstash Configuration

In order to detect the patterns of DNS tunneling/exfil we need to add specific fields for the 1st level domain (aka TLD), the 1st + 2nd level domain (i.e. google.com) and the 1st + 2nd + 3rd level domain (i.e. www.google.com).

The reason is that, as shown earlier, DNS tunneling/exfil creates a high volume of unique subdomains under one registered domain. Therefore, we will be performing aggregations on the 1st + 2nd level of the domain.

We also want to add other metadata such as the length of the name and the total number of levels (i.e. counting each “.”).

# Copy logstash file to rocknsm
sudo mv rocknsm-add-enrichment/logstash/conf.d/logstash-816-domain-enrichment-filter.conf /etc/logstash/conf.d/
# Give logstash permissions for the file
sudo chown logstash:logstash /etc/logstash/conf.d/logstash-816-domain-enrichment-filter.conf
# Change permissions
sudo chmod 640 /etc/logstash/conf.d/logstash-816-domain-enrichment-filter.conf
# Restart logstash to implement new configuration
sudo systemctl restart logstash

5. Kibana Visualizations/Dashboards

I have created and shared all the necessary Kibana visualizations/dashboards in order to see and test the detection method for yourself.

First, we need to import the visualizations/dashboards file:
In Kibana, after logging in, go to “Management”, click “Saved Objects”, click “Import” and select the “rocknsm-add-enrichment/kibana/dns.json” file from the repository cloned earlier.

Second, we need to refresh the index pattern so Kibana learns the new fields:
In Kibana, after logging in, go to “Management”, click “Index Patterns”, select the “bro-*” index pattern and click the recycle button (“Refresh field list”) in the top right.

Management > “Index Patterns” refresh “bro-*” index.

6. Detection Method

We will aggregate on the 1st + 2nd level domains and look for a high count of unique subdomains.

The test is performed by injecting a DNS tunneling PCAP into two of my environments. I will show you how you can do the same on your own network/setup.

Sub-aggregations on the unique count of hosts that performed the lookup may aid in detection. For example, 1 host performing lookups on 4,000 subdomains is a lot more suspicious than 500 hosts performing lookups on 4,000 unique subdomains. Sub-aggregations on the max total length and the max number of levels in the domain also allow us to make a more informed decision.
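To make the enrichment and the aggregation concrete, here is an added offline model of the hunt. It is example code written for this page, not RockNSM's or the enrichment repository's own Logstash filter or Kibana dashboard. It derives the enrichment fields described above (1st, 1st + 2nd, 1st + 2nd + 3rd level domain, length, number of levels) from a constructed, cut-down Bro dns.log, then groups by 1st + 2nd level domain and computes the same sub-aggregations the dashboard uses: lookup count, unique subdomains, unique querying hosts, max length and max levels. The thresholds in find_outliers, the sample data and the field names are assumptions; "levels" here counts labels rather than dots.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed sample data: a cut-down Bro dns.log carrying only the
    columns this hunt needs (ts, id.orig_h, query). A real dns.log has many more."""
    lines = ["#fields\tts\tid.orig_h\tquery"]
    ts = 1500000000.0
    # Ordinary traffic: many hosts, a handful of names, looked up repeatedly.
    for i in range(200):
        host = f"10.0.1.{i % 50 + 1}"
        name = ("www.example.com", "mail.example.com", "cdn.example.com")[i % 3]
        lines.append(f"{ts + i}\t{host}\t{name}")
    # CDN-like traffic: many unique subdomains, but spread over many hosts.
    for i in range(120):
        lines.append(f"{ts + i}\t10.0.2.{i % 40 + 1}\tcache-{i}.cdn.example.org")
    # Tunnel-like traffic (constructed): a single host, every query a fresh label.
    # The multiplier is odd, so the labels are unique modulo 2**32.
    for i in range(80):
        label = format(i * 2654435761 % (1 << 32), "08x") + format(i * 40503 % (1 << 16), "04x")
        lines.append(f"{ts + i}\t10.0.3.7\t{label}.tunnel.example.net")
    return lines


def parse_dns_log(lines):
    """Parse Bro's tab-separated log format using its #fields header."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def enrich(query):
    """Fields the Logstash enrichment adds, as assumed here: levels of the name,
    its total length and its number of labels."""
    name = query.rstrip(".").lower()
    labels = name.split(".")
    return {
        "domain_name": name,
        "domain_1n": labels[-1],                 # TLD, e.g. "com"
        "domain_1n2": ".".join(labels[-2:]),     # registered domain, e.g. "google.com"
        "domain_1n2n3": ".".join(labels[-3:]),   # e.g. "www.google.com"
        "length": len(name),
        "levels": len(labels),
    }


def aggregate_by_1n2(rows):
    """Group by 1st + 2nd level domain with the dashboard's sub-aggregations."""
    buckets = defaultdict(lambda: {"count": 0, "names": set(), "hosts": set(),
                                   "max_length": 0, "max_levels": 0})
    for row in rows:
        e = enrich(row["query"])
        b = buckets[e["domain_1n2"]]
        b["count"] += 1
        b["names"].add(e["domain_name"])
        b["hosts"].add(row["id.orig_h"])
        b["max_length"] = max(b["max_length"], e["length"])
        b["max_levels"] = max(b["max_levels"], e["levels"])
    return {dom: {"count": b["count"], "unique_names": len(b["names"]),
                  "unique_hosts": len(b["hosts"]), "max_length": b["max_length"],
                  "max_levels": b["max_levels"]} for dom, b in buckets.items()}


def find_outliers(summary, min_unique_names=50, max_unique_hosts=3, min_unique_ratio=0.9):
    """Flag registered domains with many unique subdomains, few querying hosts and
    a unique-subdomain to lookup ratio close to 1 (assumed thresholds)."""
    hits = []
    for dom, s in summary.items():
        ratio = s["unique_names"] / s["count"]
        if (s["unique_names"] >= min_unique_names and s["unique_hosts"] <= max_unique_hosts
                and ratio >= min_unique_ratio):
            hits.append(dom)
    return sorted(hits)


if __name__ == "__main__":
    summary = aggregate_by_1n2(parse_dns_log(build_sample_log()))
    for dom, s in sorted(summary.items(), key=lambda kv: -kv[1]["unique_names"]):
        print(f"{dom:<14} count={s['count']:<4} uniq_names={s['unique_names']:<4} "
              f"uniq_hosts={s['unique_hosts']:<3} max_len={s['max_length']:<3} max_levels={s['max_levels']}")
    print("outliers:", find_outliers(summary))
```

Note that the CDN-like domain has just as many unique subdomains as the tunnel-like one; it is the unique-host sub-aggregation that separates them, which is the point the paragraph above makes.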

PCAP Injection into Live Network

You’ll notice that, in this network, the tunneled domain “chickenkiller[.]com” is nowhere near the domain with the most unique subdomains. In fact, it has 37,424 fewer subdomains!

Combined with only 1 UniqHosts performing the lookup and the ratio of unique subdomains (Unique Domain Names) to total lookups (Count), 4,837 / 4,858 (in this case more subdomains than lookups?), we can begin to see that this domain is an outlier.

PCAP Injection Into (My) Home Network

Tunneling Highlighted

Clearly, the same tunneled domain stands out far above the rest of the domains.

Also note that this dashboard has a data table visualization for domain_1n2n3_name; it is there for tunneling/exfil domains that live off a shared suffix such as co.uk.

That way you can filter out co.uk in the unique 1n2 subdomains, while something such as somedomain.co.uk would still appear in this visualization.

How to Inject the PCAP Into Your Network

# Find interface to replay the PCAP to
sudo tcpreplay --listnics
# Make sure to use one of the NICs listed that matches one of the listening NICs in /etc/rocknsm/config.yml under "rock_monifs"
grep -A5 "rock_monifs" /etc/rocknsm/config.yml
# Convert PCAP GZ to regular PCAP for replay
editcap -F pcap rocknsm-add-enrichment/testing/dnscat2.pcap.gz rocknsm-add-enrichment/testing/dnscat2.pcap
# Replay the PCAP, replacing "enp0s8" with your interface determined above
sudo tcpreplay -i enp0s8 -p 1250 rocknsm-add-enrichment/testing/dnscat2.pcap

# You should then see output similar to this
Actual: 10000 packets (1465823 bytes) sent in 7.99 seconds
Rated: 183245.6 Bps, 1.46 Mbps, 1250.12 pps
Flows: 7 flows, 0.87 fps, 9682 flow packets, 318 non-flow
Statistics for network device: enp0s8
Successful packets: 10000
Failed packets: 0
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0

Once you have injected the data into your network, wait a minute for the data to be indexed, then view the detection method by logging into Kibana, going to Dashboard and selecting the dashboard “DNS Tunneling Detection”.

Dashboard Selection
How the Dashboard should look

When you are done you can delete the “injected” data from your Elasticsearch/ELK (so the test data does not keep producing a false positive). This will NOT delete any other data you have.

You can either perform this from the CLI or from Kibana “Dev Tools” as shown below:

Delete injected data
POST /bro-*/_delete_by_query
{
  "query": {
    "bool": {
      "must": [
        { "match": { "domain_1n2n3_name": "sirknightthe.chickenkiller.com" } }
      ]
    }
  }
}

7. Additional Detection/Hunts

Because we added additional metadata/enrichment to our Logstash pipeline, we can detect additional low-hanging fruit in DNS, HTTP, and SSL logs.

Detect IDN/Punycode/Emoji Domains

IDN homograph attacks made some news when they were used to trick users when visiting domains they thought were owned by Apple.

domain.is_idn:true OR domain.has_non_ascii:true

IDN/Punycode domains

Detect Domains that are an IP Address in SSL or HTTP

domain.ends_with_int:true AND domain_type:(ssl OR http)

Detect Domains that would not be a valid IP or Domain in SSL or HTTP

domain.has_dot:false AND domain_type:(ssl OR http)
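As an added example (not the enrichment repository's own filter), the following reproduces the three hunts above offline: it derives the flags the Kibana queries filter on (is_idn, has_non_ascii, ends_with_int, has_dot) from constructed domain values and applies the same domain_type conditions. How exactly the Logstash filter computes these flags is an assumption here; the sample records and the hunt function names are constructed for this example.

```python
# Constructed sample records: the name seen in each log type (DNS query,
# HTTP Host header, SSL server name) together with the log it came from.
SAMPLE_RECORDS = [
    {"domain_type": "http", "domain_name": "www.example.com"},
    {"domain_type": "ssl", "domain_name": "xn--bcher-kva.example"},   # punycode of bücher
    {"domain_type": "http", "domain_name": "bücher.example"},          # raw non-ASCII name
    {"domain_type": "http", "domain_name": "192.0.2.10"},              # IP used as Host header
    {"domain_type": "dns", "domain_name": "203.0.113.5"},              # IP, but in a DNS log
    {"domain_type": "ssl", "domain_name": "localhost"},                # no dot at all
    {"domain_type": "http", "domain_name": "internal-proxy"},          # bare hostname
]


def domain_flags(name):
    """Flags assumed to match what the enrichment adds to each record:
    is_idn       - any label is punycode (starts with xn--)
    has_non_ascii- the name contains characters outside ASCII
    ends_with_int- the last label is all digits, as in an IPv4 address
    has_dot      - the name contains at least one dot"""
    stripped = name.rstrip(".")
    labels = stripped.split(".")
    return {
        "is_idn": any(label.lower().startswith("xn--") for label in labels),
        "has_non_ascii": not stripped.isascii(),
        "ends_with_int": labels[-1].isdigit(),
        "has_dot": "." in stripped,
    }


def hunt_idn(records):
    """domain.is_idn:true OR domain.has_non_ascii:true"""
    hits = []
    for r in records:
        f = domain_flags(r["domain_name"])
        if f["is_idn"] or f["has_non_ascii"]:
            hits.append(r["domain_name"])
    return hits


def hunt_ip_as_hostname(records):
    """domain.ends_with_int:true AND domain_type:(ssl OR http)"""
    return [r["domain_name"] for r in records
            if r["domain_type"] in ("ssl", "http")
            and domain_flags(r["domain_name"])["ends_with_int"]]


def hunt_no_dot(records):
    """domain.has_dot:false AND domain_type:(ssl OR http)"""
    return [r["domain_name"] for r in records
            if r["domain_type"] in ("ssl", "http")
            and not domain_flags(r["domain_name"])["has_dot"]]


if __name__ == "__main__":
    print("IDN / non-ASCII:", hunt_idn(SAMPLE_RECORDS))
    print("IP as hostname: ", hunt_ip_as_hostname(SAMPLE_RECORDS))
    print("no dot:         ", hunt_no_dot(SAMPLE_RECORDS))
```

The DNS-log record with an IP-looking name is deliberately left out of the second hunt by the domain_type condition, mirroring the queries above, which restrict that hunt to SSL and HTTP.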

After you try the dashboard and visualizations I would love to hear any feedback and recommendations you may have.
