This commit is contained in:
petebryan 2020-08-04 11:36:53 -07:00
Parent 68e6b6732b
Commit 6f0ba31206
8 changed files: 34 additions and 33 deletions

View file

@ -1,9 +1,8 @@
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
name: Rare high reverse DNS count
description: |
'Identifies clients with a high reverse DNS counts which could be carrying out scanning activity.
Alert is generated if the IP performing such reverse DNS lookups was not seen doing so
in the preceding 7-day period.'
'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.
Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'
severity: Medium
requiredDataConnectors:
- connectorId: DNS
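Review bot: the rewritten description still reads "a high reverse DNS counts" (singular article with a plural noun); since both lines are being replaced anyway, make it "a high reverse DNS count". The shift from "scanning" to "reconnaissance or discovery activity" is fine and lines up with the tactic naming used elsewhere in the repo.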

View file

@ -1,9 +1,9 @@
id: 8e9c4680-8c0b-4885-b183-3b09efd8fc2c
name: DNS commonly abused TLDs
name: DNS lookups for commonly abused TLDs
description: |
'Some top level domains (TLDs) are more commonly associated with malware for a range of
reasons - including how easy domains on these TLDs are to obtain. Many of these may be undesirable
from an enterprise policy perspective.
from an enterprise policy perspective. You can update and extend the list of TLD's you wish to search for.
The NameCount column provides an initial insight into how widespread the domain usage is across the environment.'
requiredDataConnectors:
- connectorId: DNS
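Review bot: "TLD's" in the added sentence is a possessive, not a plural; it should be "TLDs". It would also help the analyst to say where the list lives, e.g. "extend the abusedTLD list in the query", so the sentence points at the value they are expected to edit.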
@ -18,7 +18,8 @@ relevantTechniques:
- T1048
query: |
let timeframe = 7d;
let timeframe = 7d;\
// Add additional TLDs to this list are reuqired.
let abusedTLD = dynamic(["click", "club", "download", "xxx", "xyz"]);
DnsEvents
| where TimeGenerated >= ago(timeframe)
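Review bot: the replacement line `let timeframe = 7d;\` has picked up a stray trailing backslash. Inside a YAML `|` block scalar the backslash is literal, so the query engine receives `7d;\`, which is not valid KQL and will make the whole query fail to parse; the line should stay `let timeframe = 7d;`. The new comment also needs a spelling and grammar fix: "Add additional TLDs to this list as required."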

View file

@ -1,11 +1,11 @@
id: 1d9951b7-51f0-4aa7-af0c-654359aadfff
name: DNS Domain anomalous lookup increase
description: |
'Checking for a threefold increase or more of Domain lookup per ClientIP for today based on daily average for the previous week.
This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network to a group of systems on the same second level domain.
'Checking for a threefold increase or more of domain lookups per client IP address for the curretn day vs daily average for the previous week.
This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network to a group of systems based on the same second level domain.
For example, if one client is sending requests for test1.badguy.com and another client is sending requests for test2.badguy.com, you may not see a high enough count to be interesting.
However, a combination of the requests to badguy.com could have a high enough count to be interesting.
This is only Name lookups, so it would be recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the interesting requests.'
This is only Name lookups, so it would be recommended to review the Firewall\Webproxy logs in relation to the client IP address making the interesting requests.'
requiredDataConnectors:
- connectorId: DNS
dataTypes:
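Review bot: "curretn" in the rewritten first sentence should be "current". Otherwise the change to "client IP address" reads better and matches the wording used in the last sentence of the same description.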
@ -31,7 +31,7 @@ query: |
DnsEvents
//Setting to startofday so we get 7 days prior to today
| where TimeGenerated >= startofday(ago(startTime)) and TimeGenerated <= startofday(ago(endTime))
| where SubType == "LookupQuery"
| where SubType =~ "LookupQuery"
//getting the associated number of the day of the week so we can map to a given day for later parsing if needed
| extend DayNumberofWeek = tostring(dayofweek(TimeGenerated))
//Setting the Day of the week value so that certain days could be excluded if needed
@ -48,7 +48,7 @@ query: |
| project StartTimeUtc, EndTimeUtc, ClientIP, Domain, IPAddresses, DailyAvgLookupCountOverLastWeek = count_/numDays
| join ( DnsEvents
| where TimeGenerated >= startofday(ago(endTime))
| where SubType == "LookupQuery"
| where SubType =~ "LookupQuery"
| extend Domain = iff(countof(Name,'.') >= 2, strcat(split(Name,'.')[-2], '.',split(Name,'.')[-1]), Name)
| summarize count() by ClientIP, Domain, IPAddresses
| project ClientIP, LookupCountToday = count_, Domain, IPAddresses

View file

@ -1,7 +1,7 @@
id: 81b478a7-46e2-4f7f-a1aa-aba5e541232b
name: DNS Full Name anomalous lookup increase
description: |
'Checking for a threefold increase or more of Full Name lookup per ClientIP for today based on daily average for the previous week.
'Checking for a threefold increase or more of Full Name lookup per Client IP for the current day for today vs the daily average for the previous week.
This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network.
This is only Name lookups, so it would be recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the interesting requests.'
requiredDataConnectors:
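Review bot: the new sentence says "for the current day for today vs the daily average", which duplicates "today"; drop "for today" so it reads "for the current day vs the daily average for the previous week", matching the phrasing adopted in the Domain lookup rule in this same commit.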
@ -29,7 +29,7 @@ query: |
DnsEvents
//Setting to startofday so we get 7 days prior to today
| where TimeGenerated >= startofday(ago(startTime)) and TimeGenerated <= startofday(ago(endTime))
| where SubType == "LookupQuery"
| where SubType =~ "LookupQuery"
//getting the associated number of the day of the week so we can map to a given day for later parsing if needed
| extend DayNumberofWeek = tostring(dayofweek(TimeGenerated))
//Setting the Day of the week value so that certain days could be excluded if needed
@ -45,7 +45,7 @@ query: |
| project StartTimeUtc, EndTimeUtc, ClientIP, FullNameLookup = Name, IPAddresses, DailyAvgLookupCountOverLastWeek = count_/numDays
| join ( DnsEvents
| where TimeGenerated >= startofday(ago(endTime))
| where SubType == "LookupQuery"
| where SubType =~ "LookupQuery"
| summarize count() by ClientIP, FullNameLookup = Name, IPAddresses
| project ClientIP, LookupCountToday = count_, FullNameLookup, IPAddresses
)

View file

@ -2,7 +2,7 @@ id: 543e1ec6-ee5e-4368-aaa6-405f0551ba5c
name: DNS high percentage NXDomain count
description: |
'Clients with a high NXDomain count could be indicative of a DGA (cycling through possible C2 domains
where most C2s are not live). Based on quartile precent analysis aglorithm'
where most C2s are not live). Based on quartile precent analysis aglorithm.'
severity: Medium
requiredDataConnectors:
- connectorId: DNS
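Review bot: this hunk only appends a period, but the line it touches still carries two typos, "precent" and "aglorithm"; since the line is already being rewritten, correct them to "quartile percent analysis algorithm" in the same change.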
@ -23,9 +23,9 @@ query: |
let excludeTLD = dynamic(["arris","ati","virtusa","unknowndomain","onion","corp","domain","local","localdomain","host","home","gateway","lan",
"services","hub","domain.name","WirelessAP","Digicom-ADSL","OpenDNS","dlinkrouter","Dlink","ASUS","device","router","Belkin","DHCP","Cisco"]);
let nxDomainDnsEvents = DnsEvents
| where ResultCode == "3"
| where ResultCode == 3
| where QueryType in ("A", "AAAA")
| where ClientIP != "127.0.0.1"
| where ipv4_is_match("127.0.0.1", ClientIP) == False
| where Name !contains "/"
| where Name contains "."
| extend mytld = tostring(split(Name, '.')[-1])
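Review bot: two things to verify in this hunk. First, `ResultCode == "3"` becomes `ResultCode == 3`; that is only correct if the ResultCode column is numeric in the DnsEvents schema, otherwise the integer comparison silently matches nothing and the NXDomain filter becomes empty, so please confirm the column type. Second, `ipv4_is_match("127.0.0.1", ClientIP) == False` is behaviourally identical to the old `ClientIP != "127.0.0.1"` because no prefix is given; if the intent is to exclude all loopback traffic, use `"127.0.0.0/8"`, and prefer `not(ipv4_is_match(...))` over comparing against a boolean literal.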
@ -57,7 +57,7 @@ query: |
| where TotalNXLookups > IPthreshold
| join kind = leftouter (nxDomainDnsEvents
| where TimeGenerated > ago(timeframe)
| summarize domainCount=dcount(Name) by truncatedDomain, ClientIP
| summarize domainCount = dcount(Name) by truncatedDomain, ClientIP
| project SearchList = strcat(truncatedDomain," (",tostring(domainCount),")"), ClientIP
) on ClientIP
| summarize SLDs_DistinctLookups = make_list(SearchList) by ClientIP, TotalNXLookups, IPthreshold
@ -83,8 +83,8 @@ query: |
| where TotalNXLookups > GlobalThreshold
| join kind = leftouter (nxDomainDnsEvents
| where TimeGenerated > ago(timeframe)
| summarize domainCount=dcount(Name) by truncatedDomain, ClientIP
| project truncatedDomain= strcat(truncatedDomain," (",tostring(domainCount),")"), ClientIP
| summarize domainCount = dcount(Name) by truncatedDomain, ClientIP
| project truncatedDomain = strcat(truncatedDomain," (",tostring(domainCount),")"), ClientIP
) on ClientIP
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), SLDs_DistinctLookups = make_list(truncatedDomain), UniqueSLDsCount=count(truncatedDomain) by ClientIP, TotalNXLookups, GlobalThreshold
| sort by TotalNXLookups desc);

View file

@ -1,7 +1,7 @@
id: fda90754-4e22-4bb1-8b99-2bb49a991eae
name: High reverse DNS count
name: High reverse DNS count by host
description: |
'Clients with a high reverse DNS count could be carrying out scanning activity'
'Clients with a high reverse DNS count could be carrying out reconnaissance or discovery activity.'
requiredDataConnectors:
- connectorId: DNS
dataTypes:
@ -13,10 +13,10 @@ relevantTechniques:
query: |
let timeframe = 1d;
let nameThreshold = 10;
let threshold = 10;
DnsEvents
| where TimeGenerated >= ago(timeframe)
| where Name contains "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), NameCount = dcount(Name), Names = makeset(Name), ClientIPCount = count() by ClientIP
| where NameCount > nameThreshold
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), NameCount = dcount(Name), Names = make_set(Name), ClientIPCount = count() by ClientIP
| where NameCount > threshold
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP
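Review bot: renaming `nameThreshold` to `threshold` loses the hint that the value is compared against a distinct-name count, and the more generic name is easier to confuse with the `ClientIPCount` column produced in the same summarize; keep the descriptive name. The `makeset` to `make_set` change is correct since `makeset` is the deprecated form. While touching this block, `Name contains "in-addr.arpa"` would be both tighter and cheaper as `Name endswith ".in-addr.arpa"`.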

View file

@ -1,10 +1,11 @@
id: a0954a17-cc66-4d47-9651-8bf524bbdcc8
name: Long DNS URI Query
name: Abnormally long DNS URI queries
description: |
'Length of DNS query can often be an indicator of suspicious activity. Regular domain names lengths are not too large whereas domain name query used
'Length of DNS query can often be an indicator of suspicious activity. Typical domain name lengths are short whereas domain name query used
for data exfiltration or tunneling can often be very large in size. This is because they could be encoded using base 64/32 etc. The hunting query looks
for Names that are more than 200 characters in length. Having said that there are also a lot of reputation feeds and some services like Spotify which
used the DNS protocol to send information to external servers . Would need to whitelist these benign services in your environment.'
for Names that are more than 150 characters in length. Due to a lot of services using long DNS to communicate via prcodurally generated long domain names
this can be prone, so a number of known services are excluded from this query. Additional items might need to be added to this exclusion dependent on your
environment.'
requiredDataConnectors:
- connectorId: DNS
dataTypes:
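Review bot: the rewritten description changes the stated length cutoff from 200 to 150 characters, but no hunk in this file changes a length threshold in the query; please confirm the query already filters at 150, otherwise the description is now out of sync with what the rule does. The added sentences also need cleanup: "prcodurally" should be "procedurally", and "this can be prone" is missing its object ("prone to false positives").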
@ -31,8 +32,8 @@ query: |
let DomainLookups =
(
DnsEvents | where TimeGenerated >= ago(1d)
| where SubType == "LookupQuery"
| where ClientIP != "127.0.0.1"
| where SubType =~ "LookupQuery"
| where ipv4_is_match("127.0.0.1", ClientIP) == False
| where Name !endswith ".local" and Name !startswith "_" and Name !startswith "#"
| where Name !contains "::1"
| where Name !has "cnr.io" and Name !has "kr0.io" and Name !has "arcticwolf.net" and Name !has "webcfs00.com" and Name !has "barracudabrts.com"and Name !has "trendmicro.com"
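Review bot: same remark as for the NXDomain rule: with no prefix, `ipv4_is_match("127.0.0.1", ClientIP) == False` matches exactly what `ClientIP != "127.0.0.1"` did, so pass `"127.0.0.0/8"` if the aim is to drop the loopback range, and write the negation as `not(...)` rather than comparing to `False`. The unchanged context line below has `"barracudabrts.com"and Name` with no space before `and`; since this exclusion list is right next to the edited lines, fix that spacing in the same change.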

View file

@ -1,8 +1,8 @@
id: aaf84b80-7764-420c-98eb-239b5e194b3d
name: DNS Domains linked to WannaCry ransomware campaign
description: |
'Displays client DNS request for any of the known domains linked to #WannaCry.
These results may indicate #Wannacry / #Wannacrypt ransomware infection.
'Displays client DNS request for any of the known domains linked to WannaCry.
These results may indicate Wannacry/Wannacrypt ransomware infection.
Reference: Domain listing from https://pastebin.com/cRUii32E'
requiredDataConnectors:
- connectorId: DNS
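Review bot: dropping the hashtags is fine, but the only provenance for the domain list remains a pastebin URL, which can be deleted or edited without notice; consider citing a vendor or CERT advisory alongside it, or noting in the description that the domains are pinned in the query body and the link is historical context only.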