Techniques
Sample rules
Windows Short Lived DNS Record
- source: splunk
- technicques:
- T1071.004
- T1557.001
- T1187
Description
The following analytic identifies the creation and quick deletion of a DNS object within 300 seconds in an Active Directory environment, indicative of a potential attack abusing DNS. This detection leverages Windows Security Event Codes 5136 and 5137, analyzing the duration between these events. This activity is significant as temporary DNS entries allows attackers to cause unexpecting network trafficking, leading to potential compromise.
Detection logic
`wineventlog_security` ((EventCode=5137 ObjectClass="dnsNode") OR (EventCode=5136 ObjectClass="dnsNode" AttributeLDAPDisplayName="dNSTombstoned" AttributeValue="TRUE"))
| stats min(_time) as firstTime max(_time) as lastTime values(EventCode) as event_codes values(ObjectDN) as dns_record values(SubjectUserName) as user values(Computer) as dest by ObjectGUID
| where mvcount(event_codes)=2
| eval time_diff=lastTime - firstTime
| where time_diff <= 300
| table firstTime, lastTime, dns_record, user, dest, time_diff, ObjectGUID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_short_lived_dns_record_filter`