False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.

Techniques

Sample rules

Detect suspicious DNS TXT records using pretrained model in DSDL

Description

The following analytic uses a pre-trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types such as email, verification and HTTP using regular expressions (https://www.tide-project.nl/blog/wtmc2020/). TXT records that do not match the regular expressions for well-known types are labeled 1 for "unknown/suspicious", and otherwise 0 for "not suspicious". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences and predict whether a DNS TXT record is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5.
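As an added illustration (not code from the Splunk detection or from the TIDE project), the regex-based labeling step the description relies on, in Python: a TXT answer that matches a well-known type gets label 0, anything else gets label 1. The patterns below are my own approximations of common benign TXT types, not the TIDE project's regexes, and the sample answers are constructed; the last sample, a DKIM key published without its optional v= tag, shows how a benign record can land in the "unknown" class, which is exactly the false-positive case noted above.

```python
import re

# Assumption: approximations of common benign TXT record types. The TIDE
# project's actual regexes are not reproduced here.
KNOWN_TXT_PATTERNS = {
    "email": re.compile(r"^v=(?:spf1|DKIM1|DMARC1)\b", re.IGNORECASE),
    "verification": re.compile(
        r"^(?:[a-z0-9-]+-(?:site-)?verification=|MS=ms\d+)", re.IGNORECASE),
    "http": re.compile(r"^https?://\S+$", re.IGNORECASE),
}


def categorize_txt(text: str) -> str:
    """Return the first well-known type whose regex matches, else 'unknown'."""
    record = text.strip().strip('"')  # DNS.answer is often quoted
    for name, pattern in KNOWN_TXT_PATTERNS.items():
        if pattern.search(record):
            return name
    return "unknown"


def label_is_unknown(text: str) -> int:
    """1 = unknown/suspicious (no known-type regex matched), 0 = not suspicious."""
    return 1 if categorize_txt(text) == "unknown" else 0


# Constructed sample answers, shaped like the DNS.answer field fed to the model.
SAMPLE_TXT_ANSWERS = [
    "v=spf1 include:_spf.example.net -all",
    "google-site-verification=AbCdEf1234567890",
    "MS=ms12345678",
    "https://example.org/policy",
    "dGhpcyBpcyBhIGJhc2U2NCBibG9i",                    # opaque base64-looking blob
    "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ",  # DKIM key without v= tag
]


def label_records(answers):
    """Label each answer: (answer, matched type, is_unknown label)."""
    return [(a, categorize_txt(a), label_is_unknown(a)) for a in answers]


if __name__ == "__main__":
    for answer, kind, label in label_records(SAMPLE_TXT_ANSWERS):
        print(f"{label} {kind:<12} {answer}")
```

The benign DKIM record in the last row is labeled 1 here, so tuning the known-type patterns (or the search's `where is_suspicious_score > 0.5` threshold) is the first place to look when reviewing alerts.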

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type 
| `drop_dm_object_name("DNS")` 
| rename answer as text 
| fields firstTime, lastTime, message_type,record_type,src,dest, text 
| apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl 
| rename predicted_is_unknown as is_suspicious_score 
| where is_suspicious_score > 0.5 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score 
| `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`