LoFP / Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.

Techniques

Sample rules

DNS record changed

Description

The search takes the DNS records and their answers from the discovered_dns_records lookup and finds whether any of those records have changed by searching DNS responses in the Network_Resolution data model across the last day. A record counts as changed when a currently observed answer is not among the answers stored for that domain in the lookup.

Detection logic

| inputlookup discovered_dns_records
| rename answer as discovered_answer
| join domain [
    | tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query
    | rename DNS.query as query
    | where query!="unknown"
    | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)" ]
| makemv delim=" " answer
| makemv delim=" " type
| sort -count
| table count,src,domain,type,query,current_answer,discovered_answer
| makemv current_answer
| mvexpand current_answer
| makemv discovered_answer
| eval n=mvfind(discovered_answer, current_answer)
| where isnull(n)
| `dns_record_changed_filter`
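The following Python is an added illustration of what the SPL above computes, not code from the LoFP project or from the rule's author. It reproduces the pipeline over constructed data: a stand-in for the discovered_dns_records lookup, a handful of constructed DNS response events in the shape of the Network_Resolution data model (documentation IP ranges only), the same domain-extraction regex, the per-query aggregation of the tstats, the inner join on domain, and the mvexpand/mvfind check that flags any current answer missing from the baseline. It also shows the false-positive handling the LoFP entry asks for: once a change has been verified as legitimate, the new answer is added to the domain's baseline row so the record stops firing. Field names and the accept_legitimate_change helper are assumptions made for the example.

```python
import re

# The rule's rex pattern, written with Python's named-group syntax.
DOMAIN_RE = re.compile(r"(?P<domain>\w+\.\w+?)(?:$|/)")

# Constructed stand-in for the discovered_dns_records lookup
# (answers are space-separated, as the rule's makemv delim=" " implies).
DISCOVERED_DNS_RECORDS = [
    {"domain": "example.com", "answer": "93.184.216.34"},
    {"domain": "example.net", "answer": "198.51.100.10 198.51.100.11"},
]

# Constructed DNS response events (message_type=RESPONSE already applied).
DNS_RESPONSES = [
    {"query": "www.example.com",  "answer": "93.184.216.34", "record_type": "A", "src": "10.0.0.5"},
    {"query": "www.example.com",  "answer": "203.0.113.7",   "record_type": "A", "src": "10.0.0.5"},
    {"query": "mail.example.net", "answer": "198.51.100.11", "record_type": "A", "src": "10.0.0.9"},
    {"query": "unknown",          "answer": "192.0.2.1",     "record_type": "A", "src": "10.0.0.9"},
    {"query": "example.org",      "answer": "",              "record_type": "A", "src": "10.0.0.9"},
    {"query": "example.org",      "answer": "unknown",       "record_type": "A", "src": "10.0.0.9"},
]


def extract_domain(query):
    """Same extraction as `rex field=query ...`; None when the pattern does not match."""
    m = DOMAIN_RE.search(query)
    return m.group("domain") if m else None


def aggregate_responses(events):
    """Mirror the tstats: count, distinct types, answers and sources per query,
    after dropping the answer!="unknown", answer!="" and query!="unknown" rows."""
    agg = {}
    for e in events:
        if e["query"] == "unknown" or e["answer"] in ("", "unknown"):
            continue
        row = agg.setdefault(e["query"], {"count": 0, "type": set(), "current_answer": set(), "src": set()})
        row["count"] += 1
        row["type"].add(e["record_type"])
        row["current_answer"].add(e["answer"])
        row["src"].add(e["src"])
    return agg


def dns_record_changed(lookup, events):
    """Return one finding per (query, current_answer) whose answer is not in the
    baseline for the extracted domain; this is the `mvfind(...)` is null test."""
    baseline = {}
    for r in lookup:
        baseline.setdefault(r["domain"], set()).update(r["answer"].split())
    findings = []
    for query, row in aggregate_responses(events).items():
        domain = extract_domain(query)
        if domain is None or domain not in baseline:
            continue  # join is inner by default: no lookup row, no result
        for answer in sorted(row["current_answer"]):  # mvexpand current_answer
            if answer not in baseline[domain]:        # mvfind returned null
                findings.append({
                    "count": row["count"],
                    "src": sorted(row["src"]),
                    "domain": domain,
                    "type": sorted(row["type"]),
                    "query": query,
                    "current_answer": answer,
                    "discovered_answer": sorted(baseline[domain]),
                })
    findings.sort(key=lambda f: -f["count"])  # sort -count
    return findings


def accept_legitimate_change(lookup, domain, answer):
    """LoFP handling (assumed helper): after verifying a change is legitimate,
    append the new answer to that domain's baseline row. Returns a new list."""
    updated = []
    for r in lookup:
        if r["domain"] == domain and answer not in r["answer"].split():
            updated.append({"domain": domain, "answer": r["answer"] + " " + answer})
        else:
            updated.append(dict(r))
    return updated


if __name__ == "__main__":
    for f in dns_record_changed(DISCOVERED_DNS_RECORDS, DNS_RESPONSES):
        print(f)
    # After the analyst verifies 203.0.113.7 as a legitimate new answer:
    refreshed = accept_legitimate_change(DISCOVERED_DNS_RECORDS, "example.com", "203.0.113.7")
    print(dns_record_changed(refreshed, DNS_RESPONSES))
```

Two properties of the rule are visible in this reconstruction and matter when triaging its output: a domain with no row in discovered_dns_records never produces a result (the join is inner), and any answer that has been verified as legitimate must be appended to the existing baseline row rather than replacing it, otherwise the previously known answers will start firing instead.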