Query Details

Dns Requests To Suspicious Tlds

Query

let SuspiciousTLD = externaldata(TLD: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/netcraft-tlds.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents  
| where ActionType == "DnsConnectionInspected"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend DnsQuery = tostring(AdditionalFields.query), ResponseCode = tostring(AdditionalFields.rcode_name), Direction = tostring(AdditionalFields.direction)
| extend TLDArray = split(DnsQuery,'.')
| extend TLD = strcat(".",TLDArray[array_length(TLDArray)-1])
| where Direction == "Out"
| project DeviceName, DnsQuery, ResponseCode, TLDArray, TLD
| join SuspiciousTLD on $left.TLD == $right.TLD

About this query

DNS requests to suspicious TLDs

Description

Zeek network layer signals for MDE includes the DnsConnectionInspected table which provides fruitful information about DNS connections. By taking into account netcraft's top 20 TLDs that are being used for cybercrime, you can hunt for suspicious DNS requests.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Versioning

VersionDateComments
1.002/09/2023Initial publish

Explanation

The query is looking for suspicious DNS requests by analyzing the DnsConnectionInspected table in Zeek network layer signals. It uses a list of top 20 TLDs known for cybercrime from netcraft.com to identify these suspicious requests. The query filters for DNS connections that are outgoing and then joins the results with the list of suspicious TLDs.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: September 2, 2023

Tables

DeviceNetworkEvents

Keywords

DNSTLDDnsConnectionInspectednetcraftMDEMicrosoft 365 DefenderMicrosoft SentinelDeviceNetworkEventsActionTypeAdditionalFieldsDnsQueryResponseCodeDirectionTLDArrayDeviceNameSuspiciousTLD

Operators

externaldatawithformatignoreFirstRecordletDeviceNetworkEventswhereextendtostringsplitstrcatprojectjoin

MITRE Techniques

Actions

GitHub