Stories from the SOC – DNS recon + exfiltration

March 12, 2021 | Sumner Meckel

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

Our Managed Threat Detection and Response team responded to an Alarm indicating that suspicious reconnaissance activity was occurring internally from one of our customer's scanners.  This activity was shortly followed by escalating activity involving brute force activity, remote code execution attempts, and exfiltration channel probing attempts all exploiting vulnerable DNS services on the domain controllers.  The analyst was able to alert the customer to the activity before any successful exfiltration activity had taken place and the customer was able to confirm that it was a planned red team exercise.

Investigation

Initial alarm review

The initial alarm came from an Event in Microsoft® Advanced Threat Analytics that detected possible reconnaissance and discovery activity coming from an asset with a naming convention that indicated it was an enterprise scanner.  Scanners frequently have external exposure, are typically easier to brute force against, and host multiple legitimate services like DNS, SMTP, SMB, that can be used to hide malicious activity.

DNS recon alarm details screen

Expanded investigation

Soon after this, brute force activity and remote code execution attempts were reported involving Windows® Management Instrumentation (WMI) exploitation coming from a compromised service account that shared a naming convention with the scanner’s hostname, indicating the scanner and service account were compromised and now pivoting activity was occurring with the attacker attempting to gain further entry into the network.

These remote code execution (RCE) attempts were flagged with behavior associated with a DNS service vulnerability that had known patches available. Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)

  • Vulnerability Reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-058

After the WMI RCE attempts were flagged, multiple assets with naming conventions that matched domain controllers generated alarms by attempting to contact well known external DNS servers. However this activity was also flagged as suspicious since these assets were not configured for DNS services or had previously been associated with DNS activity.

DNS event details

This, combined with the firewall events denying external traffic over port 53, indicated that these servers were not authorized to perform DNS services and that this activity was likely a probing attempt to find methods of exfiltration, such as DNS tunneling.

Response

SOC response to activity

The customer was alerted to the activity by the analyst and was able to confirm that it was part of a planned red team exercise. While this particular example was an internal effort, the customer commended our efforts at detecting the threat and responding quickly.

Sumner Meckel

About the Author: Sumner Meckel

Senior Specialist Sumner Meckel joined MTDR as a founding member of the Austin-based SOC team in November 2019. His previous experience includes desktop and network support for sensitive government contractor sites as well as administering multiple cloud environments for healthcare organizations. When he isn't spending time with his family, Sumner can usually be found trying to learn something new or building something fun (or both!) For Sumner, the best part of working in MTDR is finding and testing OSINT sources to build custom blue-team applications.

Read more posts from Sumner Meckel ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe via email

RSS

Get price Free trial