T1048 – Exfiltration Over Alternative Protocol (Zeek Detection)

Zeek Alert Details
Alert ID: ZEEK-EXFIL-ALT-PROTO-1048-7842
Alert Time: 2024-03-02 14:15:33 EST
Severity: HIGH (88/100)
Source: Zeek Network Security Monitor
Rule: “Large Data Transfer over DNS – Potential DNS Tunneling”
MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Alert Details:

Detection: Large volume of DNS queries with encoded data – DNS tunneling

Source: 192.168.45.78 (ENG-WS-045 – Engineering)
DNS Server: 8.8.8.8 (Google DNS)
Time: 14:00-14:15 EST

DNS Query Pattern:

14:00:15 – TXT query for a1b2c3d4e5f6.evil.com (response: 124 bytes)
14:00:22 – TXT query for g7h8i9j0k1l2.evil.com (response: 118 bytes)
14:00:28 – TXT query for m3n4o5p6q7r8.evil.com (response: 132 bytes)
… (continuing every 5-10 seconds)

Query Analysis:

Domain: *.evil.com (registered 2024-02-28)
Query Type: TXT (returns text data)
Subdomain lengths: 12-16 characters (random)
Response sizes: 100-150 bytes each
Total queries: 847 in 15 minutes
Total data transferred: ~98 KB (exfiltrated data)

Decoded Data Sample (base64 in subdomains):

Subdomain: a1b2c3d4e5f6

Decoded: “UEsDBBQAAAAIAICIF1Yj…” (ZIP header)

Detection Logic:

847 DNS queries in 15 minutes (highly anomalous)
TXT queries with random subdomains (DNS tunneling pattern)
Destination domain suspicious (newly registered)
Response sizes consistent with encoded data
Pattern matches DNS tunneling exfiltration
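The detection logic above, turned into a small detector that runs over Zeek dns.log records and scores each (source host, registered domain) pair on volume, TXT share, label length and label randomness. This is an added example, not Zeek's own rule or the page's code; the log lines are constructed in Zeek's JSON-lines layout, and the hosts, thresholds and labels are assumptions chosen to resemble the incident.

```python
import base64
import hashlib
import json
import math
from collections import Counter, defaultdict

# Constructed Zeek dns.log records in JSON-lines form (what Zeek writes with LogAscii::use_json=T).
# Field names are Zeek's; hosts, domain and labels are made up: 200 TXT queries with 16-character
# encoded labels under evil.com from one workstation, plus a few ordinary A lookups from another host.
def _label(i):
    return base64.urlsafe_b64encode(hashlib.sha256(str(i).encode()).digest()[:12]).decode()

SAMPLE_DNS_LOG = "\n".join(
    [json.dumps({"ts": 1709406015.0 + 6 * i, "id.orig_h": "192.168.45.78", "id.resp_h": "8.8.8.8",
                 "query": f"{_label(i)}.evil.com", "qtype_name": "TXT"}) for i in range(200)]
    + [json.dumps({"ts": 1709406020.0 + 60 * i, "id.orig_h": "192.168.45.12", "id.resp_h": "10.0.0.53",
                   "query": "www.example.com", "qtype_name": "A"}) for i in range(5)])

def shannon_entropy(s):
    """Bits per character; encoded labels score high, real hostnames low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(query):
    """Crude eTLD+1 (last two labels); fine for the example, not for suffixes like co.uk."""
    parts = query.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else query

def detect_dns_tunneling(log_text, min_queries=100, min_txt_ratio=0.8,
                         min_label_len=12, min_entropy=3.0):
    """Group queries by (source host, registered domain); flag groups that are high-volume,
    mostly TXT, and whose leftmost labels are long and random-looking."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            groups[(rec["id.orig_h"], registered_domain(rec["query"]))].append(rec)
    alerts = []
    for (src, domain), recs in groups.items():
        if len(recs) < min_queries:
            continue
        labels = [r["query"].split(".")[0] for r in recs]
        txt_ratio = sum(r["qtype_name"] == "TXT" for r in recs) / len(recs)
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if txt_ratio >= min_txt_ratio and avg_len >= min_label_len and avg_entropy >= min_entropy:
            alerts.append({"src": src, "domain": domain, "queries": len(recs),
                           "txt_ratio": round(txt_ratio, 2), "avg_label_len": round(avg_len, 1),
                           "avg_entropy": round(avg_entropy, 2)})
    return alerts
```

In production the grouping would be done per time window (the alert above uses 15 minutes) and the domain age check would come from a threat-intel or WHOIS lookup, which this offline example omits.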
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zeek alert | Zeek Logs, Splunk | Confirmed DNS tunneling activity
2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | dnscat2.exe (DNS tunneling tool) running
3. Data Analysis | Decode DNS queries | Base64 decoder | Exfiltrated data: ZIP files with documents
4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined
5. DNS Blocking | Block evil.com domain | Cisco Umbrella, Palo Alto | Domain blocked
6. Malware Removal | Clean infected host | CrowdStrike Live Response | dnscat2.exe removed; host reimaged

Jira Incident Report
Ticket: SOC-2024-157
Summary: T1048 – DNS Tunneling Exfiltration of 98 KB Data
Status: RESOLVED
Resolution: MALICIOUS – Exfiltration Detected, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1048, alternative-protocol, dns-tunneling, exfiltration, zeek, dnscat2
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Zeek Network Security Monitor.
Alert: “Large Data Transfer over DNS – Potential DNS Tunneling”.
Source: ENG-WS-045 (Engineering, user rpatel).
Method: DNS tunneling via TXT queries.
Data: ~98 KB exfiltrated.
Time: 2024-03-02 14:15 EST.
Technique: MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.

2. Technical Analysis:

Attack Chain:

13:30 – rpatel account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:50 – Attacker downloads dnscat2.exe (DNS tunneling tool)
13:55 – Attacker collects sensitive files (ZIP archives)
14:00-14:15 – Exfiltration via DNS tunneling
14:15 – Zeek detects

DNS Tunneling Tool:

Name: dnscat2.exe
SHA256: a1b2c3d4e5f6…
Mechanism: Encodes data in DNS queries (subdomains)
Protocol: DNS over UDP port 53
Server: evil.com (attacker-controlled DNS server)

Exfiltrated Data (98 KB):

Financial reports (2 files) – 45 KB
Customer list (1 file) – 28 KB
Source code snippets (3 files) – 25 KB
Total: 6 files, 98 KB

DNS Query Analysis:

Total Queries: 847 in 15 minutes
Data per Query: ~100-150 bytes
Total Data: ~98 KB
Domain: evil.com (now blocked)

3. Investigation Findings:

Timeline:

13:30 – Account compromised
13:45 – Attacker logs in
13:50 – dnscat2.exe downloaded
13:55 – Data collection
14:00-14:15 – Exfiltration
14:15 – Zeek alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Domain blocked

Indicators of Compromise (IoCs):

Network:

– Domain: evil.com (blocked)

– DNS pattern: 847 TXT queries in 15 minutes

File:

– C:\Windows\Temp\dnscat2.exe (SHA256: a1b2c3d4…)

Account:

– rpatel (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Blocked evil.com domain at firewall and DNS.
Terminated dnscat2.exe process.
Deleted dnscat2.exe.
Disabled rpatel account.
Reset password.

Data Protection:

Determined scope of exfiltrated data (98 KB, 6 files).
Notified affected data owners.

Host Remediation:

Reimaged host.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DNS allowed to external resolvers (8.8.8.8).

6. Business Impact:

Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 98 KB of sensitive data exfiltrated (financial, customer, source code).

7. Remediation & Prevention:

Completed Actions:

Exfiltration stopped.
Malware removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted DNS to corporate resolvers only (block external DNS).
Enhanced Zeek monitoring for DNS tunneling.

8. Conclusion:

An attacker used DNS tunneling to exfiltrate 98 KB of sensitive data, evading controls focused on conventional channels by carrying the data in DNS queries to an attacker-controlled domain. Zeek detected the anomalous DNS query pattern and enabled rapid containment, though the exfiltration had already completed by the time the alert fired.

Closure Rationale: Data exfiltrated; exfiltration stopped; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 15:30 EST
