Splunk Alert Details
Alert ID: SPLUNK-NETWORK-RECON-7842
Alert Time: 2024-02-08 13:22:45 EST
Severity: MEDIUM (68/100)
Source: Splunk Enterprise Security Correlation Rule
Rule: “Internal Network Reconnaissance – DNS Query Anomaly”
MITRE ATT&CK: T1590 – Gather Victim Network Information
Alert Details:
Correlation Rule: “Excessive DNS Queries for Internal Hostnames”
Time Window: 13:15 – 13:22 EST (7 minutes)
Source Host: IT-WS-023 (IT Department)
User: tanderson (Tom Anderson, IT Support)
IP: 192.168.120.45
DNS Query Pattern:
– Total queries: 2,847 in 7 minutes
– Query types: A, AAAA, PTR, SRV
– Targets: Sequential hostname enumeration
– dc01.company.com, dc02.company.com, dc03.company.com…
– sql01.company.com, sql02.company.com, sql03.company.com…
– web01.company.com, web02.company.com, web03.company.com…
– fs01.company.com, fs02.company.com, fs03.company.com…
– vcenter01.company.com, esx01.company.com, esx02.company.com…
Detection Logic:
– Baseline: IT-WS-023 averages 50 DNS queries/hour
– Current: 2,847 queries in 7 minutes (488x baseline)
– Pattern: Sequential enumeration of hostname patterns
– Tool signature: “dnsenum” or similar reconnaissance tool
Additional Context:
– User tanderson is in IT department (legitimate network access)
– No change tickets for network scanning/assessment
– No approved security testing scheduled
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify DNS query pattern in Splunk | Splunk ES, DNS Server Logs | Confirmed sequential hostname enumeration |
| 2. Endpoint Investigation | Check process on source host | CrowdStrike Falcon | Found dnsenum.exe running from user’s Downloads folder |
| 3. User Interview | Contact user to understand activity | Teams, Phone | User admitted to running “network discovery tool” for learning |
| 4. Tool Analysis | Analyze dnsenum binary | VirusTotal, Sandbox | Legitimate network reconnaissance tool; no malware |
| 5. Impact Assessment | Check if any network mapping succeeded | DNS Logs, Network Documentation | 847 internal hostnames resolved; network topology exposed |
| 6. Remediation | Remove tool, educate user | CrowdStrike, GPO | Tool removed; user re-trained; policy violation documented |
Jira Incident Report
Ticket: SOC-2024-043
Summary: T1590 – Internal Network Reconnaissance via DNS Enumeration
Status: RESOLVED
Resolution: POLICY VIOLATION – No Malicious Intent
Priority: P3 – LOW
Labels: T1590, network-recon, dns-enumeration, policy-violation, it-department
Components: Network-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Splunk ES correlation rule (DNS query anomaly).
- Alert: “Excessive DNS Queries for Internal Hostnames”.
- Source Host: IT-WS-023 (IT Department, user tanderson).
- Time: 2024-02-08 13:15-13:22 EST.
- Technique: MITRE ATT&CK T1590 – Gather Victim Network Information.
2. Technical Analysis:
- Activity Details:
- Tool Used: dnsenum.pl (Perl script) executed from user’s Downloads folder.
- Command: dnsenum.pl –enum company.com -f subdomains.txt
- Duration: 7 minutes.
- Queries: 2,847 DNS queries.
- Pattern: Sequential enumeration of common hostname patterns (dc, sql, web, fs, vcenter, esx).
- Results:
- Resolved Hostnames: 847 internal hostnames identified.
- Information Gathered: Internal naming conventions, server roles, IP addresses.
- Network Topology Exposed: Domain controllers, SQL servers, file servers, VMware infrastructure.
- User Intent:
- User admitted to running tool for “learning about network discovery techniques.”
- No malicious intent; preparing for a security presentation.
- Unaware that unauthorized network reconnaissance violates policy.
3. Investigation Findings:
- Timeline:
13:15 – User executes dnsenum.pl from Downloads folder
13:15-13:22 – DNS enumeration runs, generating 2,847 queries
13:22 – Splunk correlation alert triggers
13:25 – SOC begins investigation
13:30 – User contacted by manager
13:45 – Tool removed, user educated
- Indicators of Compromise (IoCs):
Host:
– Process: dnsenum.pl
– File: C:\Users\tanderson\Downloads\dnsenum.pl
Network:
– DNS queries for sequential hostname patterns
4. Containment Actions:
- Immediate Actions:
- Removed dnsenum.pl from workstation.
- Cleared DNS cache.
- Documented policy violation.
- User Education:
- User required to complete security awareness training.
- Policy violation documented with HR.
5. Root Cause Analysis:
- Primary Cause: User’s lack of awareness about network scanning policy.
- Contributing Factors:
- No technical controls blocking reconnaissance tools.
- Insufficient training on acceptable use policies.
- Curiosity about network security without authorization.
6. Business Impact:
- Data Exposure: Internal network topology information exposed to user (already had legitimate access).
- Risk: Information could be used for further attacks if obtained by malicious actor (not applicable here).
- Compliance: No regulatory impact.
7. Remediation & Prevention:
Completed Actions:
Tool removed from workstation.
User re-trained.
Policy violation documented.
Technical Controls Enhanced:
Added application control to block dnsenum and similar tools.
Enhanced monitoring for DNS enumeration patterns.
Created automated alert for excessive DNS queries.
8. Conclusion:
This incident involved an IT employee conducting unauthorized network reconnaissance using DNS enumeration tools. While no malicious intent was found, the activity violated policy and exposed internal network topology. User education and technical controls have been enhanced.
Closure Rationale: Policy violation addressed; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 14:30 EST