Re: Building a rule to detect malicious domains

NastyaS · 12-15-2023 09:58 AM

Hello everyone,

I'm building the rule that will detects malicious domains, by matching them against VirusTotal.

However, there is a big issue about it.

I ingested 26 logs to Chronicle in order to test the rule.

25 logs contain malicious domains and just one of them is not malicious.

The problem is that my rule detects 22 domains (1 of them is not malicious), but ignoring 4 malicious domains.

Can you please take a look at my rule and tell me if there is something wrong about it?

Thank you in advance!

rule ioc_cisco_umbrella_dns {

meta:

author = "NastyaS"

description = "Detects DNS requests to malicious domains with Cisco Umbrella"

short_description = "Cisco Umbrella alert on DNS Malicous Domains"

severity = "Medium"

priority = "Medium"

status = "Testing"

created_date = "2023-12-11T17:30:00Z"

rule_version = "1.1"

yara_version = "YL2.0"

data_source = "Firewall events"

confidence_threshold = "50"

category = "Traffic"

subcategory = "Local to Remote"

events:

$e.metadata.log_type = "UMBRELLA_DNS"

$e.metadata.event_type = "NETWORK_DNS"

$e.network.application_protocol = "DNS"

$e.network.dns.questions.name = $dns_query

$e.network.dns.questions.name != ""

not $e.network.dns.questions.name in %Safe_domains

not $e.principal.ip in %General_safe_IPs

$e.principal.ip = $ip

// get virus total data

$vt.graph.metadata.source_type = "GLOBAL_CONTEXT"

$vt.graph.metadata.vendor_name = "VirusTotal"

$vt.graph.metadata.product_name = "VirusTotal Relationships"

(

$vt.graph.relations.relationship = "CONTACTS"

and $vt.graph.relations.entity.domain.name = $dns_query

and $vt.graph.relations.entity_type = "DOMAIN_NAME"

)

match:

$dns_query over 10m

outcome:

$risk_score = max(85)

$soar_rule_entities = array_distinct($dns_query)

$network_dns_questions_name = array_distinct($e.network.dns.questions.name)

$principal_ip = array_distinct($e.principal.ip)

condition:

$e and $vt

}

jstoner

A few things that immediately jump to mind to troubleshoot this.

-If you test the rule with just the event (before the vt data), does your umbrella dns data return 22, 25 or 26 events before adding in the VT relationships? Reason I am asking that is to identify the events prior to adding in the join and where the determination of malicious or benign is factored in.

-The use of the VT relationship piece here makes this a little tricky and potentially where the issue is. We are not doing a direct join of your domain to a listing of problematic domains. The join in the rule is looking for domains that are contacted by hashes. If an arbitrary hash connects to one of your domains, then the linkage would be there and you have a detection match. If we don't have a recorded call out to that domain from a VT submitted hash, we wouldn't. That might be part of the reason why we aren't seeing every match. Did you take those domains and search against VT to validate they are all there?

Hope this helps a little bit.

NastyaS

First of all, thank you for your help.

Regarding the questions.

1. Yes, I tested the rule before adding the VT relationships. And it was detecting all 26 events.

2. I searched the domains against the VT and got this result: 25 domains are malicious and 1 of them isn't malicious.

Also, when I ran the rule before adding VirusTotal, only Network_DNS events showed up. So Im not sure which domains were contacted by hashes after using VT relationships.

Is there a way to check it and add hashes to the domains that were not contacted by them?

And why could a non-malicious domain be detected by the rule? Was there a wrong connection between a domain and the hash?

jstoner

A couple of thoughts on your comments hopefully these help at least a
little.

“Also, when I ran the rule before adding VirusTotal, only Network_DNS
events showed up. So Im not sure which domains were contacted by hashes
after using VT relationships.”

The events will be in the detection as expected Was there a separate
section under entities? Doing a direct join from event to entity like event
joining via hash would give you that but since that linkage isn’t there I
don’t know how the engine reacts to that. can you click on columns and look
under graph to add the field where the domains would reside? That said with
the join, it is a direct match 1:1 so having it in the event means it is
also in the relationship otherwise you would not get a detection

Is there a way to check it and add hashes to the domains that were not
contacted by them?

Not sure what you have in mind there. The VT relationship is based on the
hash and the relationship to the domain not the other way around, I don’t
think. It’s reflected in the portal by looking at the hash and seeing the
domains the hash contacts. I’m not sure if you could add them there

And why could a non-malicious domain be detected by the rule? Was there a
wrong connection between a domain and the hash?

This is related to my previous comment. A hash even a malicious one could
connect to a benign domain.
Thanks
-john

*John Stoner*
Principal Security Strategist
Cloud Security

NastyaS

Hello John,

"The events will be in the detection as expected Was there a separate
section under entities?"

When I tested the rule before adding the VT relationships, only the events section was there and no entities section was present. But after having VT in the rule, it returned both sections : events and entities.

"can you click on columns and look
under graph to add the field where the domains would reside?"

Yes, I can see all domains after adding dns_query column.

However, I can also see domains, by adding $dns_query (

$e.network.dns.questions.name = $dns_query) to the match section of the rule.

"The VT relationship is based on the
hash and the relationship to the domain not the other way around, I don’t
think."

Is there a way to search only domains without connecting them to hashes?

Perhaps, using MISP or GCTI instead of VirusTotal?

jstoner

Apologies for the delay in responding...

I'm good on the DNS portion of the rule, gathering lots of umbrella data and doing some event side filtering, all good there.

Regarding your question about searching only domains, while we have WHOIS data in the entity graph, as well as prevalence, we do not currently have data for domains that is adjudicated as being suspicious or malicious that integrates into the rules engine. That's not to say we might not in the future but we do not currently.

We have some domain matching capabilities under the Alerts & IOCs section that might close this gap, and I have a to see how we can push more of these kinds of matches toward alerting on them in the future.

If you had your own MISP data, we could associate your umbrella data with a score within your MISP instance to adjudicate the domain.

Regarding VT hashes and benign domains, here is an example of a hash with a number of engines firing but all contacted domains appear to be good. https://www.virustotal.com/gui/file/000003b8aa1f482d6db037c8749ce91a494eb2e85282363459210b1463a18d8b...

My strong suspicion is that because there are no file hashes in VT associated with those domain, therefore that is why you ended up with 22 hits versus 26.

I realize that may not be quite the answer you are looking for but hopefully sheds some light on what you are seeing and why.

Thanks.

princeptll

The provided YARA rule appears to be a mix of syntax from different detection technologies and might not work as intended for Cisco Umbrella DNS logs. YARA is typically used for file-based pattern matching, while the rule you've written seems to be more in line with a SIEM (Security Information and Event Management) query or rule.

If you're working with Cisco Umbrella logs, you might want to use the Cisco Umbrella Reporting API or log analysis features specific to your environment. Cisco Umbrella generally provides categories and security levels for DNS queries rather than direct access to VirusTotal data in the way your rule is structured.

Here's a more appropriate example for a Cisco Umbrella rule in a SIEM context:

rule malicious_dns {
meta:
author = "NastyaS"
description = "Detects DNS requests to potentially malicious domains with Cisco Umbrella"
severity = "Medium"
rule_version = "1.0"

strings:
$dns_query = "example-malicious-domain.com"
$safe_domains = "example-safe-domain1.com", "example-safe-domain2.com"

condition:
$dns_query and not $dns_query in $safe_domains
}

This simple rule detects DNS requests for a domain specified in the $dns_query string. Adjust the strings and conditions according to your specific use case and the information available in Cisco Umbrella logs.

Keep in mind that the specific fields and conditions you need to check will depend on the structure of the logs provided by Cisco Umbrella. Make sure to refer to the Cisco Umbrella documentation for accurate field names and log formats.

NastyaS

Thank you for the example you gave!

But I used

not $e.network.dns.questions.name in %Safe_domains in the events section and the dns requests are defined as $e.network.dns.questions.name event variable.

I think, the problem here is with the VT relationships. Is there any other vendor I could use to avoid connection to hashes and connect only to domains instead?

For example, MISP or anything else?

princeptll

HEy @NastyaS,

Thank you for your response,

I think I need to study this problem, give me little bit of time because I have also faced this kind of issue.

princeptll

Can you please mail me please problem in detail <PII Removed by Staff>

If its possible ??

NastyaS

Hello @princeptll ,

Sure, I already sent you an email

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

Building a rule to detect malicious domains