uberAgent 6.1 Preview: DNS Query Monitoring
While we’re finalizing version 6.1 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at yet another cool new feature: DNS query monitoring.
DNS query monitoring tracks all outgoing DNS requests on the endpoints where uberAgent is installed.
uberAgent DNS query monitoring collects the following information about every DNS query:
- DNS name requested (e.g.,
- DNS response(s) (e.g.,
- DNS response record type (e.g.,
- Name of the process making the query (e.g.,
- GUID of the process making the query
The process GUID uniquely identifies the process instance making the DNS query. By looking the GUID up in other sourcetypes collected by uberAgent, a lot of metadata about the process making the DNS query is readily available, including, but not limited to:
- Command line
- User account
- Application the process is a part of
- Elevation status
- Parent process
- Authenticode signature status (see announcement blog post)
- Hash of the process image
- Network communications (e.g., target hosts, ports, IPs, amount of data transferred)
DNS query monitoring is a useful technique in any IT security professional’s arsenal. This is because DNS is a base technology nearly all network communications rely on. Factoring in that DNS was designed when the internet was still deemed a safe and trustworthy place, there are multiple aspects of DNS that warrant close inspection.
Any kind of advanced DNS analytics requires reliable information about which process on which endpoint tries to talk to which internet hosts. Some organizations want to be able to identify new domains, others want to be able to match DNS queries with lists of known-bad domains.
Data exfiltration via DNS queries has become quite common. It is a powerful technique for attackers because it does not require a direct network connection between the source and target hosts. Instead, it only requires a working DNS infrastructure.
DNS data exfiltration is a simple technique. The data to be exfiltrated is embedded in the DNS name to be resolved, which exploits the fact that the DNS query is passed to the entity controlling the target domain’s DNS.
In a nutshell:
- Victim machine: DNS query for
- DNS server for domain.com: a simple script strips YOUR-EXFIL-DATA from incoming queries
You can find a detailed description in the blog post DNS exfiltration of data: step-by-step simple guide.
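On the detection side, per-process DNS events make this pattern visible: one process instance querying many distinct, long, random-looking names under a single domain. The following is an added example, not part of the original post and not uberAgent code; the event field names, the thresholds, and the "last two labels" approximation of the registered domain are assumptions, and the sample events are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events. Field names are assumptions, not uberAgent's schema.
EVENTS = [
    {"name": "www.example.com", "process": "chrome.exe", "guid": "guid-0001"},
    {"name": "mail.example.com", "process": "chrome.exe", "guid": "guid-0001"},
    {"name": "d1a2b3c4e5f6g7h8i9j0k1l2.cdn.example.net", "process": "chrome.exe", "guid": "guid-0001"},
    {"name": "mzxw6ytboi2gk3dpeb3w64tm.tunnel.example", "process": "updater.exe", "guid": "guid-0002"},
    {"name": "nbswy3dpfqqho33snrscaiik.tunnel.example", "process": "updater.exe", "guid": "guid-0002"},
    {"name": "orugs4zanfzsaylomrqxiylq.tunnel.example", "process": "updater.exe", "guid": "guid-0002"},
]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(name, base_labels=2):
    """Split a DNS name into (subdomain part, base domain).
    Assumption: the base domain is the last two labels; a production
    version would consult the Public Suffix List instead."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_exfil_candidates(events, min_unique=3, min_len=20, min_entropy=3.5):
    """Flag (process instance, domain) pairs with many distinct subdomains
    that are both long and high-entropy, i.e. likely encoded payload."""
    groups = defaultdict(set)
    for ev in events:
        sub, base = split_name(ev["name"])
        if sub:
            groups[(ev["guid"], ev["process"], base)].add(sub)
    hits = []
    for (guid, proc, base), subs in groups.items():
        encoded = [s for s in subs
                   if len(s) >= min_len and entropy(s.replace(".", "")) >= min_entropy]
        # A single long name is common for CDNs; many distinct ones are not.
        if len(encoded) >= min_unique:
            hits.append({"guid": guid, "process": proc, "domain": base,
                         "unique_subdomains": len(encoded)})
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(EVENTS):
        print(hit)
```

The GUID in each hit is the key for pulling the command line, parent process and signature status of the flagged process instance from the other sourcetypes.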
On a large number of endpoints, the total count of DNS queries can be staggeringly high. We have taken measures and provide options to keep the data volume in check.
Often, applications query DNS for the same name over and over again. uberAgent detects that repetition and folds identical queries into a single Splunk event. The query count is embedded in the event, too, of course, so that you don’t lose the query’s frequency.
In many cases, it’s OK to exclude high-volume low-risk queries. By doing that you lose a degree of visibility, potentially missing C2, but you also significantly reduce the number of events generated by DNS query monitoring.
uberAgent offers a sophisticated tool to fine-tune which DNS queries to exclude: event data filtering (EDF) on the endpoint. With EDF, the decision whether to exclude an event can be based on any combination of the event’s fields’ content. It allows you to filter events depending on the originating process, on the user account, or regex-match the DNS name queried. More information is available in the blog post announcing event data filtering.
Powerful filtering capabilities are great to have, but creating a production-grade set of filtering rules can be a lot of work. That’s why we did it for you! uberAgent ESA ships with one of the best DNS query filtering rulesets, the list compiled by SwiftOnSecurity as part of their Sysmon configuration.