DNS lookup for IP lookup service


Goal

IP check services (for example `ipify.org` or `ifconfig.me`, named here only as illustrations) return the public IP address of the client that queries them. They have legitimate uses, such as infrastructure-as-code tooling that needs to learn a host's public address to populate its configuration. Attackers abuse them after compromising a host to learn its public IP and, from the address owner, which organization or network they have landed in.

Strategy

Detect when a DNS lookup is done for a domain belonging to an IP check service.

Triage and response

  1. Determine whether {{@process.executable.name}} is expected to resolve {{@dns.question.name}} (for example, a known infrastructure-as-code or monitoring tool running on that host).
  2. If the DNS lookup is unexpected, contain the host or container and roll it back to a known good configuration.
  3. Start incident response and determine the initial entry point.
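The detection strategy above, and the first triage step, reduce to two checks: does the queried name belong to an IP check service, and is the querying process one that is expected to make such a lookup? The following is an added example, not the rule's own logic or Datadog code. The domain list, the event fields and the sample events are all constructed for illustration; in practice the list would be tuned to your environment. Matching is done on label boundaries (so `notipify.org` does not match `ipify.org`), case-insensitively, and tolerating the trailing dot a resolver may append to a fully qualified name.

```python
from dataclasses import dataclass

# Assumed, illustrative list of IP check service domains. Not an exhaustive
# or authoritative list; adapt to what you see in your own DNS telemetry.
IP_CHECK_DOMAINS = frozenset({
    "ipify.org",
    "ifconfig.me",
    "icanhazip.com",
    "ipinfo.io",
    "checkip.amazonaws.com",
})


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in for a DNS event: the two fields the triage steps use."""
    process_name: str    # corresponds to @process.executable.name
    question_name: str   # corresponds to @dns.question.name


def normalize(name: str) -> str:
    """Lower-case the name and strip whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_ip_check_domain(question_name: str, domains=IP_CHECK_DOMAINS) -> bool:
    """True if the queried name is a listed domain or a subdomain of one.

    Suffix matching is anchored on a label boundary ("." + domain) so that
    look-alike names such as notipify.org are not flagged.
    """
    q = normalize(question_name)
    return any(q == d or q.endswith("." + d) for d in domains)


def detect(events, allowed_processes=()):
    """Return the events worth triaging.

    An event is returned when the question name belongs to an IP check
    service and the querying process is not on the allow list of processes
    expected to make such lookups (e.g. infrastructure-as-code tooling).
    """
    allowed = {p.lower() for p in allowed_processes}
    return [
        e for e in events
        if is_ip_check_domain(e.question_name)
        and e.process_name.lower() not in allowed
    ]


def summarize(hits):
    """Group flagged lookups by process name to speed up triage step 1."""
    by_process = {}
    for e in hits:
        by_process.setdefault(e.process_name, []).append(normalize(e.question_name))
    return by_process


# Constructed sample events; not captured from a real host.
SAMPLE_EVENTS = [
    DnsEvent("terraform", "api.ipify.org."),   # expected IaC lookup
    DnsEvent("curl", "ifconfig.me"),           # unexpected: interactive tool
    DnsEvent("python3", "IPINFO.IO"),          # unexpected, mixed case
    DnsEvent("nginx", "notipify.org"),         # look-alike, must not match
    DnsEvent("apt", "deb.debian.org"),         # ordinary lookup
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS, allowed_processes=("terraform",))
    for proc, names in summarize(hits).items():
        print(f"{proc}: {', '.join(names)}")
```

Running the block prints the two lookups that a responder would actually need to look at (`curl` and `python3`); the `terraform` lookup is suppressed by the allow list rather than by the matcher, so removing the allow list still surfaces it, which is the behaviour you want when you are not yet sure which tooling is legitimate on a given host.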

Requires Agent version 7.36 or greater