DNS lookup for IP lookup service

Goal

IP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.

Strategy

Detect when a DNS lookup is done for a domain belonging to an IP check service.

Triage and response

  1. Determine if {{@process.executable.name}} is expected to make a connection to {{@dns.question.name}}.
  2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.
  3. Start incident response and determine the initial entry point.

Requires Agent version 7.36 or greater
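
The strategy and the first triage step can be sketched as follows. This is an added example, not the rule's own query: the domain list and the process allowlist are assumed sample values, and the events are constructed around the two fields the triage steps reference.

```python
# Sample list of IP check service domains (assumption, not the rule's own list).
IP_CHECK_DOMAINS = {"ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}

# Hypothetical allowlist: processes expected to look up their public IP (assumption).
EXPECTED_PROCESSES = {"terraform"}


def normalize(qname):
    """Lower-case the queried name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def matched_service(qname):
    """Return the IP check domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Compare whole label suffixes so "notifconfig.me" and
    # "ifconfig.me.example.net" do not match "ifconfig.me".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IP_CHECK_DOMAINS:
            return candidate
    return None


def triage(event):
    """Classify one DNS event: 'ignore', 'expected' or 'investigate'."""
    service = matched_service(event["dns.question.name"])
    if service is None:
        return "ignore"
    if event["process.executable.name"] in EXPECTED_PROCESSES:
        return "expected"
    return "investigate"


# Constructed sample events using the two fields the triage steps reference.
SAMPLE_EVENTS = [
    {"process.executable.name": "terraform", "dns.question.name": "checkip.amazonaws.com."},
    {"process.executable.name": "sh", "dns.question.name": "API.ipify.org"},
    {"process.executable.name": "curl", "dns.question.name": "ifconfig.me.example.net"},
    {"process.executable.name": "nginx", "dns.question.name": "notifconfig.me"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["process.executable.name"], ev["dns.question.name"])
```

Matching on whole label suffixes keeps look-alike names from generating alerts while still catching subdomains and mixed-case or fully qualified queries.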