This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
The goal of cyber adversaries who compromise an IT environment is to move off of the system that provided an initial foothold and to establish a presence on other, higher value IT assets up to- and including the domain controller. To do that, attackers will try to “footprint” a network. That is: determine what IT assets are deployed in the environment and where. Obtaining a map of IT assets is critical to adversaries’ ability to move laterally within your environment without attracting notice. Identifying and stopping reconnaissance can prevent adversaries from obtaining persistent access to your environment.
In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot one technique for foot-printing target environments: DNS zone transfers.
- Monitoring for DNS zone transfer requests issued from an unknown or unauthorized source is a useful strategy for spotting efforts by malicious actors to map network environments.
- Successful zone transfers can provide malicious actors with vital information that can inform later attacks including domain names, computer names, and IP addresses of sensitive network resources.
- Windows Event ID 6001 (a successful zone transfer was completed) is associated with this activity and should be monitored closely for domain transfers from unauthorized sources.
- QOMPLX Identity Assurance allows users to monitor for transfer requests from unauthorized sources. (Unauthorized sources might be DNS servers not listed among the name server (NS) resource records in their zones or from other than authorized IP addresses.)
How Zone Transfers Footprinting Works:
The Domain Name System (DNS) provides an invaluable service: translating IP addresses into human-friendly domains. Because DNS is a critical function and requires resilience, organizations typically use both primary and redundant (secondary) DNS servers that can process DNS requests in the event that a server becomes unavailable. Zone transfers are critical to the operation of this network: allowing information on a DNS zone to be shared among a number of redundant, DNS servers.
Those zone files, however, contain a wealth of information about your internal IT environment: the DNS domain names used in the environment as well as the names and IP addresses of IT assets deployed within the environment. That information often reveals the purpose of a specific IT asset and, possibly, its physical location as well.
Attackers can obtain that information through fraudulent zone transfers in which an asset controlled by the attacker issues a zone transfer request. Generally, DNS zone transfers are allowed only between servers listed in the name server (NS) resource record of a zone. DNS configurations can also be secured by limiting DNS zone transfers to specific IP addresses in an environment. However, DNS is a standard that is more than three decades old and that was designed as an open protocol. More lax DNS deployments may allow DNS zones to be transmitted to any requesting server.
QOMPLX Identity Assurance (IA) uses windowed detection rules to monitor for Windows Event ID 6001, which indicates a successful zone transfer has completed. The detection can be configured to trigger if the zone transfer came from an unauthorized IP address or server.
Zone transfers represent an easy and quick way for attackers to gather information on your environment. The earlier your organization can detect and respond to early stage malicious activities like suspicious DNS zone transfers, the more likely you are to stop the attacker before damage can be done.
Use the following form to request more information about QOMPLX detection of sophisticated attacks and other threats.