CB Response: Why is the Domain Reported Different than What was Actually Seen?

Environment

  • Carbon Black Response Console: All Versions
  • Carbon Black Response Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Question

Why is the domain reported different than what was actually seen?

Answer

The sensor resolves the FQDN for a network connection by looking up the destination IP address in the operating system's DNS cache. When multiple domains are associated with the same IP address, the cache may hold a different name than the one the application actually connected to, so the reported domain can differ from what was seen.

Additional Notes

To give an example:
  1. User goes to www.eicar.org in a browser.
  2. This results in a DNS lookup of www.eicar.org.
  3. The result of the DNS lookup is the IPv4 address 188.40.238.250.
  4. The OS caches the mapping of www.eicar.org to 188.40.238.250 in the Windows DNS cache.
  5. The browser then makes a TCP connection to 188.40.238.250.
  6. The Carbon Black Response Sensor driver sees the outbound TCP connection to 188.40.238.250, looks up the address in the Windows DNS cache (IPv4 addresses to domain names, populated in step 4), and reports a netconn with 188.40.238.250(www.eicar.org).
  7. The browser retrieves the content, and one or more of the links (images, JS, CSS, etc.) in the page refer to a new destination, analytics.eicar.org.
  8. This results in a DNS lookup of analytics.eicar.org, which returns 188.40.238.250, the same IPv4 address as www.eicar.org.
  9. After this result, the OS DNS cache contains:
    1. www.eicar.org == 188.40.238.250
    2. analytics.eicar.org == 188.40.238.250
  10. The browser makes an outbound TCP connection to 188.40.238.250.
  11. The Carbon Black Response Sensor driver sees the outbound TCP connection to 188.40.238.250, looks in the Windows DNS cache of IPv4 addresses to domain names from step 9, and reports a netconn with 188.40.238.250(www.eicar.org), but only if the browser of choice is running under a new PID. **
  12. Continuing: the browser is closed and re-opened, giving it a new PID.
  13. Unlike step 4, the DNS request is satisfied by the OS DNS cache, because the name-to-IPv4 mapping was already populated in steps 8 and 9, so NO DNS REQUEST is made.
  14. The browser then makes an outbound request to 188.40.238.250, the same as in step 10.
  15. The Carbon Black Response Sensor sees the outbound TCP connection to 188.40.238.250, looks in the Windows DNS cache of IPv4 addresses to domain names, and finds www.eicar.org. The Carbon Black Response Sensor therefore reports a netconn to 188.40.238.250(www.eicar.org).
  • Entries in the Windows DNS cache time out and get flushed. The Carbon Black Response Sensor depends on the state of the Windows DNS cache when reporting the FQDN for netconn events, so a netconn may be reported with a FQDN that differs from previous netconns to the same IP.
  • The sensor also caches the DNS lookups it takes from the OS DNS cache, and that sensor-side cache is checked first to reduce the cost of the lookup; however, the same steps apply to how the FQDN is reported, because it is based on what the OS DNS cache provided.
  • ** Netconns are throttled: if the same process connects to the same IP/port numerous times, only the first connection is reported and repeats are not sent.

Article Information

Creation Date: 09-09-2020