Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Validating Microsoft Defender for DNS Alerts
Published Mar 22 2021 08:41 AM 11.4K Views
Microsoft

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.  This document does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this document for your internal, reference purposes.

 

Microsoft Defender for DNS plan provides threat detection for azure resources connected to the Azure DNS, the intent is to detect malicious communication from an Azure resource and malicious DNS servers trying to compromise with an Azure resource. To learn more about Azure Defender for DNS, read our official documentation. You can enable Microsoft Defender for DNS on your subscription via Microsoft Defer for Cloud environment settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

 

DNSplan.jpg

 

Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

  1. Provision a new VM and keep the default TCP/IP configuration (by default all VMs will connect to Azure DNS).
  2. Connect to this machine using RDP.
  3. Create a file on this machine called DNSAlertSim.ps1 and paste the content below in this file:

 

 

 

 

 

 

Resolve-DnsName bbcnewsv2vjtpsuy.onion.to
Resolve-DnsName all.mainnet.ethdisco.net
Resolve-DnsName micros0ft.com 
Resolve-DnsName 164e9408d12a701d91d206c6ab192994.info  -ErrorAction Ignore

For($i=0; $i -le 150; $i++) {
$rand = -join ((97..122) | Get-Random -Count 32 | % {[char]$_})
Resolve-DnsName "$rand.com" -ErrorAction Ignore
}

For($i=0; $i -le 1000; $i++) {
$rand = -join ((97..122) | Get-Random -Count 63 | % {[char]$_})
Resolve-DnsName "$rand.contoso.com" -ErrorAction Ignore
}

Resolve-DnsName reseed.i2p-projekt.de 

Write-Host -NoNewLine 'Press any key to continue...';
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');

 

 

 

 

 

Note: if you receive an error at the end, please ignore, this will not impact the alert generation. 

 

  1. Save this file
  2. Execute DNSAlertSim.ps1

After a few minutes, you should see Microsoft Defender for DNS alerts showing up on your dashboard, similar to the one below:

 

Fig2.JPG

 

For a complete list of all analytics available for Microsoft Defender for DNS, read this documentation.

 

Another alternative to simulate the alert, is to run the following commands in your VM:

 

Resolve-DnsName kcp53.msupdate.us
Resolve-DnsName all.mainnet.ethdisco.net
Resolve-DnsName micros0ft.com
Resolve-DnsName 164e9408d12a701d91d206c6ab192994.info

Note 1: It takes up to 2 hours to onboard the Defender for DNS plan (from when the plan was first enabled in the UI until the first alert can be received).

Note 2: If it's a newly created VM, you need to wait 4 hours for any new alerts to be generated in Defender for DNS. 

Note 3: If you try to run these commands multiple times on the same VM, you will not receive multiple alerts, unless you flush your local DNS using ipconfig /flushdns (using command prompt in the VM itself).

Note 4: It will take a few minutes for the alert to generate in the Defender for Cloud alerts UI once the DNS query was made.

 

Below you have a sample of how the alert will look like:

DNSBlog.JPG

 

Next Steps

Block this attack from occurring through the Logic App here

 

Reviewers

Tal Rosler, Program Manager

Script by John Booth, Senior Software Engineer

 

3 Comments
Version history
Last update:
‎Feb 22 2022 10:10 AM
Updated by: