Meraki

Community

MX - Suspicious .win dns query

SPRINTERSHIP
Here to help
‎Apr 2 2024 4:36 AM
‎Apr 2 2024 4:36 AM

MX - Suspicious .win dns query

Hello,

Not sure if this is something we should worry about:

Suspicious .win dns query

I have looked at local  DNS(logs enabled) and I don't even see .win queries in the logs. 

 

Labels:
0 Kudos
9 Replies 9
Malwina
Meraki Employee
Meraki Employee
‎Apr 2 2024 4:49 AM
‎Apr 2 2024 4:49 AM

Hi!

This Security rule alerts on DNS queries to .win domains - those are commonly used to try and spoof legitimate websites and trick users into thinking they are the original sites.

From experience it would likely not be something to worry about but it would highly depend on what is the exact source of this query, if it's internal or external and whether you are able to tell what device is behind the source address.  

 

In response to Malwina
SPRINTERSHIP
Here to help
‎Apr 2 2024 5:04 AM
‎Apr 2 2024 5:04 AM

Thanks, I dont see any ".win" request in my local DNS logs so it seems like its external.  Since we use MX is there any way to check these queries in the log and see what device requests it? 

0 Kudos
In response to SPRINTERSHIP
txhomer
Here to help
‎Apr 2 2024 8:22 AM
‎Apr 2 2024 8:22 AM

Go into Organization - Security Center.  Depending on when and how frequent it happen the event may show up under 'Most Prevalent Threats' or 'Threats Across Networks' you can click on it and filter for just that event.  Alternatively you filter for 'snort_rule: 1-44077'.  Once that is filtered you can click on the 'MX Events' tab and that will show you source, destination, network and you can also inspect.download the pcap if you click on event name under the 'Details' column.

0 Kudos
SPRINTERSHIP
Here to help
‎Apr 2 2024 8:41 AM
‎Apr 2 2024 8:41 AM

thanks, I see them now:

my DNS1 or DNS2 to ISP DNS (set up on local DNS servers 1&2) and I see them a lot. I have installed Sysmon on both DC/DNS1&2 but I don't see any .win query.

 

0 Kudos
In response to SPRINTERSHIP
SPRINTERSHIP
Here to help
‎Apr 2 2024 10:17 AM
‎Apr 2 2024 10:17 AM

I have looked through Sysmon logs -22- DNS and don't see anything related to .win on both servers. Just see a bunch of Windows update links to Microsoft so I am not sure if this is false or this real. 

0 Kudos
In response to SPRINTERSHIP
Malwina
Meraki Employee
Meraki Employee
‎Apr 3 2024 5:05 AM
‎Apr 3 2024 5:05 AM

Seeing ".win" would be likely related to Windows updates, ".win" is often associated with Windows backup files.

In response to Malwina
SPRINTERSHIP
Here to help
‎Apr 3 2024 5:10 AM
‎Apr 3 2024 5:10 AM

Thank you Malwina,

That is exactly what I see in my local DNSs servers. A lot sites related to microsoft.com so I believe these are a false alarm. Can I whitelist them? I would prefer not to disable them, but whitelist somehow. 

 

In response to SPRINTERSHIP
Malwina
Meraki Employee
Meraki Employee
‎Apr 8 2024 6:26 AM
‎Apr 8 2024 6:26 AM

There is indeed a possibility to Allowlist these in the Dashboard.
Did you have a chance to look into our documentation on this?
If not, give it a go, I believe it could be helpful 🙂
https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Dealin...


0 Kudos
In response to Malwina
SPRINTERSHIP
Here to help
‎Apr 11 2024 4:41 AM
‎Apr 11 2024 4:41 AM

We run 18.107.2 firmware so I believe we should be runing snort 3. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.