Download from Suspicious Dyndns Hosts
- source: sigma
- techniques:
  - t1105
  - t1568
Description
Detects downloads of certain file types (executables, scripts, Office documents, archives) from hosts under a selected list of dynamic DNS domains.
Detection logic
condition: selection
selection:
  c-uri-extension:
    - exe
    - vbs
    - bat
    - rar
    - ps1
    - doc
    - docm
    - xls
    - xlsm
    - pptm
    - rtf
    - hta
    - dll
    - ws
    - wsf
    - sct
    - zip
  cs-host|endswith:
    - .hopto.org
    - .no-ip.org
    - .no-ip.info
    - .no-ip.biz
    - .no-ip.com
    - .noip.com
    - .ddns.name
    - .myftp.org
    - .myftp.biz
    - .serveblog.net
    - .servebeer.com
    - .servemp3.com
    - .serveftp.com
    - .servequake.com
    - .servehalflife.com
    - .servehttp.com
    - .servegame.com
    - .servepics.com
    - .myvnc.com
    - .ignorelist.com
    - .jkub.com
    - .dlinkddns.com
    - .jumpingcrab.com
    - .ddns.info
    - .mooo.com
    - .dns-dns.com
    - .strangled.net
    - .adultdns.net
    - .craftx.biz
    - .ddns01.com
    - .dns53.biz
    - .dnsapi.info
    - .dnsd.info
    - .dnsdynamic.com
    - .dnsdynamic.net
    - .dnsget.org
    - .fe100.net
    - .flashserv.net
    - .ftp21.net
    - .http01.com
    - .http80.info
    - .https443.com
    - .imap01.com
    - .kadm5.com
    - .mysq1.net
    - .ns360.info
    - .ntdll.net
    - .ole32.com
    - .proxy8080.com
    - .sql01.com
    - .ssh01.com
    - .ssh22.net
    - .tempors.com
    - .tftpd.net
    - .ttl60.com
    - .ttl60.org
    - .user32.com
    - .voip01.com
    - .wow64.net
    - .x64.me
    - .xns01.com
    - .dyndns.org
    - .dyndns.info
    - .dyndns.tv
    - .dyndns-at-home.com
    - .dnsomatic.com
    - .zapto.org
    - .webhop.net
    - .25u.com
    - .slyip.net
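As an added example (not code from the Sigma project or from this page), the selection above re-implemented in Python and run over a few constructed proxy-log records, so the two conditions (extension AND dynamic-DNS suffix, both matched case-insensitively as Sigma does) can be checked against real field values. The DDNS suffix tuple is a subset of the rule's list, and the derivation of c-uri-extension from a request URI is an assumption about how the proxy fills that field.

```python
# Added example: minimal re-implementation of the rule's 'selection' applied
# to constructed W3C-style proxy records. Field names follow the rule.
from urllib.parse import urlsplit
import posixpath

# c-uri-extension values from the rule.
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm",
    "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# SUBSET of the rule's cs-host|endswith list (extend with the rest in practice).
DYNDNS_SUFFIXES = (
    ".hopto.org", ".no-ip.org", ".no-ip.biz", ".ddns.name", ".myftp.org",
    ".servehttp.com", ".zapto.org", ".dyndns.org", ".webhop.net", ".x64.me",
)

def uri_extension(uri: str) -> str:
    """Assumed derivation of c-uri-extension: extension of the last path
    segment, lower-cased, with query string and fragment ignored."""
    path = urlsplit(uri).path
    _, ext = posixpath.splitext(posixpath.basename(path))
    return ext[1:].lower()

def matches_rule(cs_host: str, c_uri: str) -> bool:
    """Both field conditions of the map must hold (implicit AND in Sigma).
    Sigma string matching is case-insensitive, so the host is lower-cased;
    a trailing dot on an FQDN is stripped so 'endswith' still applies."""
    host = cs_host.lower().rstrip(".")
    ext_hit = uri_extension(c_uri) in SUSPICIOUS_EXTENSIONS
    host_hit = any(host.endswith(s) for s in DYNDNS_SUFFIXES)
    return ext_hit and host_hit

# Constructed sample proxy records: (cs-host, c-uri).
SAMPLE_LOG = [
    ("update.hopto.org", "/dl/setup.exe"),
    ("Files.No-IP.biz", "/pkg/tools.zip?id=7"),   # mixed case, query string
    ("cdn.example.com", "/bin/agent.exe"),        # not a DDNS host
    ("blog.zapto.org", "/index.html"),            # extension not in list
    ("api.dyndns.org", "/v1/report.json"),        # extension not in list
]

def run_detection(records=SAMPLE_LOG):
    """Return the (cs-host, c-uri) pairs the rule would alert on."""
    return [(h, u) for h, u in records if matches_rule(h, u)]

if __name__ == "__main__":
    for host, uri in run_detection():
        print(f"ALERT suspicious DDNS download: {host}{uri}")
```

Note that a bare apex host such as `hopto.org` does not match `.hopto.org`, exactly as the Sigma `endswith` modifier behaves.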