Detect hosts connecting to dynamic domain providers
- source: splunk
- techniques:
- T1189
Description
The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the Network_Resolution data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
Detection logic
| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| `dynamic_dns_providers`
| `detect_hosts_connecting_to_dynamic_domain_providers_filter`
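As an added illustration (not code from the Splunk Security Content project), the following Python reproduces the aggregation and lookup step of the search above over a handful of constructed DNS resolution events. The provider set and the events are constructed for the example; the real contents of the `dynamic_dns_providers` lookup are not shown on this page.

```python
# Added example: plain-Python equivalent of the tstats search above.
# The provider list is a constructed stand-in for the `dynamic_dns_providers`
# lookup; the events are constructed Network_Resolution-style records.
from collections import defaultdict

# Constructed provider suffixes (the real lookup is maintained by Splunk).
DYNAMIC_DNS_PROVIDERS = {"duckdns.org", "no-ip.org", "ddns.net"}

# Constructed events: (_time, host, DNS.query, DNS.answer)
SAMPLE_EVENTS = [
    (1700000000, "ws-01", "update.example.com", "93.184.216.34"),
    (1700000010, "ws-02", "abc123.duckdns.org", "203.0.113.7"),
    (1700000020, "ws-02", "abc123.duckdns.org", "203.0.113.8"),
    (1700000030, "ws-03", "files.no-ip.org", "198.51.100.5"),
    (1700000040, "ws-01", "duckdns.org.example.net", "192.0.2.9"),  # not a match
]


def is_dynamic_dns(query, providers=DYNAMIC_DNS_PROVIDERS):
    """True if the queried name is a provider domain or a subdomain of one.

    Suffix matching requires a dot boundary, so 'duckdns.org.example.net'
    and 'notduckdns.org' do not match 'duckdns.org'.
    """
    q = query.lower().rstrip(".")
    return any(q == p or q.endswith("." + p) for p in providers)


def detect_dynamic_dns_hosts(events, providers=DYNAMIC_DNS_PROVIDERS):
    """Mirror the search: group by (query, host), count, collect answers,
    keep the earliest _time as firstTime, and keep only provider matches.

    The SPL applies the lookup after aggregation; filtering on query
    before grouping yields the same rows because the lookup keys on query.
    """
    groups = defaultdict(lambda: {"count": 0, "answer": set(), "firstTime": None})
    for ts, host, query, answer in events:
        if not is_dynamic_dns(query, providers):
            continue
        g = groups[(query, host)]
        g["count"] += 1
        g["answer"].add(answer)
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
    return {k: {"count": v["count"], "answer": sorted(v["answer"]),
                "firstTime": v["firstTime"]} for k, v in groups.items()}


if __name__ == "__main__":
    for (query, host), row in detect_dynamic_dns_hosts(SAMPLE_EVENTS).items():
        print(host, query, row)
```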