Some users and applications may leverage dynamic DNS to reach out to some domains on the internet. Since dynamic DNS by itself is not malicious, this activity must be verified.

Techniques

Sample rules

Detect hosts connecting to dynamic domain providers

Description

Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command-and-control nodes. Attackers automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks and block lists, as well as to frustrate a network defender's analytic and investigative processes. This search looks for DNS queries made from within your infrastructure to suspicious dynamic domains.

Detection logic


| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host 
| `drop_dm_object_name("DNS")` 
| `security_content_ctime(firstTime)` 
| `dynamic_dns_providers` 
| `detect_hosts_connecting_to_dynamic_domain_providers_filter`
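The following is an added example, not code from the LoFP page or from the Splunk detection it catalogues: a stand-alone Python re-implementation of the search above over constructed DNS resolution records. The provider suffix list, the sample events and the verified-use allowlist are assumptions standing in for the `dynamic_dns_providers` lookup and the `_filter` macro; the matching is label-aware so that a lookalike such as `notduckdns.org` does not match `duckdns.org`.

```python
# Added example (not part of the LoFP page or the Splunk rule it lists).
# Re-implements the tstats stage of "Detect hosts connecting to dynamic
# domain providers": count, values(answer), min(_time) per (query, host),
# restricted to queries under a dynamic DNS provider suffix.

# Assumption: constructed stand-in for the `dynamic_dns_providers` lookup.
DYNAMIC_DNS_PROVIDERS = frozenset({"duckdns.org", "no-ip.org", "dyndns.org"})

# Constructed DNS resolution events: (epoch time, host, query, answer).
SAMPLE_EVENTS = [
    (1700000000, "ws-01", "www.example.com", "93.184.216.34"),
    (1700000060, "ws-01", "update.duckdns.org", "203.0.113.10"),
    (1700000120, "ws-01", "update.duckdns.org", "203.0.113.11"),
    (1700000180, "ws-02", "api.no-ip.org", "198.51.100.7"),
    (1700000240, "ws-03", "notduckdns.org", "192.0.2.5"),  # lookalike, not a match
]

def is_dynamic_dns(query, providers=DYNAMIC_DNS_PROVIDERS):
    """True if the query equals a provider domain or is a subdomain of one.
    Matching is done on whole DNS labels, not on raw string suffixes."""
    labels = query.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in providers for i in range(len(labels)))

def detect_dynamic_dns_hosts(events, providers=DYNAMIC_DNS_PROVIDERS,
                             allowlist=frozenset()):
    """Aggregate matching events per (query, host). `allowlist` plays the
    role of the rule's `_filter` macro: (query, host) pairs that have been
    verified as legitimate dynamic DNS use are dropped from the result."""
    stats = {}
    for ts, host, query, answer in events:
        if not is_dynamic_dns(query, providers) or (query, host) in allowlist:
            continue
        row = stats.setdefault((query, host),
                               {"count": 0, "answer": set(), "firstTime": ts})
        row["count"] += 1
        row["answer"].add(answer)            # values(DNS.answer)
        row["firstTime"] = min(row["firstTime"], ts)  # min(_time) as firstTime
    # Sorted answer lists give stable, comparable output.
    return {k: {**v, "answer": sorted(v["answer"])} for k, v in stats.items()}

if __name__ == "__main__":
    for (query, host), row in detect_dynamic_dns_hosts(SAMPLE_EVENTS).items():
        print(f"{host} -> {query}: count={row['count']} "
              f"answers={row['answer']} firstTime={row['firstTime']}")
```

Hosts that legitimately rely on a dynamic DNS provider can be passed in `allowlist` once that use has been verified, which is the same role the `detect_hosts_connecting_to_dynamic_domain_providers_filter` macro plays in the Splunk rule.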