forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dynamic_dns.yml
32 lines (32 loc) · 1.65 KB
/
dynamic_dns.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
name: Dynamic DNS
id: 8169f17b-ef68-4b59-aae8-586907301221
version: 2
date: '2018-09-06'
author: Bhavin Patel, Splunk
description: Detect and investigate hosts in your environment that may be communicating
with dynamic domain providers. Attackers may leverage these services to help them
avoid firewall blocks and deny lists.
narrative: Dynamic DNS services (DDNS) are legitimate low-cost or free services that
allow users to rapidly update domain resolutions to IP infrastructure. While their
usage can be benign, malicious actors can abuse DDNS to host harmful payloads or
interactive-command-and-control infrastructure. These attackers will manually update
or automate domain resolution changes by routing dynamic domains to IP addresses
that circumvent firewall blocks and deny lists and frustrate a network defender's
analytic and investigative processes. These searches will look for DNS queries made
from within your infrastructure to suspicious dynamic domains and then investigate
more deeply, when appropriate. While this list of top-level dynamic domains is not
exhaustive, it can be dynamically updated as new suspicious dynamic domains are
identified.
references:
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
- https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/
- http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/
- https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html
tags:
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring