Try in Splunk Security Cloud

Description

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution
  • Last Updated: 2018-09-06
  • Author: Bhavin Patel, Splunk
  • ID: 8169f17b-ef68-4b59-aae8-586907301221

Narrative

Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender’s analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.

Detections

Name Technique Type
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly

Reference

source | version: 2