C2 via Dynamic DNS

Purpose: Identify potential C2 activity

Data Required

Outgoing logs that contain info about domains visited by internal clients, such as DNS query or HTTP proxy logs.

You will also need a list of dynamic DNS provider domain names.

Collection Considerations

None

Analysis Techniques Filtering, stack counting

Description

Isolate the log entries that contain domains hosted on dynamic DNS providers. Look for sites visited by a low number of unique hosts (IP addresses). Utilize a lookup or feed of known dynamic DNS (DDNS) domains to query against data in a SIEM or log aggregator.

Other Notes

In many business environments, any access to a dynamic DNS provider may be at least somewhat suspicious.

More Info

Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian
www.malwaredomains.com Dynamic DNS domain list, Malwaredomains.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dynamic_dns_c2.md

dynamic_dns_c2.md

C2 via Dynamic DNS

Files

dynamic_dns_c2.md

Latest commit

History

dynamic_dns_c2.md

File metadata and controls

C2 via Dynamic DNS