Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Sigma rule (View on GitHub)
```yaml
title: Download from Suspicious Dyndns Hosts
id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
status: test
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
references:
    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
author: Florian Roth (Nextron Systems)
date: 2017-11-08
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.t1568
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
        # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            - '.hopto.org'
            - '.no-ip.org'
            - '.no-ip.info'
            - '.no-ip.biz'
            - '.no-ip.com'
            - '.noip.com'
            - '.ddns.name'
            - '.myftp.org'
            - '.myftp.biz'
            - '.serveblog.net'
            - '.servebeer.com'
            - '.servemp3.com'
            - '.serveftp.com'
            - '.servequake.com'
            - '.servehalflife.com'
            - '.servehttp.com'
            - '.servegame.com'
            - '.servepics.com'
            - '.myvnc.com'
            - '.ignorelist.com'
            - '.jkub.com'
            - '.dlinkddns.com'
            - '.jumpingcrab.com'
            - '.ddns.info'
            - '.mooo.com'
            - '.dns-dns.com'
            - '.strangled.net'
            - '.adultdns.net'
            - '.craftx.biz'
            - '.ddns01.com'
            - '.dns53.biz'
            - '.dnsapi.info'
            - '.dnsd.info'
            - '.dnsdynamic.com'
            - '.dnsdynamic.net'
            - '.dnsget.org'
            - '.fe100.net'
            - '.flashserv.net'
            - '.ftp21.net'
            - '.http01.com'
            - '.http80.info'
            - '.https443.com'
            - '.imap01.com'
            - '.kadm5.com'
            - '.mysq1.net'
            - '.ns360.info'
            - '.ntdll.net'
            - '.ole32.com'
            - '.proxy8080.com'
            - '.sql01.com'
            - '.ssh01.com'
            - '.ssh22.net'
            - '.tempors.com'
            - '.tftpd.net'
            - '.ttl60.com'
            - '.ttl60.org'
            - '.user32.com'
            - '.voip01.com'
            - '.wow64.net'
            - '.x64.me'
            - '.xns01.com'
            - '.dyndns.org'
            - '.dyndns.info'
            - '.dyndns.tv'
            - '.dyndns-at-home.com'
            - '.dnsomatic.com'
            - '.zapto.org'
            - '.webhop.net'
            - '.25u.com'
            - '.slyip.net'
    condition: selection
falsepositives:
    - Software downloads
level: medium
```
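To make the rule's matching semantics concrete, here is an added example (not code from the Sigma repository or from the rule's author) that evaluates the `selection` block against constructed proxy log records. It reproduces the two conditions the rule ANDs together: `c-uri-extension` is one of the listed extensions, and `cs-host` ends with one of the dynamic-DNS suffixes. Sigma string matching is case-insensitive by default, so both sides are lower-cased. Only a subset of the rule's suffix list is carried over; the log format, hosts and paths below are invented for illustration, and `uri_extension` is an assumed helper that derives the `c-uri-extension` field from a raw URI when the proxy does not emit it directly.

```python
"""Evaluate the 'Download from Suspicious Dyndns Hosts' selection logic
against sample proxy records (added example, not part of the Sigma rule)."""
from urllib.parse import urlsplit

# Full extension list from the rule.
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# Subset of the rule's cs-host|endswith list; extend from the rule as needed.
DYNDNS_SUFFIXES = (
    ".hopto.org", ".no-ip.org", ".no-ip.biz", ".ddns.name", ".myftp.org",
    ".servehttp.com", ".mooo.com", ".dyndns.org", ".zapto.org", ".webhop.net",
)


def uri_extension(uri: str) -> str:
    """Derive the c-uri-extension field the rule expects from a request URI.

    Assumed helper: the extension is taken from the last path segment only;
    query string and fragment are ignored, so '/update.exe?id=1' yields 'exe'
    and '/download?file=x.exe' yields '' (no extension in the path).
    """
    last_segment = urlsplit(uri).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1]


def matches_rule(record: dict) -> bool:
    """True if the record satisfies 'selection' (both field conditions hold)."""
    ext = record.get("c-uri-extension")
    if ext is None:
        ext = uri_extension(record.get("c-uri", ""))
    host = record.get("cs-host", "").lower()
    # 'endswith' with a leading dot: the apex 'no-ip.org' itself is NOT matched,
    # only names under it, exactly as the rule is written.
    return ext.lower() in SUSPICIOUS_EXTENSIONS and host.endswith(DYNDNS_SUFFIXES)


def parse_proxy_log(text: str) -> list:
    """Parse constructed whitespace-separated proxy lines of the form:
    date time c-ip cs-host c-uri sc-status
    """
    records = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        date, time, c_ip, cs_host, c_uri, status = line.split()
        records.append({"date": date, "time": time, "c-ip": c_ip,
                        "cs-host": cs_host, "c-uri": c_uri, "sc-status": status})
    return records


def find_alerts(records: list) -> list:
    """Return 'host + uri' strings for every record the rule would fire on."""
    return [r["cs-host"] + r["c-uri"] for r in records if matches_rule(r)]


# Constructed sample log; hosts, paths and addresses are invented.
SAMPLE_LOG = """
# date time c-ip cs-host c-uri sc-status
2023-05-18 10:01:02 10.0.0.5 updates.example.com /client/setup.exe 200
2023-05-18 10:01:09 10.0.0.5 files.no-ip.org /drop/Update.EXE?v=3 200
2023-05-18 10:02:11 10.0.0.7 no-ip.org /index.html 200
2023-05-18 10:02:40 10.0.0.7 share.mooo.com /docs/invoice.docm 200
2023-05-18 10:03:15 10.0.0.9 cdn.hopto.org /img/logo.png 200
2023-05-18 10:03:50 10.0.0.9 api.servehttp.com /download?file=tool.exe 200
"""

if __name__ == "__main__":
    for hit in find_alerts(parse_proxy_log(SAMPLE_LOG)):
        print("ALERT:", hit)
```

Two behaviours of the sample are worth noting when tuning. The apex name `no-ip.org` does not match because every suffix carries a leading dot, so only names under the provider's zone fire. And a request like `/download?file=tool.exe` does not match either, because `c-uri-extension` is derived from the path, not the query string; whether your proxy populates that field the same way is a mapping question to verify before relying on the rule.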
Related rules
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - Windows
- Axios NPM Compromise Indicators - macOS
- Browser Execution In Headless Mode
- Curl Download And Execute Combination