Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Sigma rule (View on GitHub)

  1title: Download from Suspicious Dyndns Hosts
  2id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
  3status: test
  4description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
  5references:
  6    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
  7author: Florian Roth (Nextron Systems)
  8date: 2017/11/08
  9modified: 2023/05/18
 10tags:
 11    - attack.defense_evasion
 12    - attack.command_and_control
 13    - attack.t1105
 14    - attack.t1568
 15logsource:
 16    category: proxy
 17detection:
 18    selection:
 19        c-uri-extension:
 20            - 'exe'
 21            - 'vbs'
 22            - 'bat'
 23            - 'rar'
 24            - 'ps1'
 25            - 'doc'
 26            - 'docm'
 27            - 'xls'
 28            - 'xlsm'
 29            - 'pptm'
 30            - 'rtf'
 31            - 'hta'
 32            - 'dll'
 33            - 'ws'
 34            - 'wsf'
 35            - 'sct'
 36            - 'zip'
 37            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
 38        cs-host|endswith:
 39            - '.hopto.org'
 40            - '.no-ip.org'
 41            - '.no-ip.info'
 42            - '.no-ip.biz'
 43            - '.no-ip.com'
 44            - '.noip.com'
 45            - '.ddns.name'
 46            - '.myftp.org'
 47            - '.myftp.biz'
 48            - '.serveblog.net'
 49            - '.servebeer.com'
 50            - '.servemp3.com'
 51            - '.serveftp.com'
 52            - '.servequake.com'
 53            - '.servehalflife.com'
 54            - '.servehttp.com'
 55            - '.servegame.com'
 56            - '.servepics.com'
 57            - '.myvnc.com'
 58            - '.ignorelist.com'
 59            - '.jkub.com'
 60            - '.dlinkddns.com'
 61            - '.jumpingcrab.com'
 62            - '.ddns.info'
 63            - '.mooo.com'
 64            - '.dns-dns.com'
 65            - '.strangled.net'
 66            - '.adultdns.net'
 67            - '.craftx.biz'
 68            - '.ddns01.com'
 69            - '.dns53.biz'
 70            - '.dnsapi.info'
 71            - '.dnsd.info'
 72            - '.dnsdynamic.com'
 73            - '.dnsdynamic.net'
 74            - '.dnsget.org'
 75            - '.fe100.net'
 76            - '.flashserv.net'
 77            - '.ftp21.net'
 78            - '.http01.com'
 79            - '.http80.info'
 80            - '.https443.com'
 81            - '.imap01.com'
 82            - '.kadm5.com'
 83            - '.mysq1.net'
 84            - '.ns360.info'
 85            - '.ntdll.net'
 86            - '.ole32.com'
 87            - '.proxy8080.com'
 88            - '.sql01.com'
 89            - '.ssh01.com'
 90            - '.ssh22.net'
 91            - '.tempors.com'
 92            - '.tftpd.net'
 93            - '.ttl60.com'
 94            - '.ttl60.org'
 95            - '.user32.com'
 96            - '.voip01.com'
 97            - '.wow64.net'
 98            - '.x64.me'
 99            - '.xns01.com'
100            - '.dyndns.org'
101            - '.dyndns.info'
102            - '.dyndns.tv'
103            - '.dyndns-at-home.com'
104            - '.dnsomatic.com'
105            - '.zapto.org'
106            - '.webhop.net'
107            - '.25u.com'
108            - '.slyip.net'
109    condition: selection
110fields:
111    - cs-ip
112    - c-uri
113falsepositives:
114    - Software downloads
115level: medium

References

Related rules

to-top