sigma · medium · Hunting
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Author
Florian Roth (Nextron Systems)
Created
2017-11-08
Data Sources
proxy
References
https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
Tags
attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1568
Raw Content
title: Download from Suspicious Dyndns Hosts
id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
status: test
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
references:
    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
author: Florian Roth (Nextron Systems)
date: 2017-11-08
modified: 2023-05-18
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1105
    - attack.t1568
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            - '.hopto.org'
            - '.no-ip.org'
            - '.no-ip.info'
            - '.no-ip.biz'
            - '.no-ip.com'
            - '.noip.com'
            - '.ddns.name'
            - '.myftp.org'
            - '.myftp.biz'
            - '.serveblog.net'
            - '.servebeer.com'
            - '.servemp3.com'
            - '.serveftp.com'
            - '.servequake.com'
            - '.servehalflife.com'
            - '.servehttp.com'
            - '.servegame.com'
            - '.servepics.com'
            - '.myvnc.com'
            - '.ignorelist.com'
            - '.jkub.com'
            - '.dlinkddns.com'
            - '.jumpingcrab.com'
            - '.ddns.info'
            - '.mooo.com'
            - '.dns-dns.com'
            - '.strangled.net'
            - '.adultdns.net'
            - '.craftx.biz'
            - '.ddns01.com'
            - '.dns53.biz'
            - '.dnsapi.info'
            - '.dnsd.info'
            - '.dnsdynamic.com'
            - '.dnsdynamic.net'
            - '.dnsget.org'
            - '.fe100.net'
            - '.flashserv.net'
            - '.ftp21.net'
            - '.http01.com'
            - '.http80.info'
            - '.https443.com'
            - '.imap01.com'
            - '.kadm5.com'
            - '.mysq1.net'
            - '.ns360.info'
            - '.ntdll.net'
            - '.ole32.com'
            - '.proxy8080.com'
            - '.sql01.com'
            - '.ssh01.com'
            - '.ssh22.net'
            - '.tempors.com'
            - '.tftpd.net'
            - '.ttl60.com'
            - '.ttl60.org'
            - '.user32.com'
            - '.voip01.com'
            - '.wow64.net'
            - '.x64.me'
            - '.xns01.com'
            - '.dyndns.org'
            - '.dyndns.info'
            - '.dyndns.tv'
            - '.dyndns-at-home.com'
            - '.dnsomatic.com'
            - '.zapto.org'
            - '.webhop.net'
            - '.25u.com'
            - '.slyip.net'
    condition: selection
falsepositives:
    - Software downloads
level: medium
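As an added example (not part of the rule or of the Sigma project), the Python below applies the rule's selection logic to constructed proxy log lines in a simplified space-separated format. Because that format has no c-uri-extension field, the extension is derived from the URI; the suffix list is shortened to a few entries from the rule, and matching is lower-cased to mirror Sigma's case-insensitive string comparison.

```python
from urllib.parse import urlsplit

# Values copied from the rule above; the dyndns suffix list is shortened for readability.
SUSPICIOUS_EXTENSIONS = {"exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls",
                         "xlsm", "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"}
DYNDNS_SUFFIXES = (".hopto.org", ".no-ip.org", ".serveblog.net",
                   ".mooo.com", ".dyndns.org", ".zapto.org")


def normalise_host(host: str) -> str:
    """Lower-case cs-host and drop an explicit port such as 'host:8080' (assumes hostnames)."""
    return host.lower().split(":", 1)[0]


def uri_extension(uri: str) -> str:
    """Derive c-uri-extension: text after the last dot of the last path segment,
    with query string and fragment ignored, lower-cased for case-insensitive matching."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def matches_rule(host: str, uri: str) -> bool:
    """selection: c-uri-extension is in the list AND cs-host ends with one of the suffixes.
    endswith semantics mean 'evil.hopto.org' matches while the bare apex 'hopto.org' does not."""
    return (uri_extension(uri) in SUSPICIOUS_EXTENSIONS
            and normalise_host(host).endswith(DYNDNS_SUFFIXES))


def hunt(log_text: str) -> list[dict]:
    """Parse constructed lines 'date time c-ip cs-method cs-host cs-uri sc-status'; return hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, c_ip, _method, host, uri, _status = line.split()
        if matches_rule(host, uri):
            hits.append({"time": f"{date} {time}", "c-ip": c_ip,
                         "cs-host": normalise_host(host), "c-uri-extension": uri_extension(uri)})
    return hits


# Constructed sample events: hosts and client addresses are made up, not observations.
SAMPLE_LOG = """\
2023-05-18 10:01:02 10.0.0.5 GET cdn.example.net /files/setup.exe 200
2023-05-18 10:02:17 10.0.0.7 GET update.hopto.org /dl/Update.EXE?v=2 200
2023-05-18 10:03:44 10.0.0.7 GET files.no-ip.org:8080 /share/report.docm 200
2023-05-18 10:04:09 10.0.0.9 GET blog.serveblog.net /index.html 200
2023-05-18 10:05:31 10.0.0.9 GET hopto.org /about.zip 200
2023-05-18 10:06:12 10.0.0.3 GET mirror.mooo.com /archive/tools.rar 200
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Of the six constructed lines only the hopto.org, no-ip.org and mooo.com downloads fire; the .html request and the non-dyndns .exe fall outside the selection, and the bare apex host is not matched by the endswith modifier.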