Detect Web Traffic To Dynamic Domain Providers

Description

This search looks for web connections to dynamic DNS providers.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Malware,

Alert Volume

This search looks for web connections to dynamic DNS providers.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Techniques

Application Layer Protocol

Web Protocols

MITRE Threat Groups

APT18
APT19
APT28
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
FIN4
Gamaredon Group
Inception
Ke3chang
Lazarus Group
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
Orangeworm
Rancor
Rocke
Sandworm Team
SilverTerrier
Stealth Falcon
TA505
Threat Group-3390
Tropic Trooper
Turla
WIRTE
Wizard Spider

Kill Chain Phases

Command and Control
Actions On Objectives

Data Sources

Web Proxy

   Help

Detect Web Traffic To Dynamic Domain Providers Help

This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, dynamic_dns_providers_default.csv, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\ This search produces fields (isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: IsDynamicDNS, Field: isDynDNS\ Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

   Search

Open in Search