Basic Dynamic DNS Detection

Description

Detect outbound communication to Dynamic DNS servers, which are frequently leveraged for command and control by all types of attackers.


Use Case

Security Monitoring, Advanced Threat Detection

Category

Command and Control

Security Impact

Attackers desire flexibility in their command and control capabilities (along with other parts of their infrastructure), and dynamic DNS can provide that flexibility. While there are legitimate uses of dynamic DNS (many IT professionals use it to access home networks), the risks of not monitoring the practice can be significant. Fortunately, between Splunk and a list provided by Malware Domains, finding dynamic DNS in your environment is easy.

Alert Volume

Medium

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Command and Control
Establish & Maintain Infrastructure
Adversary OPSEC

MITRE ATT&CK Techniques

Dynamic DNS
Standard Application Layer Protocol

MITRE Threat Groups

APT1
APT18
APT19
APT28
APT32
APT33
APT37
APT38
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
Dragonfly 2.0
FIN4
FIN6
FIN7
Gamaredon Group
Honeybee
Ke3chang
Lazarus Group
Machete
Magic Hound
Night Dragon
OilRig
Orangeworm
Rancor
SilverTerrier
Stealth Falcon
TEMP.Veles
Threat Group-3390
Turla
WIRTE

Kill Chain Phases

Command and Control

Data Sources

Web Proxy
DNS

How to Implement

The first step in implementing this detection is to acquire a list of dynamic DNS providers. During our research for this use case, Malware-Domains* seemed to provide a comprehensive list, but there are other lists discoverable from Google*. Once you have downloaded a list, you will need to format it to fit the Splunk lookup format:

  1. First, download the file. If you are using Malware-Domains, you can find it here: Malware-Domains Download
  2. Second, clean it and put it into the proper location:
     • Windows:
       In Notepad, use Find and Replace to change each sequence of "#from..." to ",true" so that every line reads like chickenkiller.com,true. Add the line "domain,inlist" at the top of the file.
     • Linux / OSX:
       echo "domain,inlist" > $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/dynamic_dns_lookup.csv && \
         cat dynamic_dns.txt | grep -v "^#" | egrep -v "^\s*$" | sed 's/[^a-zA-Z]*#.*/,true/' >> $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/dynamic_dns_lookup.csv

Once you have the file in place, the rest should move on smoothly!

* Information regarding third-party sites is provided solely as a convenience to Splunk customers, but Splunk neither controls nor endorses, nor is Splunk responsible for, such sites or any content therein. Customer's use of the sites is at customer's own risk and may be subject to additional terms, conditions and policies applicable to such sites (such as license terms, terms of service or privacy policies of the providers of the sites).

Known False Positives

Production services that use dynamic DNS, while rare, do exist. They will cause some base level of false positives, though they should never be business-critical services. The most common scenario for dynamic DNS is users reaching out to their home networks, for example to check on their dogs via webcam. Whether to tune out these users (the most common choice) or prohibit that activity is ultimately a policy decision.

How To Respond

When this alert fires, look first for the common allowable scenarios, particularly users who are accessing their home networks (see Known False Positives). If that does not seem to be the case, consult data from Splunk Stream or from your packet capture to determine what type of data was sent, and review the DNS name and IP in open source intelligence to see if there is anything of note (though that is often hard for this scenario). If this is a critical host, consider endpoint logging via Microsoft Sysmon, which will indicate the process that is creating these connections, or other endpoint response mechanisms.

Help

Basic Dynamic DNS Detection Help

This example leverages the simple search assistant. Our dataset is a collection of outbound network communications, and a lookup of common command and control servers. For this analysis, we are pulling the outbound proxy requests (though you could also use DNS requests), using URL Toolbox to extract just the domain name, and then looking it up in the file pulled from Malware-Domains.

SPL for Basic Dynamic DNS Detection

Demo Data

First we bring in our basic demo dataset, proxy logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Because we are looking for dynamic DNS providers, we're going to need to separate out subdomains from the registered domain. URL Toolbox is just the tool for this job!
Next we can use our lookup of dynamic DNS domains (see How to Implement). This will add a field called inlist with the value "true" for any matches.
And finally we can look for those records that are matches.
With our dataset complete, we just need to arrange the fields to be useful.
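The list clean-up from How to Implement and the demo search steps (extract the registered domain, look it up, keep inlist=true, arrange the fields) in one runnable form, as an added Python example that is not part of Splunk Security Essentials or URL Toolbox. The provider list and proxy lines are constructed, and provider_domain is a simplified stand-in for URL Toolbox's domain extraction (it assumes no public-suffix list and matches on label suffixes of the host).

```python
import csv
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Malware-Domains dynamic DNS list (illustrative entries only).
RAW_DDNS_LIST = """# Dynamic DNS providers
chickenkiller.com   #from freedns.afraid.org
hopto.org #from no-ip

"""

# Constructed proxy log sample: _time,src,dest,url,status (not real traffic).
PROXY_LOGS = """2020-01-15T10:01:02Z,10.1.2.3,198.51.100.7,http://cam.home.chickenkiller.com/stream,200
2020-01-15T10:01:05Z,10.1.2.4,203.0.113.9,https://www.example.com/index.html,200
2020-01-15T10:01:09Z,10.1.2.5,198.51.100.8,http://updates.hopto.org:8080/a.bin,200
2020-01-15T10:01:11Z,10.1.2.6,203.0.113.10,https://hopto.org.example.net/,200
"""

# Mirror the grep/sed clean-up step: drop comments and blanks, keep the bare
# provider domain, and record it as domain -> inlist ("true").
def build_lookup(raw):
    lookup = {}
    for line in raw.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        domain = re.sub(r"[^a-zA-Z]*#.*", "", line).strip().lower()
        lookup[domain] = "true"
    return lookup

# Stand-in for URL Toolbox's domain extraction (assumption: no public-suffix list). Walk
# the host's label suffixes so a hit is the provider's registered domain, never a substring.
def provider_domain(url, lookup):
    labels = (urlsplit(url).hostname or "").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in lookup:
            return suffix
    return ""

# Equivalent of lookup + search inlist=true + table: keep only the matching rows.
def detect(proxy_csv, lookup):
    hits = []
    for ts, src, dest, url, _status in csv.reader(proxy_csv.splitlines()):
        domain = provider_domain(url, lookup)
        if domain:
            hits.append({"_time": ts, "src": src, "dest": dest,
                         "url": url, "domain": domain, "inlist": lookup[domain]})
    return hits
```

The fourth sample line (hopto.org.example.net) is deliberately a non-match: a provider name buried inside another registered domain must not fire, which is why matching is on the host's suffix and not a substring of the URL.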

Live Data

First we bring in our dataset of proxy logs.
Because we are looking for dynamic DNS providers, we're going to need to separate out subdomains from the registered domain. URL Toolbox is just the tool for this job!
Next we can use our lookup of dynamic DNS domains (see How to Implement). This will add a field called inlist with the value "true" for any matches.
And finally we can look for those records that are matches.
With our dataset complete, we just need to arrange the fields to be useful.

Accelerated Data

This uses tstats to quickly search an accelerated Web Proxy data model.
To make the search easier to use, we rename the Data Model fields into friendly versions by removing the Web. prefix from the beginning.
Because we are looking for dynamic DNS providers, we're going to need to separate out subdomains from the registered domain. URL Toolbox is just the tool for this job!
Next we can use our lookup of dynamic DNS domains (see How to Implement). This will add a field called inlist with the value "true" for any matches.
And finally we can look for those records that are matches.
With our dataset complete, we just need to arrange the fields to be useful.

Screenshot of Demo Data