SigmaHQ/rules/proxy/proxy_download_susp_dyndns.yml

title: Download from Suspicious Dyndns Hosts
id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
status: experimental
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
author: Florian Roth
date: 2017/11/08
modified: 2020/09/03
references:
    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension: 
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        r-dns|endswith: 
            - '.hopto.org'
            - '.no-ip.org'
            - '.no-ip.info'
            - '.no-ip.biz'
            - '.no-ip.com'
            - '.noip.com'
            - '.ddns.name'
            - '.myftp.org'
            - '.myftp.biz'
            - '.serveblog.net'
            - '.servebeer.com'
            - '.servemp3.com'
            - '.serveftp.com'
            - '.servequake.com'
            - '.servehalflife.com'
            - '.servehttp.com'
            - '.servegame.com'
            - '.servepics.com'
            - '.myvnc.com'
            - '.ignorelist.com'
            - '.jkub.com'
            - '.dlinkddns.com'
            - '.jumpingcrab.com'
            - '.ddns.info'
            - '.mooo.com'
            - '.dns-dns.com'
            - '.strangled.net'
            - '.adultdns.net'
            - '.craftx.biz'
            - '.ddns01.com'
            - '.dns53.biz'
            - '.dnsapi.info'
            - '.dnsd.info'
            - '.dnsdynamic.com'
            - '.dnsdynamic.net'
            - '.dnsget.org'
            - '.fe100.net'
            - '.flashserv.net'
            - '.ftp21.net'
            - '.http01.com'
            - '.http80.info'
            - '.https443.com'
            - '.imap01.com'
            - '.kadm5.com'
            - '.mysq1.net'
            - '.ns360.info'
            - '.ntdll.net'
            - '.ole32.com'
            - '.proxy8080.com'
            - '.sql01.com'
            - '.ssh01.com'
            - '.ssh22.net'
            - '.tempors.com'
            - '.tftpd.net'
            - '.ttl60.com'
            - '.ttl60.org'
            - '.user32.com'
            - '.voip01.com'
            - '.wow64.net'
            - '.x64.me'
            - '.xns01.com'
            - '.dyndns.org'
            - '.dyndns.info'
            - '.dyndns.tv'
            - '.dyndns-at-home.com'
            - '.dnsomatic.com'
            - '.zapto.org'
            - '.webhop.net'
            - '.25u.com'
            - '.slyip.net'
    condition: selection
fields:
    - cs-ip
    - c-uri
falsepositives:
    - Software downloads
level: medium
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1105
    - attack.t1568