Detect hosts connecting to dynamic domain providers
The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the Network_Resolution data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1189 Drive-by Compromise |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT DNS.query IN ("-", "unknown") DNS.query="*" BY DNS.answer, DNS.answer_count, DNS.query, DNS.query_count, DNS.reply_code_id, DNS.src, DNS.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: lookup
lookup <lookup> dynamic_dns_domains, isDynDNS_default, query
Stage 5: lookup
lookup <lookup> dynamic_dns_domains, isDynDNS_local, query
Stage 6: eval
eval ... using (isDynDNS_default, isDynDNS_local)
Stage 7: fields
fields isDynDNS_default, isDynDNS_local
Stage 8: search
search isDynDNS=True
Stage 9: search
search `macro`
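The pipeline above, reproduced as an added Python example (not the rule's own SPL or the Splunk lookup file) over constructed Sysmon Event ID 22 records already mapped to Network_Resolution fields: stage 1's exclusion of `-` and `unknown` queries, the grouped count, a suffix match against a small constructed stand-in for the `dynamic_dns_domains` lookup, and the final `isDynDNS=True` filter. The provider domains in the lookup are sample entries chosen for the example, not the contents of the real lookup.

```python
from collections import Counter

# Constructed sample lookup standing in for the rule's dynamic_dns_domains
# lookup file; the real Splunk lookup is far larger. Domains are suffix-matched.
DYNAMIC_DNS_DOMAINS = {"duckdns.org", "no-ip.org", "dynu.com", "hopto.org"}

# Constructed Sysmon Event ID 22 (DNSEvent) records, already parsed into the
# Network_Resolution data model fields that the rule's tstats stage reads.
SAMPLE_DNS_EVENTS = [
    {"src": "10.0.0.5", "query": "update.microsoft.com", "answer": "13.107.4.50"},
    {"src": "10.0.0.5", "query": "-", "answer": ""},
    {"src": "10.0.0.7", "query": "backup-host.duckdns.org", "answer": "198.51.100.23"},
    {"src": "10.0.0.7", "query": "backup-host.duckdns.org", "answer": "198.51.100.23"},
    {"src": "10.0.0.9", "query": "unknown", "answer": ""},
    {"src": "10.0.0.9", "query": "files.hopto.org", "answer": "203.0.113.8"},
    {"src": "10.0.0.9", "query": "notduckdns.org", "answer": "203.0.113.9"},
]


def is_dyn_dns(query, lookup=DYNAMIC_DNS_DOMAINS):
    """Mirror the lookup stages: True when the query is a known provider
    domain or a subdomain of one. The match is on a label boundary, so
    'notduckdns.org' does not match 'duckdns.org'."""
    name = query.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in lookup)


def detect_dynamic_dns(events, lookup=DYNAMIC_DNS_DOMAINS):
    """Apply the stage 1 exclusions, group and count like the tstats BY
    clause, run the lookup, and keep only rows where isDynDNS is True."""
    counts = Counter()
    for ev in events:
        q = ev["query"]
        if q in ("-", "unknown"):  # NOT DNS.query IN ("-", "unknown")
            continue
        counts[(ev["src"], q, ev["answer"])] += 1
    results = []
    for (src, q, answer), count in sorted(counts.items()):
        if is_dyn_dns(q, lookup):  # search isDynDNS=True
            results.append({"src": src, "query": q, "answer": answer,
                            "count": count, "isDynDNS": True})
    return results


if __name__ == "__main__":
    for row in detect_dynamic_dns(SAMPLE_DNS_EVENTS):
        print(row)
```

Only the two hosts querying lookup-matched names survive the final filter; the `notduckdns.org` row shows why the match must respect the label boundary rather than use a plain substring test.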
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | dns.question.name | in | "-", "unknown" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DNS.query | eq | `*` |
| isDynDNS | eq | True |