Adversaries may use dynamic DNS (dyndns) services to establish covert communication channels, allowing them to maintain persistent access and exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control infrastructure and disrupt ongoing malicious activities.
YARA Rule
rule network_dyndns {
    meta:
        author = "x0r"
        description = "Communications dyndns network"
        version = "0.1"
    strings:
        // Plain YARA strings: case-sensitive, ASCII-only substring matches
        // that fire wherever the suffix appears in the scanned data.
        $s1 = ".no-ip.org"
        $s2 = ".publicvm.com"
        $s3 = ".linkpc.net"
        $s4 = ".dynu.com"
        $s5 = ".dynu.net"
        $s6 = ".afraid.org"
        $s7 = ".chickenkiller.com"
        $s8 = ".crabdance.com"
        $s9 = ".ignorelist.com"
        $s10 = ".jumpingcrab.com"
        $s11 = ".moo.com"
        $s12 = ".strangled.com"
        $s13 = ".twillightparadox.com"
        $s14 = ".us.to"
        $s15 = ".strangled.net"
        $s16 = ".info.tm"
        $s17 = ".homenet.org"
        $s18 = ".biz.tm"
        $s19 = ".continent.kz"
        $s20 = ".ax.lt"
        $s21 = ".system-ns.com"
        $s22 = ".adultdns.com"
        $s23 = ".craftx.biz"
        $s24 = ".ddns01.com"
        $s25 = ".dns53.biz"
        $s26 = ".dnsapi.info"
        $s27 = ".dnsd.info"
        $s28 = ".dnsdynamic.com"
        $s29 = ".dnsdynamic.net"
        $s30 = ".dnsget.org"
        $s31 = ".fe100.net"
        $s32 = ".flashserv.net"
        $s33 = ".ftp21.net"
    condition:
        any of them
}
This YARA rule contains 33 string patterns in its detection logic. The scenarios below describe legitimate uses of dynamic DNS services that can trigger it, each with a suggested filter or exclusion.
Scenario: System update or patching using a known DYNDNS service
Filter/Exclusion: Exclude traffic to update.dyndns.org or members.dyndns.org associated with legitimate system update tools like rsync, wget, or curl used by IT teams for patch management.
Scenario: Scheduled backup jobs using a DYNDNS IP for remote access
Filter/Exclusion: Exclude traffic to backup.dyndns.org or similar domains used by backup solutions like Veeam, Commvault, or Duplicati during scheduled backup windows.
Scenario: Admin task to reconfigure DYNDNS settings for internal DNS resolution
Filter/Exclusion: Exclude traffic to dyndns.org or no-ip.com from admin workstations during known configuration changes, using source IP ranges or user agents associated with admin tools.
Scenario: Legitimate use of DYNDNS for remote access to internal servers
Filter/Exclusion: Exclude traffic to dynamic-dns.com or freedns.afraid.org from known remote access tools like TeamViewer, AnyDesk, or LogMeIn during scheduled remote support sessions.
Scenario: Use of DYNDNS for internal monitoring tools or IoT devices
Filter/Exclusion: Exclude traffic to dyndns.io or tzo.com from internal monitoring tools like Nagios, Zabbix, or IoT device management platforms during routine checks.
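The following is an added example, not code from the original page: it applies a subset of the rule's suffixes to constructed DNS query log lines and suppresses hits only when both the hostname and the querying source are on a constructed allowlist, in the spirit of the exclusion scenarios above. Unlike the YARA rule's case-sensitive substring match, it lowercases the name and anchors the suffix to the end of the hostname; the log format, IP addresses and allowlisted hosts are all hypothetical.

```python
import re

# Suffixes copied from the YARA rule above (a subset, to keep the example short)
DYNDNS_SUFFIXES = (
    ".no-ip.org", ".dynu.com", ".afraid.org", ".chickenkiller.com",
    ".us.to", ".dnsdynamic.com", ".ddns01.com",
)

# Constructed exclusion list modelled on the scenarios above:
# hostname -> source IPs allowed to query it (all values hypothetical).
EXCLUSIONS = {
    "freedns.afraid.org": {"10.0.9.20"},   # remote-support jump host
    "nas-backup.dynu.com": {"10.0.5.10"},  # backup server
}

# Constructed log format: "<timestamp> <source-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")

def matches_dyndns(qname: str) -> bool:
    """True when the queried name ends with a suffix from the rule. Anchoring
    to the end avoids treating e.g. 'us.to.corp.example' as a hit."""
    name = qname.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in DYNDNS_SUFFIXES)

def is_excluded(src: str, qname: str) -> bool:
    """Suppress a hit only when both the hostname and the source are allowlisted."""
    return src in EXCLUSIONS.get(qname.lower().rstrip("."), set())

def hunt(log_lines):
    """Return (source-ip, qname) pairs that match the rule and are not excluded."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        src, qname = m["src"], m["qname"]
        if matches_dyndns(qname) and not is_excluded(src, qname):
            alerts.append((src, qname))
    return alerts

# Constructed sample DNS log lines (not real traffic)
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.9.20 query freedns.afraid.org",       # allowlisted pair
    "2024-05-01T10:00:02Z 10.0.3.44 query host1.chickenkiller.com",  # hit
    "2024-05-01T10:00:03Z 10.0.3.44 query www.example.com",          # no suffix match
    "2024-05-01T10:00:04Z 10.0.3.45 query freedns.afraid.org",       # source not allowlisted: hit
    "2024-05-01T10:00:05Z 10.0.3.46 query us.to.corp.example",       # suffix not at end: no hit
]
```

Running `hunt(SAMPLE_LOG)` yields two alerts, for 10.0.3.44 and 10.0.3.45; the YARA rule's substring match would additionally flag the last line.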