# C2 via Dynamic DNS
Purpose: Identify potential C2 activity
Data Required: Outgoing logs that record the domains visited by internal clients, such as DNS query logs or HTTP proxy logs.
You will also need a list of dynamic DNS provider domain names.
Analysis Techniques: Filtering, stack counting
Isolate the log entries whose domains are hosted on dynamic DNS providers, then stack-count those domains by the number of unique internal hosts (source IP addresses) that contacted each one; domains reached by only a small number of hosts are the ones to review first. Use a lookup table or feed of known dynamic DNS (DDNS) domains to query against the data in a SIEM or log aggregator.
In many business environments, any access to a dynamic DNS provider may be at least somewhat suspicious.
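The filter-and-stack-count procedure above, as an added example that is not part of the original playbook. The log line format (`timestamp client_ip queried_domain`), the provider list and the log entries are all constructed; in practice the provider list would come from a DDNS feed and the logs from a SIEM export.

```python
# Added example (not from the original playbook): stack-count DNS query logs
# against a dynamic-DNS provider list. Log format and provider names are constructed.
from collections import defaultdict

# Constructed list of dynamic DNS provider base domains (stand-in for a real feed).
DDNS_PROVIDERS = {"duckdns.org", "no-ip.org", "dyndns.org"}

# Constructed DNS query log lines: "<timestamp> <client_ip> <queried_domain>".
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z 10.0.1.15 updates.example.com
2024-03-01T10:00:02Z 10.0.1.15 beacon42.duckdns.org
2024-03-01T10:00:05Z 10.0.1.15 beacon42.duckdns.org
2024-03-01T10:01:09Z 10.0.2.30 mail.example.com
2024-03-01T10:02:11Z 10.0.2.30 files.no-ip.org
2024-03-01T10:02:40Z 10.0.3.77 files.no-ip.org
2024-03-01T10:03:12Z 10.0.4.12 files.no-ip.org
2024-03-01T10:04:00Z 10.0.5.99 duckdns.org
"""

def ddns_provider(domain, providers=DDNS_PROVIDERS):
    """Return the provider base domain if `domain` is hosted on one, else None.
    Matches the provider itself or any subdomain of it, on a label boundary
    (so "notduckdns.org" does not match "duckdns.org")."""
    d = domain.lower().rstrip(".")
    for p in providers:
        if d == p or d.endswith("." + p):
            return p
    return None

def stack_ddns_domains(log_text, providers=DDNS_PROVIDERS):
    """Filter log lines to DDNS-hosted domains and return
    {domain: set(client_ips)} for stack counting."""
    hosts_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client_ip, domain = parts
        if ddns_provider(domain, providers):
            hosts_by_domain[domain.lower()].add(client_ip)
    return dict(hosts_by_domain)

def rare_ddns_domains(log_text, max_hosts=2, providers=DDNS_PROVIDERS):
    """Return DDNS domains contacted by at most `max_hosts` unique clients,
    sorted rarest first: the candidates a hunter reviews by hand."""
    stacks = stack_ddns_domains(log_text, providers)
    rare = [(dom, len(ips)) for dom, ips in stacks.items() if len(ips) <= max_hosts]
    return sorted(rare, key=lambda t: (t[1], t[0]))

if __name__ == "__main__":
    for dom, n in rare_ddns_domains(SAMPLE_LOGS):
        print(f"{n} host(s) -> {dom}")
```

The `max_hosts` threshold is the tuning knob: raise it in an environment where legitimate DDNS use is common, or set it very high to review every DDNS domain, as the note above suggests for most business networks.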
References:
- Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian
- Dynamic DNS domain list, www.malwaredomains.com (Malwaredomains.com)