Skip to content
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@MHaggis @DavidJBianco
36 lines (21 sloc) 1.08 KB

#C2 via Dynamic DNS

Purpose: Identify potential C2 activity

Data Required

Outgoing logs that contain info about domains visited by internal clients, such as DNS query or HTTP proxy logs.

You will also need a list of dynamic DNS provider domain names.

Collection Considerations


Analysis Techniques Filtering, stack counting


Isolate the log entries that contain domains hosted on dynamic DNS providers. Look for sites visited by a low number of unique hosts (IP addresses). Utilize a lookup or feed of known dynamic DNS (DDNS) domains to query against data in a SIEM or log aggregator.

Other Notes

In many business environments, any access to a dynamic DNS provider may be at least somewhat suspicious.

More Info

You can’t perform that action at this time.