T1568 Dynamic Resolution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownDDNSProviders = dynamic([
    "no-ip.com", "noip.com", "dyndns.org", "dyndns.com", "duckdns.org",
    "changeip.com", "afraid.org", "freedns.afraid.org", "dynv6.com",
    "hopto.org", "ddns.net", "zapto.org", "sytes.net", "redirectme.net",
    "myvnc.com", "servehttp.com", "serveftp.com", "bounceme.net",
    "loseyourip.com", "ooguy.com", "theworkpc.com", "casacam.net",
    "dnsdynamic.org", "myfreeweb.us", "dy.fi", "3utilities.com",
    "blogdns.com", "myftp.org", "myftp.biz", "servegame.com",
    "viewdns.net", "ddnsfree.com", "dnsalias.com", "dyn.com",
    "dtdns.com", "selfip.com", "tzo.com", "dnspark.com"
]);
let BrowserProcesses = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "safari.exe", "seamonkey.exe", "waterfox.exe"
]);
let HighRiskProcesses = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "csc.exe",
    "InstallUtil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe",
    "bitsadmin.exe", "certutil.exe", "wmic.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (KnownDDNSProviders)
| where not (InitiatingProcessFileName has_any (BrowserProcesses))
| extend IsHighRiskProcess = InitiatingProcessFileName in~ (HighRiskProcesses)
| extend IsNonStandardPort = RemotePort !in (80, 443)
| extend IsHiddenProcess = (InitiatingProcessFileName =~ "" or isnull(InitiatingProcessFileName))
| extend RiskScore = case(
    IsHighRiskProcess and IsNonStandardPort, 4,
    IsHighRiskProcess, 3,
    IsNonStandardPort, 2,
    IsHiddenProcess, 2,
    1
)
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
          RemoteUrl, RemoteIP, RemotePort, ActionType,
          IsHighRiskProcess, IsNonStandardPort, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceNetworkEvents

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval QueryName=lower(QueryName)
| eval IsDDNSQuery=if(
    match(QueryName, "(no-ip\.com|noip\.com|dyndns\.org|dyndns\.com|duckdns\.org|changeip\.com|afraid\.org|freedns\.afraid\.org|dynv6\.com|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net|myvnc\.com|servehttp\.com|serveftp\.com|bounceme\.net|loseyourip\.com|ooguy\.com|dnsdynamic\.org|myfreeweb\.us|dy\.fi|3utilities\.com|blogdns\.com|servegame\.com|dnsalias\.com|dyn\.com|dtdns\.com|tzo\.com|selfip\.com)"),
    1, 0)
| where IsDDNSQuery=1
| eval Image=lower(Image)
| eval IsBrowserProcess=if(
    match(Image, "(\\\\chrome\.exe$|\\\\firefox\.exe$|\\\\msedge\.exe$|\\\\iexplore\.exe$|\\\\opera\.exe$|\\\\brave\.exe$|\\\\safari\.exe$)"),
    1, 0)
| where IsBrowserProcess=0
| eval IsHighRiskProcess=if(
    match(Image, "(\\\\powershell\.exe$|\\\\pwsh\.exe$|\\\\cmd\.exe$|\\\\wscript\.exe$|\\\\cscript\.exe$|\\\\mshta\.exe$|\\\\rundll32\.exe$|\\\\regsvr32\.exe$|\\\\msbuild\.exe$|\\\\csc\.exe$|\\\\installutil\.exe$|\\\\regasm\.exe$|\\\\bitsadmin\.exe$|\\\\certutil\.exe$|\\\\wmic\.exe$)"),
    1, 0)
| eval RiskScore=case(
    IsHighRiskProcess=1, 3,
    1=1, 1)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, QueryName, QueryType, QueryResults, IsHighRiskProcess, RiskScore
| sort - RiskScore - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Elastic Security (EQL)

eql

dns where event.type == "answer" and
  dns.question.name : ("*.no-ip.com","*.noip.com","*.dyndns.org","*.dyndns.com",
                         "*.duckdns.org","*.changeip.com","*.afraid.org","*.freedns.afraid.org",
                         "*.dynv6.com","*.hopto.org","*.ddns.net","*.zapto.org","*.sytes.net",
                         "*.redirectme.net","*.myvnc.com","*.serveftp.com","*.servehttp.com") and
  not process.name : ("svchost.exe","services.exe","lsass.exe","MsMpEng.exe")

high severity medium confidence

Data Sources

DNS Events Network Flow Events

Required Tables

logs-endpoint.events.network-*

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "sourceip" as SourceIP, "DomainName" as Domain,
  "AnswerIP" as ResolvedIP, "Image" as ProcessImage,
  CASE WHEN "DomainName" ILIKE ANY ('%.no-ip.com%','%.noip.com%','%.dyndns.org%','%.duckdns.org%') THEN 8
       WHEN "DomainName" ILIKE ANY ('%.afraid.org%','%.ddns.net%','%.hopto.org%','%.zapto.org%') THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE category = 'dns'
  AND (
    "DomainName" ILIKE ANY ('%.no-ip.com%','%.noip.com%','%.dyndns.org%','%.dyndns.com%',
                              '%.duckdns.org%','%.changeip.com%','%.afraid.org%','%.freedns.afraid.org%',
                              '%.dynv6.com%','%.hopto.org%','%.ddns.net%','%.zapto.org%',
                              '%.sytes.net%','%.redirectme.net%','%.servehttp.com%','%.serveftp.com%')
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

DNS Server Logs via QRadar DSM

Required Tables

events

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Sumo Logic CSE

sql

_sourceCategory=dns/logs OR _sourceCategory=windows/sysmon
| json auto
| where EventID == "22" OR _sourceCategory == "dns/logs"
| eval domain = toLower(coalesce(QueryName, DomainName, ""))
| where domain matches ".*(no-ip\.com|noip\.com|dyndns\.(org|com)|duckdns\.org|changeip\.com|afraid\.org|dynv6\.com|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net|servehttp\.com|serveftp\.com).*"
| eval risk = case(
    domain matches ".*(no-ip\.com|dyndns\.org|duckdns\.org).*", "high",
    domain matches ".*(hopto\.org|zapto\.org|ddns\.net).*", "high",
    true(), "medium")
| table _time, Computer, User, Image, domain, QueryResults, risk
| sort by _time desc

high severity medium confidence

Data Sources

DNS Logs via Sumo Logic Windows Sysmon DNS Events

Required Tables

dns/logs windows/sysmon

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Google Chronicle / SecOps

yaral

rule ddns_c2_resolution {
  meta:
    author = "Detection Engineering"
    description = "Detects DNS resolution of DDNS providers used for C2 (T1568)"
    severity = "HIGH"
    tactic = "TA0011"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    re.regex($e.network.dns.questions.name, `(?i)\.(no-ip\.com|noip\.com|dyndns\.(org|com)|duckdns\.org|changeip\.com|afraid\.org|dynv6\.com|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net)$`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

DNS Events via Chronicle UDM

Required Tables

NETWORK_DNS

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "DnsRequest"
| DomainName = /(no-ip\.com|noip\.com|dyndns\.(org|com)|duckdns\.org|changeip\.com|afraid\.org|dynv6\.com|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net|servehttp\.com|serveftp\.com)$/i
| eval risk = case {
    DomainName = /(no-ip\.com|dyndns\.org|duckdns\.org)/i : "high";
    DomainName = /(hopto\.org|zapto\.org|ddns\.net)/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, DomainName, IP, ContextBaseFileName, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon DNS Events

Required Tables

DnsRequest

False Positives

Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Dynamic Resolution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Command and Control

Popular Detections