T1568.001 Splunk · SPL

Detect Fast Flux DNS in Splunk

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it, swapped with high frequency using a combination of round-robin IP addressing and short Time-To-Live (TTL) DNS records. The simplest 'single-flux' method involves registering and de-registering addresses as part of the DNS A record list, with an average lifespan of five minutes per IP. The 'double-flux' method additionally rotates the DNS Name Server (NS) records for the zone, providing additional resilience by allowing additional hosts to act as proxies to the true C2 host. Real-world users of this technique include Amadey malware, TA505, gh0st RAT operators, njRAT, menuPass (APT10), and Gamaredon Group.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Sub-technique
T1568.001 Fast Flux DNS
Canonical reference
https://attack.mitre.org/techniques/T1568/001/

SPL Detection Query

Splunk (SPL)

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval QueryName=lower(QueryName)
| where isnotnull(QueryName) AND QueryName!=""
| where NOT match(QueryName, "\.(local|internal|corp|lan|home|arpa)$")
| where NOT match(QueryName, "(microsoft\.com|windows\.com|office\.com|azure\.com|live\.com|windowsupdate\.com|msftconnecttest\.com|akamaiedge\.net|cloudfront\.net|fastly\.net|cloudflare\.net|azureedge\.net|trafficmanager\.net|amazonaws\.com)$")
| rex field=QueryResults max_match=50 "(?P<rawIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
| eval rawIP=mvfilter(NOT match(rawIP, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|0\.0\.0\.0)"))
| where isnotnull(rawIP)
| bin _time span=1h as TimeBucket
| stats
    dc(rawIP) as UniqueIPCount,
    values(rawIP) as IPAddresses,
    count as QueryCount,
    dc(host) as AffectedHosts,
    values(host) as HostList,
    values(Image) as ProcessList,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by TimeBucket, QueryName
| where UniqueIPCount >= 5
| where QueryCount >= 3
| eval TLD=mvindex(split(QueryName, "."), -1)
| eval SLD=mvindex(split(QueryName, "."), -2)
| eval SuspiciousTLD=if(match(TLD, "^(tk|pw|cc|ws|top|xyz|ru|cn|info|online|click|link|gq|ml|cf)$"), 1, 0)
| eval ShortSLD=if(len(SLD) <= 8, 1, 0)
| eval HighIPCount=if(UniqueIPCount >= 10, 1, 0)
| eval WideSpread=if(AffectedHosts >= 5, 1, 0)
| eval SuspicionScore=SuspiciousTLD + ShortSLD + HighIPCount + WideSpread
| convert ctime(TimeBucket) ctime(FirstSeen) ctime(LastSeen)
| table TimeBucket, QueryName, UniqueIPCount, QueryCount, AffectedHosts, HostList, ProcessList, IPAddresses, TLD, SuspiciousTLD, ShortSLD, SuspicionScore, FirstSeen, LastSeen
| sort - UniqueIPCount, - SuspicionScore

Severity: high · Confidence: medium

Detects Fast Flux DNS activity using Sysmon Event ID 22 (DNSEvent) logs collected from Windows endpoints. Groups DNS resolutions by domain and 1-hour time bucket, then identifies domains resolving to 5 or more unique public IP addresses within that hour. Uses rex with max_match=50 to extract every IPv4 answer from the semicolon-delimited QueryResults field into a multivalue rawIP field. A suspicion score is computed from TLD risk, second-level-domain length, IP count magnitude, and breadth of affected hosts. RFC1918 private addresses, loopback and 0.0.0.0 answers are dropped before counting, and known CDN/Microsoft domains are excluded, to reduce false positives.
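As an added illustration that is not part of the original rule or this site's content, the following Python reimplements the query's exclusion, per-answer private-IP filtering, hourly grouping, thresholds and scoring so they can be checked offline; the CDN exclusion list is abbreviated, and the Sysmon Event ID 22 records, hostnames and domain below are constructed.

```python
import re
from collections import defaultdict

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
INTERNAL = re.compile(r"\.(local|internal|corp|lan|home|arpa)$")
EXCLUDED = re.compile(r"(microsoft\.com|windows\.com|cloudflare\.net|amazonaws\.com)$")  # abbreviated CDN/SaaS list
RISKY_TLD = {"tk", "pw", "cc", "ws", "top", "xyz", "ru", "cn", "info", "online", "click", "link", "gq", "ml", "cf"}

def public_ips(query_results):
    """IPv4 answers from Sysmon's QueryResults ("::ffff:1.2.3.4;" entries), minus RFC1918, loopback and 0.0.0.0."""
    ips = set()
    for m in IPV4.findall(query_results):
        o = [int(x) for x in m.split(".")]
        private = o[0] in (0, 10, 127) or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)
        if not private:
            ips.add(m)
    return ips

def fast_flux_candidates(events, min_ips=5, min_queries=3):
    """Mirror the SPL: group by (1-hour bucket, domain), threshold on unique public IPs and queries, then score."""
    buckets = defaultdict(lambda: {"ips": set(), "queries": 0, "hosts": set()})
    for ev in events:
        name = ev["QueryName"].lower()
        if not name or INTERNAL.search(name) or EXCLUDED.search(name):
            continue
        ips = public_ips(ev["QueryResults"])
        if not ips:
            continue  # only CNAME or private answers: nothing to count, as with `where isnotnull(rawIP)`
        b = buckets[(ev["t"][:13], name)]  # "YYYY-MM-DDTHH" is the 1-hour bucket (timestamps are UTC ISO 8601)
        b["ips"] |= ips
        b["queries"] += 1
        b["hosts"].add(ev["host"])
    results = []
    for (hour, name), b in buckets.items():
        if len(b["ips"]) < min_ips or b["queries"] < min_queries:
            continue
        labels = name.split(".")
        tld, sld = labels[-1], (labels[-2] if len(labels) > 1 else "")
        score = int(tld in RISKY_TLD) + int(len(sld) <= 8) + int(len(b["ips"]) >= 10) + int(len(b["hosts"]) >= 5)
        results.append({"bucket": hour, "domain": name, "unique_ips": len(b["ips"]), "queries": b["queries"], "hosts": len(b["hosts"]), "score": score})
    return sorted(results, key=lambda r: (-r["unique_ips"], -r["score"]))

SAMPLE_EVENTS = [  # constructed Event ID 22 records, not real telemetry; 203.0.113.0/24 etc. are documentation ranges
    {"t": "2024-05-01T10:05:00Z", "host": "ws01", "QueryName": "update.flx-test.top", "QueryResults": "::ffff:203.0.113.10;::ffff:203.0.113.21;::ffff:10.0.0.5;"},
    {"t": "2024-05-01T10:20:00Z", "host": "ws02", "QueryName": "update.flx-test.top", "QueryResults": "type: 5 edge.flx-test.top;::ffff:198.51.100.5;::ffff:198.51.100.77;"},
    {"t": "2024-05-01T10:40:00Z", "host": "ws03", "QueryName": "UPDATE.flx-test.top", "QueryResults": "::ffff:192.0.2.9;::ffff:203.0.113.10;"},
    {"t": "2024-05-01T10:50:00Z", "host": "ws01", "QueryName": "login.microsoft.com", "QueryResults": "::ffff:203.0.113.1;::ffff:203.0.113.2;::ffff:203.0.113.3;::ffff:203.0.113.4;::ffff:203.0.113.5;"},
    {"t": "2024-05-01T11:10:00Z", "host": "ws01", "QueryName": "update.flx-test.top", "QueryResults": "::ffff:203.0.113.50;"},  # next hour, one query: below threshold
]
```

Running `fast_flux_candidates(SAMPLE_EVENTS)` yields a single candidate for the 10:00 bucket with 5 unique public IPs across 3 queries and 3 hosts (score 2: risky TLD plus short SLD); the allowlisted Microsoft name and the lone 11:00 query are dropped.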

Data Sources

Network Traffic: DNS Resolution
Sysmon Event ID 22 (DNSEvent)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • CDN-backed domains (Cloudflare, Akamai, AWS CloudFront) with geo-distributed anycast IPs — add CDN domain suffixes to the exclusion regex
  • Microsoft 365 and Google Workspace domains returning many IPs for load distribution — extend the NOT match exclusion list with additional SaaS provider domains
  • Internal DNS round-robin for on-premises multi-server applications — allowlist by QueryName pattern matching internal application domains
  • DNS-based global load balancing (GSLB) solutions used by the organization — document expected multi-IP domains and add to exclusion list
  • Threat intelligence sinkhole operators: multiple former C2 domains now resolve to sinkhole IPs operated by different vendors, inflating UniqueIPCount
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Fast Flux DNS Resolution Pattern Simulation via PowerShell

    Expected signal: Sysmon Event ID 22 (DNSEvent): 15 events with QueryName=example.com, QueryResults containing resolved IP addresses, Image=powershell.exe. Events appear approximately 800ms apart. Sysmon Event ID 1 for powershell.exe process creation with the full command line visible. PowerShell process exits after completion.

  2. Test 2: Repeated DNS Resolution via nslookup Loop (Windows cmd.exe)

    Expected signal: Sysmon Event ID 22: 20 DNS query events with QueryName=example.com, Image containing nslookup.exe. Sysmon Event ID 1: nslookup.exe process creation spawned by cmd.exe, repeated 20 times. Windows Security Event ID 4688 (if process command line auditing enabled) for each nslookup.exe invocation. DNS server at 8.8.8.8 will log 20 A record queries from the test host's external IP.

  3. Test 3: Fast Flux TTL Inspection via dig Loop (Linux/macOS)

    Expected signal: Linux auditd (if configured for EXECVE syscall auditing): dig process execution events with the command line arguments. Sysmon for Linux (if deployed): Event ID 22 DNS query events for each dig invocation. DNS server logs at 8.8.8.8: 10 A record queries from the test host over 30 seconds. Terminal output displays resolved IPs with TTL values — document the observed TTL range as a baseline for your test domain.

  4. Test 4: Windows DNS Client Cache Forensic Inspection for Fast Flux Indicators

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with Get-DnsClientCache in the command line. No network events generated (local read-only operation). Output displays cached DNS A records with their remaining TTL countdown — entries with TTL < 300 seconds from external domains are candidate fast flux indicators. Multiple cache entries for the same domain with different IP addresses (Data field) are definitive evidence of IP rotation.
