2024-07-15 // Dylan Evans
Network Connections to Known Dynamic DNS Subdomains
Defender XDR
Detects suspicious network connections to dynamic DNS (DDNS) subdomains often used for lateral movement or evasion.
Network Connections to Dynamic DNS Subdomains
Overview
This detection identifies unusual network traffic targeting dynamic DNS subdomains—commonly exploited for lateral movement, credential theft, or evasion by bypassing traditional firewalls. Many of these services offer free or low-cost hosting with weak authentication, making them prime targets for attackers.
Query
DeviceNetworkEvents
| where RemoteUrl matches regex @".*\.(duckdns\.org|publicvm\.com|ddns\.net|hopto\.org|zapto\.org|serveftp\.com|servegame\.com|myftp\.org|myvnc\.com|gotdns\.ch|3utilities\.com|bounceme\.net|freedynamicdns\.org|freedynamicdns\.net|freeddns\.org)$"
| extend DynamicDNSProvider = case(
    RemoteUrl contains "duckdns.org", "DuckDNS",
    RemoteUrl contains "publicvm.com", "PublicVM",
    RemoteUrl contains "ddns.net", "DDNS.net",
    RemoteUrl contains "hopto.org", "No-IP",
    RemoteUrl contains "zapto.org", "No-IP",
    RemoteUrl contains "serveftp.com", "No-IP",
    RemoteUrl contains "servegame.com", "No-IP",
    RemoteUrl contains "myftp.org", "No-IP",
    RemoteUrl contains "myvnc.com", "No-IP",
    RemoteUrl contains "gotdns.ch", "GotDNS",
    RemoteUrl contains "3utilities.com", "3utilities",
    RemoteUrl contains "bounceme.net", "BounceMe",
    RemoteUrl contains "freedynamicdns.org", "FreeDynamicDNS",
    RemoteUrl contains "freedynamicdns.net", "FreeDynamicDNS",
    RemoteUrl contains "freeddns.org", "FreeDDNS",
    "Other"
)
| project Timestamp, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, LocalIP, LocalPort, Protocol, DynamicDNSProvider, ActionType
| sort by Timestamp desc
Logic Explanation
The query filters DeviceNetworkEvents for connections where the remote URL matches a regex pattern of known DDNS subdomains. It categorizes each connection’s provider (e.g., DuckDNS, No-IP) via conditional logic and projects key details like timestamps, initiating processes, and IP addresses. The detection is triggered by any action type (ConnectionSuccess, ConnectionRequest, or ConnectionAttempt), though the commented-out line suggests prioritizing partial/successful connections.
Tuning Notes
False positives risk: Legitimate services (e.g., VPNs, backups) may use these subdomains. Consider adding a whitelist of approved domains.
- Suggestion: Apply a DynamicDNSProvider filter to exclude known benign providers (e.g., != "No-IP").
False positives risk: Internal tools or scripts might query DDNS for DNS resolution.
- Suggestion: Add a LocalIP check to flag only outbound traffic (e.g., | where LocalIP != <internal-range>).
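To test the query logic and the provider-exclusion tuning offline, here is an added Python re-implementation of the regex match and the case() mapping, run over a handful of constructed DeviceNetworkEvents rows; it is example code, not part of the original detection, and the event shape and field names are assumed from the project columns above.

```python
import re

# Suffix -> provider label, mirroring the case() mapping in the query above.
DDNS_PROVIDERS = {
    "duckdns.org": "DuckDNS", "publicvm.com": "PublicVM", "ddns.net": "DDNS.net",
    "hopto.org": "No-IP", "zapto.org": "No-IP", "serveftp.com": "No-IP",
    "servegame.com": "No-IP", "myftp.org": "No-IP", "myvnc.com": "No-IP",
    "gotdns.ch": "GotDNS", "3utilities.com": "3utilities", "bounceme.net": "BounceMe",
    "freedynamicdns.org": "FreeDynamicDNS", "freedynamicdns.net": "FreeDynamicDNS",
    "freeddns.org": "FreeDDNS",
}

# Same anchored pattern as the KQL `matches regex`: a label, a dot, then a listed suffix.
DDNS_RE = re.compile(r"^.*\.(" + "|".join(re.escape(s) for s in DDNS_PROVIDERS) + r")$")

def classify(remote_url):
    """Return the provider label for a DDNS hostname, or None if it does not match.
    The captured suffix drives the label, so a host such as ddns.net.hopto.org is
    attributed to No-IP rather than to the first `contains` clause that happens to hit."""
    m = DDNS_RE.match(remote_url.strip().lower())  # hostnames are case-insensitive
    return DDNS_PROVIDERS[m.group(1)] if m else None

def detect(events, excluded_providers=(), action_types=None):
    """Run the detection over DeviceNetworkEvents-shaped dicts and return matching rows
    with DynamicDNSProvider added, newest first. excluded_providers mirrors the
    DynamicDNSProvider != "..." tuning; action_types=None accepts any ActionType."""
    hits = []
    for ev in events:
        provider = classify(ev.get("RemoteUrl", ""))
        if provider is None or provider in excluded_providers:
            continue
        if action_types and ev.get("ActionType") not in action_types:
            continue
        hits.append({**ev, "DynamicDNSProvider": provider})
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

# Constructed sample events (not real telemetry); RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-07-15T08:01:00Z", "DeviceName": "ws01", "InitiatingProcessFileName": "powershell.exe",
     "RemoteUrl": "update-check.duckdns.org", "RemoteIP": "203.0.113.10", "RemotePort": 443, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2024-07-15T08:02:00Z", "DeviceName": "ws02", "InitiatingProcessFileName": "backup.exe",
     "RemoteUrl": "NAS-HOME.hopto.org", "RemoteIP": "198.51.100.7", "RemotePort": 22, "ActionType": "ConnectionRequest"},
    {"Timestamp": "2024-07-15T08:03:00Z", "DeviceName": "ws03", "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "www.example.com", "RemoteIP": "192.0.2.5", "RemotePort": 443, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2024-07-15T08:04:00Z", "DeviceName": "ws04", "InitiatingProcessFileName": "svchost.exe",
     "RemoteUrl": "duckdns.org", "RemoteIP": "203.0.113.20", "RemotePort": 80, "ActionType": "ConnectionAttempt"},  # apex only: no match
]
```

Calling detect(SAMPLE_EVENTS, excluded_providers={"No-IP"}) returns only the ws01 row, which is what the query would surface once the No-IP exclusion from the tuning notes is applied.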