
2024-07-15 // Dylan Evans

Network Connections to Known Dynamic DNS Subdomains

Defender XDR

Detects suspicious network connections to dynamic DNS (DDNS) subdomains often used for lateral movement or evasion.

Tags: dns, dynamic-dns, lateral-movement, subdomain-abuse

Network Connections to Dynamic DNS Subdomains

Overview

This detection identifies unusual network traffic targeting dynamic DNS subdomains, which are commonly exploited for lateral movement, credential theft, or evasion by bypassing traditional firewalls. Many of these services offer free or low-cost hosting with weak authentication, making them attractive infrastructure for attackers.

Query

// Keep only connections whose hostname ends in a known DDNS apex; the leading "\." means a
// subdomain label must precede it, so the bare apex (e.g. duckdns.org) is not matched.
DeviceNetworkEvents
| where RemoteUrl matches regex @".*\.(duckdns\.org|publicvm\.com|ddns\.net|hopto\.org|zapto\.org|serveftp\.com|servegame\.com|myftp\.org|myvnc\.com|gotdns\.ch|3utilities\.com|bounceme\.net|freedynamicdns\.org|freedynamicdns\.net|freeddns\.org)$"
// Label each hit with its provider; the first matching branch wins, "Other" is the fallback.
| extend DynamicDNSProvider = case(
    RemoteUrl contains "duckdns.org", "DuckDNS",
    RemoteUrl contains "publicvm.com", "PublicVM",
    RemoteUrl contains "ddns.net", "DDNS.net",
    RemoteUrl contains "hopto.org", "No-IP",
    RemoteUrl contains "zapto.org", "No-IP",
    RemoteUrl contains "serveftp.com", "No-IP",
    RemoteUrl contains "servegame.com", "No-IP",
    RemoteUrl contains "myftp.org", "No-IP",
    RemoteUrl contains "myvnc.com", "No-IP",
    RemoteUrl contains "gotdns.ch", "GotDNS",
    RemoteUrl contains "3utilities.com", "3utilities",
    RemoteUrl contains "bounceme.net", "BounceMe",
    RemoteUrl contains "freedynamicdns.org", "FreeDynamicDNS",
    RemoteUrl contains "freedynamicdns.net", "FreeDynamicDNS",
    RemoteUrl contains "freeddns.org", "FreeDDNS",
    "Other"
)
// Columns needed for triage: who connected, from which process, to where, and the outcome.
| project Timestamp, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, LocalIP, LocalPort, Protocol, DynamicDNSProvider, ActionType
| sort by Timestamp desc

Logic Explanation

The query filters DeviceNetworkEvents for connections whose remote URL matches a regex of subdomains under known DDNS providers. It labels each connection's provider (e.g., DuckDNS, No-IP) with a case() expression and projects key details such as timestamp, initiating process, and IP addresses. The detection fires on any action type (ConnectionSuccess, ConnectionRequest, or ConnectionAttempt), though the commented-out line suggests prioritizing partial/successful connections.

Tuning Notes

  • False positive risk: Legitimate services (e.g., VPNs, backups) may use these subdomains. Consider adding a whitelist of approved domains.
    • Suggestion: Apply a DynamicDNSProvider filter to exclude known benign providers (e.g., DynamicDNSProvider != "No-IP").
  • False positive risk: Internal tools or scripts might query DDNS for DNS resolution.
    • Suggestion: Add a LocalIP check to flag only outbound traffic (e.g., | where LocalIP != <internal-range>).
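The following Python harness is an added example, not part of the original detection, for checking the matching and tuning logic offline before changing the KQL. It reproduces the regex and the provider case() from the query, applies the two tuning notes (an allowlist of approved hostnames, and an internal-address check, which here is applied to RemoteIP rather than LocalIP on the assumption that a DDNS name resolving to an RFC 1918 address is an internal tool), and runs them over constructed sample rows shaped like DeviceNetworkEvents.

```python
import ipaddress
import re

# Provider map copied from the KQL case() above (this harness is an added example).
DDNS_PROVIDERS = {
    "duckdns.org": "DuckDNS", "publicvm.com": "PublicVM", "ddns.net": "DDNS.net",
    "hopto.org": "No-IP", "zapto.org": "No-IP", "serveftp.com": "No-IP",
    "servegame.com": "No-IP", "myftp.org": "No-IP", "myvnc.com": "No-IP",
    "gotdns.ch": "GotDNS", "3utilities.com": "3utilities", "bounceme.net": "BounceMe",
    "freedynamicdns.org": "FreeDynamicDNS", "freedynamicdns.net": "FreeDynamicDNS",
    "freeddns.org": "FreeDDNS",
}
# Same shape as the KQL regex: a dot must precede the apex, so the bare apex and
# look-alikes ("evilduckdns.org") miss. Kusto regex is case-sensitive unless (?i).
DDNS_RE = re.compile(r"\.(" + "|".join(map(re.escape, DDNS_PROVIDERS)) + r")$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(remote_url):
    """Provider name for a hostname that matches the DDNS pattern, else None."""
    m = DDNS_RE.search(remote_url)
    return DDNS_PROVIDERS[m.group(1).lower()] if m else None

def detect(events, allowlist=frozenset()):
    """Apply the detection plus both tuning notes to DeviceNetworkEvents-like rows."""
    hits = []
    for ev in events:
        provider = classify(ev["RemoteUrl"])
        if provider is None or ev["RemoteUrl"].lower() in allowlist:
            continue
        # Tuning note 2, applied to RemoteIP (assumption): DDNS names resolving to internal hosts are skipped.
        if any(ipaddress.ip_address(ev["RemoteIP"]) in net for net in RFC1918):
            continue
        hits.append({**ev, "DynamicDNSProvider": provider})
    return hits

# Constructed sample rows (not real telemetry); fields follow DeviceNetworkEvents.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "powershell.exe",
     "RemoteUrl": "update.duckdns.org", "RemoteIP": "203.0.113.10"},   # hit
    {"DeviceName": "ws01", "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "duckdns.org", "RemoteIP": "203.0.113.11"},          # apex only: no match
    {"DeviceName": "srv02", "InitiatingProcessFileName": "backup.exe",
     "RemoteUrl": "backup.hopto.org", "RemoteIP": "198.51.100.5"},     # allowlisted
    {"DeviceName": "ws03", "InitiatingProcessFileName": "vncviewer.exe",
     "RemoteUrl": "lab.MyVNC.com", "RemoteIP": "10.0.0.8"},            # internal target: skipped
    {"DeviceName": "ws04", "InitiatingProcessFileName": "curl.exe",
     "RemoteUrl": "evilduckdns.org", "RemoteIP": "203.0.113.12"},      # look-alike: no match
]
ALLOWLIST = frozenset({"backup.hopto.org"})  # approved DDNS names (tuning note 1)
```

Calling detect(SAMPLE_EVENTS, ALLOWLIST) returns only the ws01 row labelled DuckDNS; dropping the allowlist adds the srv02 backup row, which is the false positive the first tuning note describes.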

References