1. Home
  2. ATT&CK Techniques
  3. T1568 Dynamic Resolution

T1568 Dynamic Resolution Mappings

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568 Dynamic Resolution
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1568 Dynamic Resolution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568 Dynamic Resolution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
amazon_guardduty Amazon GuardDuty technique_scores T1568 Dynamic Resolution
Comments
GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations. Trojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1568.002 Domain Generation Algorithms 4
T1568.001 Fast Flux DNS 3
T1568.003 DNS Calculation 3