Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
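As an added illustration (not part of the ATT&CK page or any mapped product), the following Python detector applies the defender-side heuristic the DNS alert mappings below describe: it scores each queried name for "random-looking" registrable labels and counts, per client, NXDOMAIN responses to such names, which is the pattern malware produces while walking a domain generation algorithm. The log format, thresholds, and sample lines are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS resolver log: "client queried_name response_code"
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3qz9vbtw2nm.com NXDOMAIN
10.0.0.7 qpd7lzrt0ybvh.net NXDOMAIN
10.0.0.7 gj8xwmn2kqzv4.org NXDOMAIN
10.0.0.7 lzb0vmqx7tpnd.com NXDOMAIN
10.0.0.9 cdn.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Naive second-level label; assumes a single-label public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.2) -> bool:
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor label."""
    label = registrable_label(domain)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy and vowel_ratio < 0.25


def flag_dga_clients(log_text: str, nxdomain_threshold: int = 3) -> dict:
    """Count DGA-looking NXDOMAIN lookups per client; return clients at or over threshold."""
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_client[client] += 1
    return {c: n for c, n in per_client.items() if n >= nxdomain_threshold}


if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_DNS_LOG))  # {'10.0.0.7': 4}
```

The vowel-ratio check is what keeps long legitimate labels such as "microsoftonline" below the line; in production the public-suffix handling and thresholds need tuning against the organisation's own baseline, as the "partial accuracy" notes in the mappings below indicate.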
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1568 | Dynamic Resolution | Comments: This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1568 | Dynamic Resolution | Comments: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1568 | Dynamic Resolution | Comments: This diagnostic statement protects against Dynamic Resolution through the use of secure network configurations, architecture, zero trust architecture implementations, and segmentation. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1568 | Dynamic Resolution | |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | mitigates | T1568 | Dynamic Resolution | |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | mitigates | T1568 | Dynamic Resolution | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | mitigates | T1568 | Dynamic Resolution | |
SI-03 | Malicious Code Protection | mitigates | T1568 | Dynamic Resolution | |
SI-04 | System Monitoring | mitigates | T1568 | Dynamic Resolution | |
AC-04 | Information Flow Enforcement | mitigates | T1568 | Dynamic Resolution | |
SC-07 | Boundary Protection | mitigates | T1568 | Dynamic Resolution | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_dns | Alerts for DNS | technique_scores | T1568 | Dynamic Resolution | Comments: Can identify "random" DNS occurrences, which can be associated with the Domain Generation Algorithms or Fast Flux DNS sub-techniques. Partial for coverage and accuracy (potential for false positives on benign traffic). |
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1568 | Dynamic Resolution | Comments: This control can be used for after-the-fact analysis of potential fast-flux DNS C2. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1568 | Dynamic Resolution | Comments: GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations: Trojan:EC2/DGADomainRequest.B, Trojan:EC2/DGADomainRequest.C!DNS |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1568.002 | Domain Generation Algorithms | 17 |
T1568.001 | Fast Flux DNS | 5 |
T1568.003 | DNS Calculation | 3 |