1. Home
  2. ATT&CK Techniques
  3. T1568 Dynamic Resolution

T1568 Dynamic Resolution Mappings

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-4 Information Flow Enforcement Protects T1568 Dynamic Resolution
CA-7 Continuous Monitoring Protects T1568 Dynamic Resolution
SC-20 Secure Name/address Resolution Service (authoritative Source) Protects T1568 Dynamic Resolution
SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver) Protects T1568 Dynamic Resolution
SC-22 Architecture and Provisioning for Name/address Resolution Service Protects T1568 Dynamic Resolution
SC-7 Boundary Protection Protects T1568 Dynamic Resolution
SI-3 Malicious Code Protection Protects T1568 Dynamic Resolution
SI-4 System Monitoring Protects T1568 Dynamic Resolution
azure_sentinel Azure Sentinel technique_scores T1568 Dynamic Resolution
Comments
This control only provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
azure_dns_analytics Azure DNS Analytics technique_scores T1568 Dynamic Resolution
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2
References
  1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
alerts_for_dns Alerts for DNS technique_scores T1568 Dynamic Resolution
Comments
Can identify "random" DNS occurences which can be associated with domain generation algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positive/benign).
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1568.002 Domain Generation Algorithms 11
T1568.001 Fast Flux DNS 2