T1568: Dynamic Resolution
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact with the primary command and control server is lost, malware may employ dynamic resolution as a means of reestablishing command and control.
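The following is an added illustration, not code from the original page or from any real malware family: a date-seeded domain generation algorithm (DGA) that the implant and the operator's registration script both embed, so they agree on the day's candidate domains without any of them being hard-coded in the binary. It also shows the fallback behaviour described above (walk the generated list only once the primary server stops answering) and the defender-side step named in the mitigation below (once the algorithm and seed are recovered from a sample, enumerate future domains for a sinkhole or blocklist). The seed value, the 12-letter label format, the TLD set and the `reachable` set standing in for DNS are all assumptions made for the example.

```python
import datetime as dt
import hashlib
from typing import List, Optional, Set

# Constructed example: SEED and the label format are assumptions. In a real
# campaign the seed is whatever the operator compiled into the implant.
SEED = b"example-campaign-seed"
TLDS = ("com", "net", "org")


def _day_key(day: str) -> bytes:
    """Canonical per-day input shared by both sides: 'YYYY-MM-DD' -> b'YYYYMMDD'."""
    return dt.date.fromisoformat(day).strftime("%Y%m%d").encode()


def dga_domains(day: str, seed: bytes = SEED, count: int = 8) -> List[str]:
    """Return `count` candidate C2 domains for `day`, in the order the implant tries them."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + _day_key(day) + bytes([i])).digest()
        # 12 lowercase letters from the first 12 hash bytes; byte 12 picks the TLD
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def find_c2(day: str, reachable: Set[str], primary: str = "c2.example.com") -> Optional[str]:
    """Fallback channel: keep using the hard-coded primary while it answers; when it
    is gone (taken down, sinkholed, blocked) walk the day's DGA list in order and
    stop at the first domain that resolves. `reachable` stands in for DNS lookups."""
    if primary in reachable:
        return primary
    for candidate in dga_domains(day):
        if candidate in reachable:
            return candidate
    return None


def precompute_blocklist(start: str, days: int, seed: bytes = SEED) -> Set[str]:
    """Defender side: with the algorithm and seed recovered from a sample, enumerate
    every domain the implant will try over the next `days` days so they can be fed
    to a DNS sinkhole or IPS blocklist before the operator registers them."""
    first = dt.date.fromisoformat(start)
    return {
        d
        for n in range(days)
        for d in dga_domains((first + dt.timedelta(days=n)).isoformat(), seed)
    }


if __name__ == "__main__":
    today = "2024-05-01"
    print("today's candidates:", dga_domains(today)[:3], "...")
    # operator registered only the 4th candidate; the primary has been taken down
    registered = {dga_domains(today)[3]}
    print("implant reconnects via:", find_c2(today, registered))
    print("blocklist for the next 7 days:", len(precompute_blocklist(today, 7)), "domains")
```

Because the operator only needs to register one of the day's candidates, a defender who blocks just the domain seen in one capture achieves little; the useful artefact from reversing is the seed and the function, which is what makes `precompute_blocklist` possible and why the mitigation text calls it resource intensive.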
Positive Technologies products that cover the technique
Detection
PT NAD uses machine learning to detect domains produced by Domain Generation Algorithms (DGAs), which adversaries can use to locate C2 servers. PT NAD also has rules that detect the use of dynamic DNS (DDNS) services.
Examples of PT NAD detection rules
- ET POLICY DNS Query to DynDNS Domain *.ddns .net (sid 2028675)
- ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain (sid 2013744)
Examples of PT NAD filters
- rpt.cat == "dga"
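As an added example (not PT NAD's model or rule logic, and not code from the original page), the script below runs two of the checks described above over a constructed DNS query log: a suffix match for the dynamic DNS providers named in the two ET rules (ddns.net and no-ip), and a lexical DGA heuristic on the registrable label (length, vowel ratio, longest consonant run, digit ratio, entropy). The log format, the thresholds and the DDNS suffix list are assumptions made for the example; a production detector learns its thresholds from labelled data and uses a proper public-suffix list.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed suffix list built from the two providers named in the rules above.
# A production list would cover many more dynamic DNS providers.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".no-ip.org")
VOWELS = set("aeiou")

# Constructed DNS query log (format assumed): "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.google.com
2024-05-01T10:00:02Z 10.0.0.5 A update.microsoft.com
2024-05-01T10:00:03Z 10.0.0.7 A stackoverflow.com
2024-05-01T10:00:04Z 10.0.0.9 A cdn.cloudfront.net
2024-05-01T10:00:05Z 10.0.0.9 A xkqzvbwtrplm.com
2024-05-01T10:00:06Z 10.0.0.9 A qwhsgrtmlkdpwoiv.net
2024-05-01T10:00:07Z 10.0.0.9 A a8f3kd9s1lq0.org
2024-05-01T10:00:08Z 10.0.0.12 A myhost.ddns.net
2024-05-01T10:00:09Z 10.0.0.12 A camera01.no-ip.com
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def label_features(label: str) -> Dict[str, float]:
    """Lexical features of one DNS label (lowercase)."""
    best = cur = 0
    for ch in label:
        # digits and other non-letters end a consonant run
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "max_consonant_run": best,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def registrable_label(qname: str) -> str:
    """Label left of the TLD; toy version that assumes a one-label public suffix."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(qname: str) -> str:
    """'ddns' for dynamic DNS providers, 'dga' for random-looking labels, else 'benign'."""
    name = qname.rstrip(".").lower()
    if any(name.endswith(sfx) for sfx in DDNS_SUFFIXES):
        return "ddns"
    f = label_features(registrable_label(name))
    # Thresholds are constructed for this example, not learned.
    if f["length"] >= 10 and (
        f["vowel_ratio"] <= 0.25 or f["max_consonant_run"] >= 5 or f["digit_ratio"] >= 0.3
    ):
        return "dga"
    return "benign"


def triage_log(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (client, qname) pairs by category, the way an analyst would narrow
    PT NAD output with rpt.cat == "dga" or with the DDNS signature hits."""
    groups: Dict[str, List[Tuple[str, str]]] = {"dga": [], "ddns": [], "benign": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, _qtype, qname = m.groups()
        groups[classify(qname)].append((client, qname))
    return groups


if __name__ == "__main__":
    for cat, hits in triage_log(SAMPLE_LOG).items():
        if cat != "benign":
            for client, qname in hits:
                print(f"{cat:5s} {client:10s} {qname}")
```

Note that a single lexical hit is a weak signal on its own (CDN and tracking hostnames are also random-looking); the value comes from correlating it with the flow-level signals in the data sources below, such as a burst of NXDOMAIN answers from one host that then succeeds on one name.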
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
Mitigation
| ID | Name | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time and resource intensive effort. |
| M1021 | Restrict Web-Based Content | In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution. |