T1568: Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.

Positive Technologies products that cover the technique

Detection

PT NAD uses machine learning to detect Domain Generation Algorithms (DGAs), which can be used by adversaries to communicate with C2 servers. PT NAD has also rules detecting dynamic DNS (DDNS) services.

Examples of PT NAD detection rules

  • ET POLICY DNS Query to DynDNS Domain *.ddns .net (sid 2028675)
  • ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain (sid 2013744)

Examples of PT NAD filters

  • rpt.cat == "dga"

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0029Data source and componentNetwork Traffic: Network Connection CreationDescription

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Mitigation

IDM1031NameNetwork Intrusion PreventionDescription

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time and resource intensive effort.

IDM1021NameRestrict Web-Based ContentDescription

In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.