T1568 - Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Atomic Tests

Currently, no tests are available for this technique.

Detection

Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
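As an added illustration (not part of the ATT&CK page), the following Python scores each hostname label with three of the features named above (Shannon entropy, vowel ratio, and dictionary-word coverage) and shows why a CDN hostname with a random-looking label trips the same thresholds. The word list, thresholds, the `cdn.example.net` allowlist entry and the sample domains are all constructed assumptions; a real deployment would load a full dictionary and tune thresholds on its own DNS baseline.

```python
import math
from collections import Counter

# Constructed mini word list; a real deployment would load a full dictionary.
DICTIONARY = {"cloud", "front", "static", "cdn", "mail", "update", "secure", "login",
              "bank", "news", "shop", "data", "net", "web", "image", "edge", "example"}
# Constructed allowlist of CDN parent domains whose hostnames are legitimately random-looking.
KNOWN_CDN_PARENTS = {"cdn.example.net"}
VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character; a uniformly random 16-char label scores 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def vowel_ratio(s):
    """Vowels divided by alphabetic characters (DGA output tends to be consonant-heavy)."""
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def dictionary_coverage(s):
    """Fraction of characters covered by dictionary words, greedy longest-match first."""
    words = sorted(DICTIONARY, key=len, reverse=True)
    i = covered = 0
    while i < len(s):
        hit = next((w for w in words if s.startswith(w, i)), None)
        covered += len(hit) if hit else 0
        i += len(hit) if hit else 1
    return covered / len(s) if s else 0.0

def label_is_dga_like(label):
    """Illustrative thresholds (assumptions); tune them against your own DNS baseline."""
    return (len(label) >= 12 and shannon_entropy(label) > 3.3
            and vowel_ratio(label) < 0.3 and dictionary_coverage(label) < 0.5)

def score_domain(domain):
    """Return (verdict, reason). Every label left of the TLD is scored, so CDN hostnames are visible."""
    parts = domain.lower().rstrip(".").split(".")
    for depth in range(1, len(parts)):           # suppress known CDN parents first
        parent = ".".join(parts[depth:])
        if parent in KNOWN_CDN_PARENTS:
            return "allowlisted", f"parent {parent} is a known CDN"
    for label in parts[:-1]:
        if label_is_dga_like(label):
            return "suspicious", f"label {label!r} looks algorithmically generated"
    return "benign", "no label exceeded thresholds"

if __name__ == "__main__":
    # Constructed sample of resolved names: a normal site, a DGA-style name, a CDN hostname.
    for d in ["www.example.com", "xk3jd9qwplzv8ymt.com", "d1a2b3c4e5f6g7h8.cdn.example.net"]:
        print(d, *score_domain(d))
```

Without the allowlist the CDN hostname would be reported as suspicious on exactly the same features as the DGA-style name, which is the false-positive class the paragraph warns about.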

Shield Active Defense

Hunting

Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.

Within the defender’s environments, hunting presupposes a failure of initial prevention or detection, and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Typically the hunt is informed by intelligence on adversary TTPs and infrastructure. Defenders also hunt adversaries outside the defended environment. Information about the adversary, including their skills, TTPs, and infrastructure can be used to improve defenses or promote better adversary engagement. Defenders also hunt for information about their organization that is available for free or for purchase. Actively researching organizational exposure or inclusion in password dumps, leaks, etc. helps defenders focus on specific detections and proactive countermeasures.

Opportunity

If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools.

Use Case

A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.

Procedures

Pivot on Command and Control information to identify other infrastructure used by the same adversary. Use information about an adversary's TTPs to perform retroactive searches for any activity that has gone undetected.