Command and Control

T1568: Dynamic Resolution

T1568 · Technique · 4 platforms · 8 groups

Description

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Platforms

ESXi, Linux, macOS, Windows

Sub-Techniques (3)

Mitigations (2)

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine the future C2 infrastructure that the malware will attempt to contact, but this is a time- and resource-intensive effort.

M1021: Restrict Web-Based Content

In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.
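A starting-point detection for the resolution patterns this page describes (dynamic DNS providers such as DuckDNS and No-IP, wildcard services such as sslip.io and nip.io that embed the target IP in the hostname, and randomly generated subdomains), run over constructed DNS query log lines. This is an added example, not code from the ATT&CK page; the provider list, the naive two-label suffix logic and the entropy threshold are assumptions to tune for your environment, and a production version would use the public suffix list and a sinkhole or alerting action instead of returning findings.

```python
import math
import re
from collections import Counter

# Constructed sample log: "<client ip> <queried name>" per line (not real telemetry).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 updates.microsoft.com
10.0.0.7 myhost.duckdns.org
10.0.0.7 corp-vpn.no-ip.com
10.0.0.9 203-0-113-10.sslip.io
10.0.0.9 10.0.0.25.nip.io
10.0.0.11 7hv4k2q9x1zd.cdn.example.net
"""

# Assumed starter list of DDNS / wildcard-DNS zones named on this page; extend per environment.
DDNS_PROVIDERS = {"duckdns.org", "no-ip.com", "con-ip.com", "sslip.io", "nip.io"}

# sslip.io / nip.io style names carry an IPv4 address in the label, dotted or dashed.
IP_IN_NAME = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random DGA-style labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registrable_suffix(name: str) -> str:
    """Naive registrable domain: the last two labels (assumption; use the PSL in production)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(name: str, entropy_threshold: float = 3.5, min_label_len: int = 10) -> list:
    """Return the list of matched indicators for one queried name (empty if benign-looking)."""
    findings = []
    if registrable_suffix(name) in DDNS_PROVIDERS:
        findings.append("ddns-provider")
    if IP_IN_NAME.search(name):
        findings.append("ip-in-hostname")
    first = name.split(".")[0]
    if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
        findings.append("high-entropy-label")
    return findings


def scan_log(text: str) -> list:
    """Return (client, name, findings) for every log line that matched at least one indicator."""
    alerts = []
    for line in text.splitlines():
        client, name = line.split()
        findings = classify(name)
        if findings:
            alerts.append((client, name, findings))
    return alerts
```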

Threat Groups (8)

| ID | Group | Context |
| --- | --- | --- |
| G1042 | RedEcho | [RedEcho](https://attack.mitre.org/groups/G1042) used dynamic DNS domains associated with malicious infrastructure.(Citation: RecordedFuture RedEcho 2... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used dynamic DNS services for C2 infrastructure.(Citation: Proofpoint TA2541 February 2022) |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has used dynamic DNS services to set up C2.(Citation: Proofpoint Operation Transparent Trib... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has used DDNS for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used Dynamic DNS providers for their malware C2 infrastructure.(Citation: Mandiant APT29 Eye Spy Em... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used Dynamic DNS (DDNS) services, such as FreeDNS or No-IP DDNS, to include servers located in So... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has incorporated dynamic DNS domains in its infrastructure.(Citation: Unit 42 Gamaredon Febru... |

Associated Software (10)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0671 | Tomiris | Malware | [Tomiris](https://attack.mitre.org/software/S0671) has connected to a signalization server that provides a URL and port, and then [Tomiris](https://at... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can use dynamic DNS domain names in C2.(Citation: ESET Gelsemium June 2021) |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) has resolved [Pony](https://attack.mitre.org/software/S0453) C2 server IP addresses by either convertin... |
| S0034 | NETEAGLE | Malware | [NETEAGLE](https://attack.mitre.org/software/S0034) can use HTTP to download resources that contain an IP address and port number pair to connect to f... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has forged POST strings with a random choice from a list of possibilities including "forum", "php", "v... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can be configured to use dynamic DNS.(Citation: AsyncRAT GitHub) |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized DNS services sslip.io and nip.io to resolve C2 IP addresses.(Citation: Google BRICK... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) has used dynamic DNS domains in C2 communications.(Citation: Check Point Blind Eagle MAR 2025) |
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) has used a dynamic DNS service for C2.(Citation: Talos Bisonal Mar 2020) |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.(C... |

Frequently Asked Questions

What is T1568 (Dynamic Resolution)?

T1568 is a MITRE ATT&CK technique named 'Dynamic Resolution'. It belongs to the Command and Control tactic(s). Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorith...

How can T1568 be detected?

Detection of T1568 (Dynamic Resolution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1568?

There are 2 documented mitigations for T1568. Key mitigations include: Network Intrusion Prevention, Restrict Web-Based Content.

Which threat groups use T1568?

Known threat groups using T1568 include: RedEcho, TA2541, Transparent Tribe, BITTER, APT29, Kimsuky, APT-C-36, Gamaredon Group.