# T1568 Dynamic Resolution

-----------------------------------------------------------------------

## Technique Description

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

## Technique Detection

Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm-generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has used dynamic DNS services to set up C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.(Citation: Volexity SolarWinds)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has incorporated dynamic DNS domains in its infrastructure.(Citation: Unit 42 Gamaredon February 2022)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.(Citation: Volexity SolarWinds)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1568)

  * [Talos Ccleanup 2017](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html), Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.

  * [Fireeye Poshspy April 2017](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html), Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.

  * [Eset Sednit 2017 Activity](https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/), ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.

  * [Data Driven Security Dga](https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/), Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 23 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will dynamically establish connections to command and control infrastructure to evade common detections and remediations.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| UNC2452 | X | 1 |

#### APT28
- CHOPSTICK (backdoor used by APT28) can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.

#### APT29
- MiniDuke (malware used by APT29) can use a DGA to generate new Twitter URLs for C2.
- POSHSPY (backdoor used by APT29) uses a DGA to derive command and control URLs from a word list.

#### UNC2452
- UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.

## Detection Blindspots

- Based on the data sources cited for this technique, a network analyst may provide better detection results.

## Analytical References
- https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- https://medium.com/@soji256/how-to-get-a-log-of-dns-queries-with-sysmon-330c62712c05

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Good visibility, but this is more of an IOC-style detection, so implement it within Suricata.

- LFA will assist in hunting for this TTP. Suspicious domains can be easily spotted in an exported unique list.

- Narrow your time scope due to the potential amount of DNS traffic on the network.

- Host tools are a better way to hunt this.

- Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms.
    - There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.
    - CDN domains may trigger these detections due to the format of their domain names.
    - In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.

#### Analytic 1

  * **Information:** 'Identify domains being queried'

  * **Source:** 'PCAP, sessions*, Sysmon'

  * **Tool:** 'Arkime, Kibana'

  * **Notes:**
      - 'Creating Kibana visualizations/dashboards will assist in hunting this TTP'

      - 'Suggest creating a Suricata rule to alert on pseudo-randomly generated characters in a domain'

      - 'Processes that query DNS should be investigated'

      
  * **Arkime Query:** `protocols == dns && host.dns == EXISTS!`
  
  * **Kibana Query:** `event.code: 22`
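As an added example (not part of this playbook or of any tool it names), the name-based checks from the Technique Detection section (entropy, vowel ratio, dictionary-word proportion, the CDN caveat, and rarity) applied in Python to constructed Sysmon Event ID 22 records of the kind the Kibana query above returns, keeping the querying process alongside each hit. The word list, CDN allowlist and thresholds are assumptions to tune locally.

```python
import math
from collections import Counter

# Constructed Sysmon Event ID 22 (DnsQuery) records cut down to the two fields the hunt needs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "login.microsoftonline.com"},
    {"Image": r"C:\Users\bob\AppData\Roaming\update.exe", "QueryName": "xq7kzpw3vbt9.dyn-example.net"},
    {"Image": r"C:\Program Files\Google\Chrome\chrome.exe", "QueryName": "d1a2b3c4e5f6.cloudfront.net"},
]
# Tiny constructed word list standing in for a real dictionary (longest words first).
WORDS = sorted({"login", "microsoft", "online", "update", "mail", "example"}, key=len, reverse=True)
# CDN suffixes whose labels look random by design; an assumed allowlist to tune locally.
CDN_SUFFIXES = (".cloudfront.net", ".akamaiedge.net")
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def vowel_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def dictionary_coverage(s: str) -> float:
    # Fraction of characters covered by greedy longest-match dictionary words.
    i = covered = 0
    while i < len(s):
        word = next((w for w in WORDS if s.startswith(w, i)), None)
        covered += len(word) if word else 0
        i += len(word) if word else 1
    return covered / len(s) if s else 0.0

def score_domain(fqdn: str) -> dict:
    # Score the longest non-TLD label; the thresholds are assumed starting points, not tuned values.
    labels = fqdn.lower().rstrip(".").split(".")
    label = max(labels[:-1] or labels, key=len)
    ent, vr, cov = shannon_entropy(label), vowel_ratio(label), dictionary_coverage(label)
    dga_like = len(label) >= 8 and cov < 0.3 and (ent >= 3.0 or vr < 0.25)
    return {"label": label, "entropy": round(ent, 2), "vowel_ratio": round(vr, 2), "dict_coverage": round(cov, 2),
            "dga_like": dga_like, "cdn": fqdn.lower().endswith(CDN_SUFFIXES)}

def hunt(events: list) -> list:
    # DGA-like, non-CDN queries with the querying process and how often the name was seen (1 == rare).
    counts = Counter(e["QueryName"].lower() for e in events)
    hits = []
    for e in events:
        s = score_domain(e["QueryName"])
        if s["dga_like"] and not s["cdn"]:
            hits.append({**s, "image": e["Image"], "query": e["QueryName"], "seen": counts[e["QueryName"].lower()]})
    return hits
```

The CDN record is scored as DGA-like but suppressed by the allowlist, which is the false-positive case the hunter notes warn about.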