Dynamic Resolution - T1568
(ATT&CK® Technique)
Definition
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
D3FEND Inferred Relationships
Dynamic Resolution (T1568) produces the artifact Outbound Internet DNS Lookup Traffic (d3f:OutboundInternetDNSLookupTraffic).

Defensive techniques that analyze Outbound Internet DNS Lookup Traffic and may-detect Dynamic Resolution (T1568):
DNS Traffic Analysis (d3f:DNSTrafficAnalysis)
Relay Pattern Analysis (d3f:RelayPatternAnalysis)
Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection)
Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis)
Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation)
User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis)
Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis)
Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection)
Client-server Payload Profiling (d3f:Client-serverPayloadProfiling)

Defensive techniques that block Outbound Internet DNS Lookup Traffic and may-isolate Dynamic Resolution (T1568):
DNS Allowlisting (d3f:DNSAllowlisting)
DNS Denylisting (d3f:DNSDenylisting)
Forward Resolution Domain Denylisting (d3f:ForwardResolutionDomainDenylisting)
Reverse Resolution IP Denylisting (d3f:ReverseResolutionIPDenylisting)

Defensive techniques that filter Outbound Internet DNS Lookup Traffic and may-isolate Dynamic Resolution (T1568):
Network Traffic Filtering (d3f:NetworkTrafficFiltering)
Outbound Traffic Filtering (d3f:OutboundTrafficFiltering)