Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

ID: T1637
Sub-techniques:  T1637.001
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.1
Created: 05 April 2022
Last Modified: 14 August 2023

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[1] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[2] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

References