Dynamic Resolution T1568

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Events covered

9 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 8 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field               | Rules | How             | Sample values
IsActive            | 2     | eq (2)          | true
ObservableKey       | 2     | eq (2)          | domain-name:value, ipv4-addr:value
ObservableValue     | 2     | is_not_null (2) |
description         | 2     | starts_with (2) | Recorded Future - Threat Hunt
DNSQueryCount       | 1     | gt (1)          | 100
DestinationHostname | 1     | contains (1)    | tunnel.ap.ngrok.com, tunnel.au.ngrok.com, tunnel.eu.ngrok.com
DnsQueryTypeName    | 1     | in (1)          | A, AAAA
DnsResponseCodeName | 1     | is_not_null (1) |
Domain              | 1     | is_not_null (1) |
NXDOMAINCount       | 1     | gt (1)          | 200
QueryName           | 1     | contains (1)    | .
SrcIPs              | 1     | ge (1)          | 2
Status              | 1     | contains (1)    | nxdomain, refused, servfail
count_              | 1     | gt (1)          | 200
dest_ip             | 1     | is_not_null (1) |

Top indicator values (107 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field               | Kind        | Value                          | Rules (here) | Corpus reach
IsActive            | eq          | true                           | 2            | 6
description         | starts_with | Recorded Future - Threat Hunt  | 2            | 3
DNSQueryCount       | gt          | 100                            | 1            |
DestinationHostname | contains    | tunnel.ap.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.au.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.eu.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.in.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.jp.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.sa.ngrok.com            | 1            |
DestinationHostname | contains    | tunnel.us.ngrok.com            | 1            |
DnsQueryTypeName    | in          | A                              | 1            |
DnsQueryTypeName    | in          | AAAA                           | 1            |
NXDOMAINCount       | gt          | 200                            | 1            |
ObservableKey       | eq          | domain-name:value              | 1            | 2
ObservableKey       | eq          | ipv4-addr:value                | 1            | 2
QueryName           | contains    | .                              | 1            |
SrcIPs              | ge          | 2                              | 1            |
Status              | contains    | nxdomain                       | 1            |
Status              | contains    | refused                        | 1            |
Status              | contains    | servfail                       | 1            |
count_              | gt          | 200                            | 1            |
dns.question.name   | wildcard    | *.blob.core.windows.net        | 1            |
dns.question.name   | wildcard    | *.blob.storage.azure.net       | 1            |
dns.question.name   | wildcard    | *.blogspot.com                 | 1            |
dns.question.name   | wildcard    | *.cdnmegafiles.com             | 1            |
dns.question.name   | wildcard    | *.cloud.es.io                  | 1            |
dns.question.name   | wildcard    | *.devtunnels.ms                | 1            |
dns.question.name   | wildcard    | *.elastic-cloud.com            | 1            |
dns.question.name   | wildcard    | *.ngrok.io                     | 1            |
dns.question.name   | wildcard    | *.onedrive.org                 | 1            |

Exclusions (73 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind     | Value                                                           | Rules excluding
Image | wildcard | ?:\program files (x86)\*.exe                                    | 1
Image | wildcard | ?:\program files\*.exe                                          | 1
Image | wildcard | ?:\programdata\microsoft\windows defender\platform\*\msmpeng.exe | 1
Image | wildcard | ?:\users\*\appdata\local\bravesoftware\*\application\brave.exe  | 1
Image | wildcard | ?:\users\*\appdata\local\google\chrome\application\chrome.exe   | 1
Image | wildcard | ?:\users\*\appdata\local\microsoft\onedrive\onedrive.exe        | 1
Image | wildcard | ?:\users\*\appdata\local\powertoys\powertoys.exe                | 1
Image | wildcard | ?:\users\*\appdata\local\programs\fiddler\fiddler.exe           | 1
Image | wildcard | ?:\users\*\appdata\local\programs\opera*\opera.exe              | 1
Image | wildcard | ?:\users\*\appdata\local\vivaldi\application\vivaldi.exe        | 1
Image | wildcard | ?:\users\*\appdata\local\zen browser\zen.exe                    | 1
Image | wildcard | ?:\users\*\wavesor software\wavebrowser\wavebrowser.exe         | 1
Image | wildcard | ?:\windows\system32\microsoftedgecp.exe                         | 1
Image | wildcard | ?:\windows\system32\mobsync.exe                                 | 1
Image | wildcard | ?:\windows\system32\smartscreen.exe                             | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.

Sigma: 1 rule

Elastic: 1 rule

Kusto: 6 rules