T1568 Sumo Logic CSE · Sumo

Detect Dynamic Resolution in Sumo Logic CSE

Adversaries may dynamically establish connections to command and control (C2) infrastructure to evade common detections and remediations. This is achieved using malware that shares a common algorithm with the adversary's infrastructure to dynamically determine communication parameters such as domain names, IP addresses, or port numbers. Sub-techniques include Fast Flux DNS (T1568.001) — where DNS TTLs are kept extremely short and A records rotate through large pools of IPs to resist takedown; Domain Generation Algorithms (T1568.002) — where both adversary infrastructure and malware use the same seeded pseudorandom algorithm to produce hundreds of candidate domains, with only a few registered at any given time; and DNS Calculation (T1568.003) — where DNS responses encode the C2 address directly (e.g., RTM malware converting Bitcoin blockchain data to IP octets). Real-world actors leveraging this technique include APT29, SUNBURST (randomly-generated subdomains within avsvmcloud.com), Gamaredon Group, TA2541, Transparent Tribe, BITTER, Gelsemium, Bisonal, and AsyncRAT operators. Detection focuses on three primary signals: connections to known dynamic DNS providers from non-browser processes, high-frequency DNS resolution bursts characteristic of DGA cycling, and anomalous IP volatility for a single FQDN indicating Fast Flux infrastructure.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1568 Dynamic Resolution
Canonical reference
https://attack.mitre.org/techniques/T1568/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
_sourceCategory=dns/logs OR _sourceCategory=windows/sysmon
| json auto
| where EventID == "22" OR _sourceCategory == "dns/logs"
| eval domain = toLower(coalesce(QueryName, DomainName, ""))
| where domain matches ".*(no-ip\.com|noip\.com|dyndns\.(org|com)|duckdns\.org|changeip\.com|afraid\.org|dynv6\.com|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net|servehttp\.com|serveftp\.com).*"
| eval risk = case(
    domain matches ".*(no-ip\.com|dyndns\.org|duckdns\.org).*", "high",
    domain matches ".*(hopto\.org|zapto\.org|ddns\.net).*", "high",
    true(), "medium")
| table _time, Computer, User, Image, domain, QueryResults, risk
| sort by _time desc
```

Severity: high · Confidence: medium

Detects DDNS provider domain resolutions used for C2 dynamic resolution in Sumo Logic.

Data Sources

  • DNS Logs via Sumo Logic
  • Windows Sysmon DNS Events

Required Tables

  • dns/logs
  • windows/sysmon

False Positives & Tuning

  • Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
  • Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
  • IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
  • Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Windows - Non-Browser DDNS Resolution via PowerShell

    Expected signal: Sysmon Event ID 22 (DNS Query): Two events with QueryName='atomictest-c2.duckdns.org' and 'atomictest-beacon.ddns.net', Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', QueryResults showing NXDOMAIN or resolved IP. Sysmon Event ID 1 (Process Create): powershell.exe with '-NoProfile -Command' command line. DeviceNetworkEvents in MDE: RemoteUrl containing 'duckdns.org' or 'ddns.net' if HTTP-level connection occurs.

  2. Test 2: Windows - DGA Simulation: Bulk Algorithmic Subdomain Resolution

    Expected signal: Sysmon Event ID 22: Seven DNS query events in rapid succession from nslookup.exe, QueryName matching 'xj3kp9mq2rtv.dyndns.org' through 'kx9mn3qt7vsc.dyndns.org', QueryResults=NXDOMAIN. Sysmon Event ID 3: UDP connections to 8.8.8.8:53 from nslookup.exe. Sysmon Event ID 1: cmd.exe with the for-loop command and nslookup.exe child processes. Security Event ID 4688 (with command-line auditing enabled).

  3. Test 3: Windows - DDNS Update API Callback (Adversary Infrastructure Registration)

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='www.duckdns.org', Image='powershell.exe'. Sysmon Event ID 3 (Network Connection): TCP connection to duckdns.org:443, DestinationHostname='www.duckdns.org', Image='powershell.exe'. Sysmon Event ID 1 (Process Create): powershell.exe with '-NoProfile -WindowStyle Hidden' in command line. DeviceNetworkEvents: RemoteUrl='www.duckdns.org', RemotePort=443, InitiatingProcessFileName='powershell.exe'.

  4. Test 4: Linux - DDNS Domain Resolution from Shell Process

    Expected signal: Auditd SYSCALL records: execve() calls for 'dig' and 'curl' binaries with full argument lists. Auditd SOCKADDR records (if network rules enabled): UDP connection to 8.8.8.8:53 from dig, TCP connection to ddns.net IP from curl. Syslog: DNS resolution events and connection attempts. If Sysmon for Linux is deployed: Sysmon EventCode 22 (DNS Query) for 'atomictest.hopto.org' and EventCode 3 (Network Connection) for connections to 8.8.8.8 and ddns.net IP. Network flow logs: UDP/53 to 8.8.8.8 from dig PID, TCP/80 to ddns.net IP from curl PID.
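The Sumo query above implements only the first of the three signals named in the overview (DDNS-provider lookups from non-browser processes); the added example below, which is not part of this detection package, runs all three over constructed Sysmon Event ID 22 records shaped like the Test 1 and Test 2 telemetry: the DDNS match with the query's risk scoring, the per-process NXDOMAIN burst that characterises DGA cycling, and distinct-answer counting per FQDN for Fast Flux. The browser allowlist, the 60-second/5-name burst threshold and the 4-IP flux threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# DDNS providers from the Sumo query above, anchored on the suffix so "ddns.net.example" is not matched.
DDNS_RE = re.compile(r"(?:^|\.)(no-ip\.com|noip\.com|dyndns\.(?:org|com)|duckdns\.org|changeip\.com|afraid\.org|dynv6\.com"
                     r"|hopto\.org|ddns\.net|zapto\.org|sytes\.net|redirectme\.net|servehttp\.com|serveftp\.com)$")
HIGH_RISK = {"no-ip.com", "dyndns.org", "duckdns.org", "hopto.org", "zapto.org", "ddns.net"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed browser allowlist; browser lookups are not the C2 signal
def ddns_hits(events):
    """Signal 1: DDNS-provider lookups from non-browser processes, risk-scored like the query above."""
    hits = []
    for e in events:
        m = DDNS_RE.search(e["QueryName"].lower())
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if m and image not in BROWSERS:
            hits.append((image, e["QueryName"], "high" if m.group(1) in HIGH_RISK else "medium"))
    return hits
def dga_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Signal 2: one process resolving >= threshold distinct NXDOMAIN names inside a sliding window."""
    by_image = defaultdict(list)
    for e in events:
        if e["QueryResults"] == "NXDOMAIN":
            by_image[e["Image"]].append((datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"), e["QueryName"]))
    flagged = {}
    for image, qs in by_image.items():
        qs.sort()
        for i, (t0, _) in enumerate(qs):
            names = {n for t, n in qs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[image] = max(flagged.get(image, 0), len(names))
    return flagged
def fast_flux(events, min_ips=4):
    """Signal 3: distinct A-record answers per FQDN (Sysmon writes IPv4 answers as '::ffff:a.b.c.d;')."""
    ips = defaultdict(set)
    for e in events:
        for ans in e["QueryResults"].split(";"):
            ans = ans.strip().removeprefix("::ffff:")
            if ans and ans not in ("NXDOMAIN", "-") and not ans.startswith("type:"):  # skip failures and CNAMEs
                ips[e["QueryName"].lower()].add(ans)
    return {name: len(s) for name, s in ips.items() if len(s) >= min_ips}
# Constructed Sysmon Event ID 22 records (not real telemetry) shaped like the Test 1 / Test 2 signals above.
PS, NS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\nslookup.exe"
_ev = lambda t, img, name, res: {"UtcTime": "2024-01-01 10:" + t, "Image": img, "QueryName": name, "QueryResults": res}
SAMPLE = ([_ev("00:00", PS, "atomictest-c2.duckdns.org", "NXDOMAIN"),
           _ev("00:01", PS, "atomictest-beacon.ddns.net", "::ffff:192.0.2.10;"),
           _ev("00:02", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "status.hopto.org", "::ffff:192.0.2.11;")]
          + [_ev(f"05:0{i}", NS, f"{n}.dyndns.org", "NXDOMAIN")
             for i, n in enumerate(["xj3kp9mq2rtv", "qz7lw4nc8hby", "tr2vm6kd9pxa", "wb8hn5js3qlf", "kx9mn3qt7vsc"])]
          + [_ev(f"1{i}:00", PS, "cdn-sync.example.net", f"::ffff:198.51.100.{i};") for i in range(1, 6)])
```

Against the sample, `ddns_hits` returns the two PowerShell lookups and the five nslookup lookups but drops the Chrome one, `dga_bursts` flags only nslookup.exe, and `fast_flux` flags only the name that answered with five different addresses.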
