title: Dynamic Resolution (T1568)
id: df00tech-t1568
status: experimental
description: "Adversaries may dynamically establish connections to command and control (C2) infrastructure to evade common detections and remediations. This is achieved using malware that shares a common algorithm with the adversary's infrastructure to dynamically determine communication parameters such as domain names, IP addresses, or port numbers. Sub-techniques include Fast Flux DNS (T1568.001) — where DNS TTLs are kept extremely short and A records rotate through large pools of IPs to resist takedown; Domain Generation Algorithms (T1568.002) — where both adversary infrastructure and malware use the same seeded pseudorandom algorithm to produce hundreds of candidate domains, with only a few registered at any given time; and DNS Calculation (T1568.003) — where DNS responses encode the C2 address directly (e.g., RTM malware converting Bitcoin blockchain data to IP octets). Real-world actors leveraging this technique include APT29, SUNBURST (randomly-generated subdomains within avsvmcloud.com), Gamaredon Group, TA2541, Transparent Tribe, BITTER, Gelsemium, Bisonal, and AsyncRAT operators. Detection focuses on three primary signals: connections to known dynamic DNS providers from non-browser processes, high-frequency DNS resolution bursts characteristic of DGA cycling, and anomalous IP volatility for a single FQDN indicating Fast Flux infrastructure."
references:
  - https://attack.mitre.org/techniques/T1568/
  - https://df00tech.com/detections/T1568
author: df00tech
date: 2026/03/19
tags:
  - attack.t1568
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Developers or system administrators accessing personal DDNS-registered home lab or remote access infrastructure (common with No-IP or DuckDNS for self-hosted services)
  - Remote access tools such as TeamViewer, AnyDesk, or VNC clients that use DDNS to locate remote endpoints when the user has configured a DDNS address for their home machine
  - IoT management software, IP camera viewers, or NVR clients that connect to consumer DDNS services to locate home surveillance equipment
  - Network monitoring agents or IT automation tools that use DDNS-hosted endpoints for health check callbacks or configuration retrieval
level: high
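The rule above only ships a placeholder selection, so as an added illustration (not part of the df00tech rule or any vendor query) here is a small Python detector for two of the three signals named in the description: a per-host burst of distinct, mostly NXDOMAIN lookups characteristic of DGA cycling, and a single FQDN that resolves to many different IPs with short TTLs, characteristic of Fast Flux. The DNS records, host names, domains and thresholds are all constructed assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample DNS log records (not from any real environment):
# (epoch seconds, source host, query name, rcode, answered IPs, TTL seconds)
DNS_LOG = [
    (1000, "ws01", "www.example.com", "NOERROR", ["93.184.216.34"], 3600),
    (1001, "ws02", "kq3xv8tz.net", "NXDOMAIN", [], 0),
    (1002, "ws02", "pl9zu1aa.net", "NXDOMAIN", [], 0),
    (1003, "ws02", "r0cj7wqd.net", "NXDOMAIN", [], 0),
    (1004, "ws02", "mmv5hh2k.net", "NXDOMAIN", [], 0),
    (1005, "ws02", "ab71kz0e.net", "NOERROR", ["198.51.100.7"], 60),
    (1010, "ws03", "cdn.fluxy-example.org", "NOERROR", ["203.0.113.5"], 30),
    (1050, "ws03", "cdn.fluxy-example.org", "NOERROR", ["203.0.113.9"], 30),
    (1090, "ws03", "cdn.fluxy-example.org", "NOERROR", ["198.51.100.22"], 30),
    (1130, "ws03", "cdn.fluxy-example.org", "NOERROR", ["192.0.2.77"], 30),
]


def dga_bursts(log, window=60, min_distinct=4, min_nx_ratio=0.5):
    """DGA signal: a host querying many distinct names in a short window,
    most of them NXDOMAIN (only a few candidates are registered at a time).
    Returns {host: (distinct_names, nxdomain_count)} for the first hit."""
    by_host = defaultdict(list)
    for ts, host, qname, rcode, _, _ in log:
        by_host[host].append((ts, qname, rcode))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - t0 <= window]  # sliding window
            names = {q for _, q, _ in win}
            nx = sum(1 for _, _, rc in win if rc == "NXDOMAIN")
            if len(names) >= min_distinct and nx / len(win) >= min_nx_ratio:
                hits[host] = (len(names), nx)
                break
    return hits


def fast_flux_fqdns(log, min_ips=3, max_ttl=300):
    """Fast Flux signal: one FQDN answered with many distinct IPs, every
    answer carrying a short TTL. Returns {fqdn: sorted list of IPs}."""
    ips, short_ttl = defaultdict(set), defaultdict(lambda: True)
    for _, _, qname, rcode, answers, ttl in log:
        if rcode != "NOERROR" or not answers:
            continue
        ips[qname].update(answers)
        short_ttl[qname] &= ttl <= max_ttl
    return {q: sorted(a) for q, a in ips.items() if len(a) >= min_ips and short_ttl[q]}


if __name__ == "__main__":
    print("DGA bursts:", dga_bursts(DNS_LOG))
    print("Fast Flux FQDNs:", fast_flux_fqdns(DNS_LOG))
```

Tune `window`, `min_distinct` and `min_ips` against your own resolver baseline; CDNs with legitimately large, short-TTL IP pools are the main source of noise for the Fast Flux check.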
