Skip to content

DET0485 Detection Strategy for Dynamic Resolution using Fast Flux DNS

Item Value
ID DET0485
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1568.001 (Fast Flux DNS)

Analytics

Windows

AN1331

Identify repeated DNS resolutions where the same domain name returns multiple IPs in short succession, combined with low TTL values and high query volume from unusual processes. Correlate with process lineage (e.g., Office apps spawning abnormal DNS lookups).

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Security EventCode=1
Mutable Elements
Field Description
DNSQueryBurstThreshold Number of unique IPs returned per domain in a short window
TimeWindow Adjust correlation timeframe for fast flux detection (e.g., 5–10 minutes)

Linux

AN1332

Monitor resolver logs and auditd events for domains resolving to a rotating set of IPs within very short TTL intervals. Correlate high query rates from non-browser applications (e.g., python, curl).

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) auditd:SYSCALL socket/connect
Mutable Elements
Field Description
TTLThreshold Minimum TTL value considered suspicious (e.g., < 60 seconds)
DomainReputationFeed External TI feed to exclude benign CDN or load balancer behavior

macOS

AN1333

Use unified logs to identify processes issuing repeated DNS queries where the resolved IP addresses change frequently within very short TTL values. Correlate with outbound network traffic to validate C2-like patterns.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) macos:unifiedlog Rapid domain-to-IP resolution changes for same domain
Process Creation (DC0032) macos:unifiedlog Unexpected apps generating frequent DNS queries
Mutable Elements
Field Description
DNSRotationRate Rate of IP churn per domain to trigger detection
NewDomainThreshold Flag if domain was registered recently (e.g., < 30 days)

ESXi

AN1334

Monitor ESXi syslog and esxcli outputs for abnormal DNS resolver behavior, such as frequent domain-to-IP changes or unauthorized modifications of DNS settings used by management agents. Correlate domain lookups with short TTL values.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:syslog Frequent DNS resolution of same domain with rotating IPs
Mutable Elements
Field Description
ResolverConfigPaths Whitelist of expected DNS resolvers configured on ESXi
ExternalDomainWhitelist Known trusted external domains for hypervisor services