T1568: T1568
Essential information
- MITRE technique ID
T1568- Confidence
- 100/100
- Revoked
- No
- Published
- 10/03/2020 18:28
- Modified
- 02/04/2026 19:32
- Author / Source
- The MITRE Corporation
Aliases
Dynamic Resolution
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
-
nitrogen usesAlienVault Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
DarkGate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Vo1d usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GoldenJackal usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ClawHavoc usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Key Group usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Eugenfest usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Socks5Systemz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlueAlpha usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-26 (Lazarus) relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (71)
-
Mozi Botnet usesFamily
-
Rimasuta uses
-
Kimsuky usesFamily
-
SectopRAT usesFamily
-
Dridex - S0384 usesFamily
-
Grandoreiro uses
-
Nitrogen usesFamily
-
cShell usesFamily
-
Lumma Stealer usesFamily
-
Hook usesFamily
-
UX-Cryptor usesFamily
-
Going Eagle usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 26 MITREs 1 Malware 29 IOCs 12 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables
-
10 MITREs
-
AlienVault Confidence 100 15 MITREs 3 IOCs 3 Observables
-
1 CVE 16 MITREs 2 Malwares 1 Observable
-
AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
-
AlienVault Confidence 100 4 MITREs 2 Malwares 77 IOCs 77 Observables
-
16 MITREs 7 Malwares 14 Observables 1 APT
-
19 MITREs 6 Malwares 5 Observables 1 APT
-
12 MITREs 1 Malware 13 Observables 1 APT
-
1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
-
11 MITREs 2 Malwares 4 Observables
Vulnerabilities (CVE) (36)
Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …
- Attack vector
- NETWORK
- Published
- 03/11/2021
- Modified
- 14/01/2026
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `doOpenVPN.`
- Attack vector
- ADJACENT_NETWORK
- Published
- 04/11/2024
- Modified
- 21/12/2025
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMGroup.`
- Attack vector
- ADJACENT_NETWORK
- Published
- 04/11/2024
- Modified
- 21/12/2025
- Published
- 20/12/2025
- Modified
- 21/12/2025
mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …
- Published
- 10/02/2015
- Modified
- 07/05/2026
An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the …
- Attack vector
- ADJACENT_NETWORK
- Published
- 28/10/2024
- Modified
- 21/12/2025
Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute code.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 23/01/2015
- Modified
- 27/04/2026
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
- Attack vector
- Network
- Published
- 04/10/2023
- Modified
- 29/05/2026
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
- Attack vector
- NETWORK
- Published
- 20/12/2025
- Modified
- 22/01/2026
Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code …
- Attack vector
- NETWORK
- Published
- 03/03/2023
- Modified
- 21/12/2025
Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an …
- Attack vector
- Network
- Published
- 06/02/2025
- Modified
- 21/12/2025
Campaign (5)
-
C0026 uses
-
Night Dragon uses
-
Operation Spalax uses
-
Operation Dust Storm uses
-
SolarWinds Compromise uses