T1568: T1568
Essential information
- MITRE technique ID
- T1568
- Confidence
- 100/100
- Revoked
- No
- Published
- 10/03/2020 18:28
- Modified
- 02/04/2026 19:32
- Author / Source
- The MITRE Corporation
Aliases
Dynamic Resolution
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
- nitrogen · uses · AlienVault · Confidence 100
  No description available
  First seen 01/01/1970 · Last seen 16/11/5138
- DarkGate · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Vo1d · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…
  First seen 01/01/1970 · Last seen 16/11/5138
- GoldenJackal · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ClawHavoc · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Key Group · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Eugenfest · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Socks5Systemz · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BlueAlpha · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- APT-C-26 (Lazarus) · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (71)
- Mozi Botnet · uses · Family
- Rimasuta · uses
- Kimsuky · uses · Family
- SectopRAT · uses · Family
- Dridex - S0384 · uses · Family
- Grandoreiro · uses
- Nitrogen · uses · Family
- cShell · uses · Family
- Lumma Stealer · uses · The MITRE Corporation · Confidence 100
  [Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…
  First seen 01/01/1970 · Last seen 16/11/5138
- Hook · uses · Family
- UX-Cryptor · uses · Family
- Going Eagle · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (50)
- 17 MITREs · 2 Malwares · 200 Observables · 1 APT
- 3 MITREs · 47 Observables · 1 APT
- 17 MITREs · 9 Observables · 1 APT
- 2 CVEs · 15 MITREs · 1 Malware · 26 Observables · 1 APT
- 4 MITREs · 1 Malware · 1 APT
- 1 CVE · 14 MITREs · 1 Malware · 1 Observable · 1 APT
- Unmasking the FreeDrain Network · related · 14 MITREs · 1 APT
- 7 MITREs · 17 Observables
- 7 MITREs · 9 Observables · 1 APT
- 20 MITREs · 18 Malwares
- 20 MITREs · 3 Malwares · 48 Observables · 1 APT
- 1 CVE · 16 MITREs · 2 Malwares · 31 Observables
Vulnerabilities (CVE) (36)
Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …
- Attack vector
- NETWORK
- Published
- 03/11/2021
- Modified
- 14/01/2026
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `doOpenVPN`.
- Attack vector
- ADJACENT_NETWORK
- Published
- 04/11/2024
- Modified
- 21/12/2025
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMGroup`.
- Attack vector
- ADJACENT_NETWORK
- Published
- 04/11/2024
- Modified
- 21/12/2025
- Published
- 20/12/2025
- Modified
- 21/12/2025
mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …
- Published
- 10/02/2015
- Modified
- 07/05/2026
An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the …
- Attack vector
- ADJACENT_NETWORK
- Published
- 28/10/2024
- Modified
- 21/12/2025
Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute code.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 23/01/2015
- Modified
- 27/04/2026
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
- Attack vector
- Network
- Published
- 04/10/2023
- Modified
- 29/05/2026
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
- Attack vector
- NETWORK
- Published
- 20/12/2025
- Modified
- 22/01/2026
Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code …
- Attack vector
- NETWORK
- Published
- 03/03/2023
- Modified
- 21/12/2025
Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an …
- Attack vector
- Network
- Published
- 06/02/2025
- Modified
- 21/12/2025
Campaign (5)
- C0026 · uses
- Night Dragon · uses
- Operation Spalax · uses
- Operation Dust Storm · uses
- SolarWinds Compromise · uses