T1568: T1568

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 18:28 · Modified 02/04/2026 19:32

Essential information

MITRE technique ID: T1568
Confidence: 100/100
Revoked: No
Published: 10/03/2020 18:28
Modified: 02/04/2026 19:32
Author / Source: The MITRE Corporation

Aliases

Dynamic Resolution

Platforms

windows macos linux ESXi

Description

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

ESET Sednit 2017 Activity
Data Driven Security DGA
mitre-attack (T1568)
FireEye POSHSPY April 2017
Talos CCleanup 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

nitrogen uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkGate uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vo1d uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mustard Tempest uses DEV-0206GOLD PRELUDE

The MITRE Corporation Confidence 100

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GoldenJackal uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ClawHavoc uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Key Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MOIS (Ministry of Intelligence and Security) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Eugenfest uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Socks5Systemz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlueAlpha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 53

Mozi Botnet uses

Family
Rimasuta uses
Kimsuky uses

Family
SectopRAT uses

Family
Dridex - S0384 uses

Family
Grandoreiro uses
Nitrogen uses

Family
cShell uses

Family
Lumma Stealer uses

The MITRE Corporation Confidence 100

[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hook uses

Family
UX-Cryptor uses

Family
Going Eagle uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 71

Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. … related

AlienVault Confidence 100 26 MITREs 1 Malware 29 IOCs 12 Observables 1 APT
How 23 Browser Extensions Silently Monetize ~758,000 Users' … related

AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Popular Go Decimal Library Targeted by Long-Running Typosquat … related

AlienVault Confidence 100 15 MITREs 3 IOCs 3 Observables
The Group Theory Inside Bedep's DGA related

1 CVE 16 MITREs 2 Malwares 1 Observable
Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking … related

AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through … related

AlienVault Confidence 100 4 MITREs 2 Malwares 77 IOCs 77 Observables
Iranian MOIS Actors & the Cyber Crime Connection related

16 MITREs 7 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Parked Domains Become Weapons with Direct Search Advertising related

11 MITREs 2 Malwares 4 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (36)

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2020-14993 targets

9.8 Critical

A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the …

Attack vector: NETWORK
Published: 23/06/2020
Modified: 21/12/2025

CVE-2024-21410 KEV targets

9.8 Critical

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Attack vector: Network
Published: 15/02/2024
Modified: 21/12/2025

CVE-2024-45891 targets

8.0 High

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `delete_wlan_profile.`

Attack vector: ADJACENT_NETWORK
Published: 04/11/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2024-45890 targets

8.0 High

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `download_ovpn.`

Attack vector: ADJACENT_NETWORK
Published: 04/11/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-23397 KEV targets

9.8 Critical

Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the …

Attack vector: Network
Published: 14/03/2023
Modified: 21/12/2025

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2025-20281 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Awaiting Analysis

← Previous

Page / 3

25–36 of 36

T1568.002 subtechnique-of

Domain Generation Algorithms MITRE

Campaign (5)

C0026 uses
Night Dragon uses
Operation Spalax uses
Operation Dust Storm uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use

T1568: T1568

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (53)

Malware (71)

Reports (50)

Vulnerabilities (CVE) (36)

Attack patterns (MITRE) (1)

Campaign (5)