T1568: T1568

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 18:28 · Modified 02/04/2026 19:32

Essential information

MITRE technique ID: T1568
Confidence: 100/100
Revoked: No
Published: 10/03/2020 18:28
Modified: 02/04/2026 19:32
Author / Source: The MITRE Corporation

Aliases

Dynamic Resolution

Platforms

windows macos linux ESXi

Description

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

ESET Sednit 2017 Activity
Data Driven Security DGA
mitre-attack (T1568)
FireEye POSHSPY April 2017
Talos CCleanup 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Grandoreiro uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APT (possibly APT41 subgroup) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TAG-112 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hellhounds uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Static Tundra uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Clop uses

Ransomware.Live Confidence 100

The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Kapre uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bitter uses T-APT-17

The MITRE Corporation Confidence 100

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Roaming Mantis uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0147 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 53

RTM uses

Family The MITRE Corporation Confidence 100

[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Loader1.dll uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LemonDuck uses

Family
DinDoor uses

Family
PaykLoader uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker RAT uses

Family
NetSupportRAT uses

Family
MintsLoader uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Popping Eagle uses
LeakyStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XMRig uses

Family
Latrodectus uses

The MITRE Corporation Confidence 100

[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

13–24 of 71

CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE related

17 MITREs 2 Malwares 200 Observables 1 APT
Significant Risk and Proactive Defense related

3 MITREs 47 Observables 1 APT
Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile … related

17 MITREs 9 Observables 1 APT
Checking all the Boxes: LapDogs, The New ORB … related

2 CVEs 15 MITREs 1 Malware 26 Observables 1 APT
Tracking LummaC2 Infrastructure with Cats related

4 MITREs 1 Malware 1 APT
The Good, the Bad and the Ugly in … related

1 CVE 14 MITREs 1 Malware 1 Observable 1 APT
Unmasking the FreeDrain Network related

14 MITREs 1 APT
The Next Level: Typo DGAs Used in Malicious … related

7 MITREs 17 Observables
Astrill VPN: New IPs Publicly Released on VPN … related

7 MITREs 9 Observables 1 APT
2024 Malicious Infrastructure Insights: Key Trends and Threats related

20 MITREs 18 Malwares
Long Live The Vo1d Botnet: New Variant Hits … related

20 MITREs 3 Malwares 48 Observables 1 APT
PolarEdge: Unveiling an uncovered ORB network related

1 CVE 16 MITREs 2 Malwares 31 Observables

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (36)

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2020-14993 targets

9.8 Critical

A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the …

Attack vector: NETWORK
Published: 23/06/2020
Modified: 21/12/2025

CVE-2024-21410 KEV targets

9.8 Critical

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Attack vector: Network
Published: 15/02/2024
Modified: 21/12/2025

CVE-2024-45891 targets

8.0 High

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `delete_wlan_profile.`

Attack vector: ADJACENT_NETWORK
Published: 04/11/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2024-45890 targets

8.0 High

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `download_ovpn.`

Attack vector: ADJACENT_NETWORK
Published: 04/11/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-23397 KEV targets

9.8 Critical

Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the …

Attack vector: Network
Published: 14/03/2023
Modified: 21/12/2025

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2025-20281 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Awaiting Analysis

← Previous

Page / 3

25–36 of 36

T1568.002 subtechnique-of

Domain Generation Algorithms MITRE

Campaign (5)

C0026 uses
Night Dragon uses
Operation Spalax uses
Operation Dust Storm uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use

T1568: T1568

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (53)

Malware (71)

Reports (50)

Vulnerabilities (CVE) (36)

Attack patterns (MITRE) (1)

Campaign (5)