ATTACK-T1568 (Active)

Dynamic Resolution

Statement

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Location

Tactic
Command and Control

Technique Details

Identifier
ATTACK-T1568

Tactics

Command And Control

Platforms

Linux, macOS, Windows, ESXi

Detection

Detection Strategy for Dynamic Resolution across OS Platforms

Mitigations

Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.

Restrict Web-Based Content: Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
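One way to turn the "alerts for access attempts to blocked domains" measure into a check for dynamic resolution, shown as an added example that is not part of the framework text: a client that cycles through many different blocked names in a short window is treated differently from one that retries a single blocked name. The log format, the thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<UTC timestamp> <client> <queried name> <filter verdict>".
# The format and every value are invented for this example.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 qx7f2kd9a1.example BLOCKED
2025-01-10T09:00:20Z 10.0.0.5 m3vz8pl0wq.example BLOCKED
2025-01-10T09:01:02Z 10.0.0.5 h5ty1rb6ne.example BLOCKED
2025-01-10T09:02:10Z 10.0.0.5 c9ku4sj2xo.example BLOCKED
2025-01-10T09:00:41Z 10.0.0.9 ads.tracker.example BLOCKED
2025-01-10T09:01:15Z 10.0.0.9 ads.tracker.example BLOCKED
2025-01-10T09:01:30Z 10.0.0.5 intranet.corp.example ALLOWED
2025-01-10T09:03:00Z 10.0.0.7 a1.blocked.example BLOCKED
2025-01-10T11:03:00Z 10.0.0.7 b2.blocked.example BLOCKED
2025-01-10T13:03:00Z 10.0.0.7 c3.blocked.example BLOCKED
2025-01-10T15:03:00Z 10.0.0.7 d4.blocked.example BLOCKED
"""

def parse_blocked(log_text):
    """Yield (time, client, name) for each BLOCKED line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "BLOCKED":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")

def clients_cycling_blocked_names(log_text, window=timedelta(minutes=5), min_distinct=4):
    """Map client -> sorted blocked names, for clients that tried at least
    min_distinct different blocked names inside one sliding window."""
    per_client = defaultdict(list)
    for ts, client, name in parse_blocked(log_text):
        per_client[client].append((ts, name))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            names = {n for _, n in events[start:end + 1]}
            if len(names) >= min_distinct:
                flagged[client] = sorted(names)
                break
    return flagged
```

On the sample, only 10.0.0.5 is flagged: 10.0.0.9 repeats one blocked name, and 10.0.0.7 spreads its four names over six hours.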

SP 800-53

  • SP800-53-AC-4 (related, via ctid-attack-to-sp800-53)
  • SP800-53-CA-7 (related, via ctid-attack-to-sp800-53)
  • SP800-53-SC-20 (related, via ctid-attack-to-sp800-53)
  • SP800-53-SC-21 (related, via ctid-attack-to-sp800-53)
  • SP800-53-SC-22 (related, via ctid-attack-to-sp800-53)