MITRE ATT&CK Technique
Description
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control. (Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-10T17:28:11.747Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may dynamically establish connections to command '
'and control infrastructure to evade common detections and '
'remediations. This may be achieved by using malware that '
'shares a common algorithm with the infrastructure the '
"adversary uses to receive the malware's communications. These "
'calculations can be used to dynamically adjust parameters '
'such as the domain name, IP address, or port number the '
'malware uses for command and control.\n'
'\n'
'Adversaries may use dynamic resolution for the purpose of '
'[Fallback '
'Channels](https://attack.mitre.org/techniques/T1008). When '
'contact is lost with the primary command and control server '
'malware may employ dynamic resolution as a means to '
'reestablishing command and control.(Citation: Talos CCleanup '
'2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET '
'Sednit 2017 Activity)',
'external_references': [{'external_id': 'T1568',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1568'},
{'description': 'Brumaghin, E. et al. (2017, '
'September 18). CCleanup: A Vast '
'Number of Machines at Risk. '
'Retrieved March 9, 2018.',
'source_name': 'Talos CCleanup 2017',
'url': 'http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html'},
{'description': 'Dunwoody, M.. (2017, April 3). '
'Dissecting One of APT29’s Fileless '
'WMI and PowerShell Backdoors '
'(POSHSPY). Retrieved April 5, 2017.',
'source_name': 'FireEye POSHSPY April 2017',
'url': 'https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html'},
{'description': 'ESET. (2017, December 21). Sednit '
'update: How Fancy Bear Spent the '
'Year. Retrieved February 18, 2019.',
'source_name': 'ESET Sednit 2017 Activity',
'url': 'https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/'},
{'description': 'Jacobs, J. (2014, October 2). '
'Building a DGA Classifier: Part 2, '
'Feature Engineering. Retrieved '
'February 18, 2019.',
'source_name': 'Data Driven Security DGA',
'url': 'https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/'}],
'id': 'attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'command-and-control'}],
'modified': '2025-10-24T17:49:00.128Z',
'name': 'Dynamic Resolution',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Chris Roffe'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
'x_mitre_version': '1.1'}