Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0419: Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.

This detection strategy matters because Domain Generation Algorithms can let malware keep finding command-and-control infrastructure even when individual d...

EnterpriseDET0419Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because Domain Generation Algorithms can let malware keep finding command-and-control infrastructure even when individual domains or IPs are blocked. For leaders, the decision point is whether the organization can see and investigate unusual domain-resolution behavior quickly enough to disrupt resilient C2, rather than relying only on static blocklists.

Executive priority

Prioritize validation of DNS and network visibility as part of command-and-control resilience. The related ATT&CK technique, T1568.002, is associated with enterprise command-and-control activity across ESXi, Linux, macOS, and Windows, so coverage should be assessed as an environment-wide control question, not only an endpoint rule. This is useful for SOC readiness, incident response scoping, compliance evidence around monitoring, and control investment decisions for recursive DNS, proxy, and network logging.

Technical view

DET0419 is a detection strategy for T1568.002, Domain Generation Algorithms. Because the official detection text and platforms for this strategy are not provided, teams should treat it as a validation prompt: confirm whether DNS resolution patterns, destination-domain characteristics, and host-to-domain relationships can be observed and correlated during suspected command-and-control activity. SOC and IR teams should test whether they can identify endpoints repeatedly querying many generated-looking or low-reputation domains, failed or NXDOMAIN-heavy lookups, short-lived domain use, and resolution behavior that differs from normal application baselines. Any analytics should be tuned against legitimate software that uses high-volume or algorithmic-looking domain patterns.

Likely telemetry

  • Recursive DNS query and response logs
  • Endpoint process-to-network connection evidence where available
  • Proxy, firewall, and network flow records showing outbound destinations
  • Passive DNS or domain reputation/context data if available
  • Host inventory and asset context for ESXi, Linux, macOS, and Windows systems where relevant

Detection direction

  • Validate that DNS logs include client identity, queried domain, response code, resolved IPs, and timestamps sufficient for investigation.
  • Look for resolution behavior consistent with dynamic C2 discovery, such as large numbers of candidate domains, repeated failed resolutions, or rapid changes in resolved infrastructure.
  • Correlate domain-resolution anomalies with outbound network sessions and endpoint activity to reduce false positives.
  • Tune carefully for legitimate high-volume DNS sources, content delivery behavior, security tools, and software update mechanisms.
  • Assess blind spots from encrypted DNS, unmanaged resolvers, incomplete endpoint coverage, NAT, and systems without reliable asset attribution.

Mitigation priorities

  • Establish reliable DNS logging and retention before relying on DGA-oriented detections.
  • Route enterprise systems through monitored recursive resolvers where operationally feasible.
  • Maintain asset and owner context so suspicious resolution behavior can be tied to business systems quickly.
  • Use domain/IP blocking as a response aid, but do not depend on static indicators alone because the related technique is specifically dynamic resolution.
  • Integrate DNS, network, and endpoint evidence into IR workflows so suspected C2 discovery can be scoped and contained.
Analyst notes and limits

The ATT&CK object is a detection strategy, not a technique description, and it detects T1568.002 Domain Generation Algorithms. The related technique description explains that adversaries may use DGAs to dynamically identify C2 destination domains instead of relying on static IPs or domains, making blocking, tracking, or takeover harder. Glexia’s defensive value is in validating whether DNS-centric monitoring and response workflows can handle that dynamism.

The supplied DET0419 object has no official description, no official detection text, no tactics, and no platforms specified. Platform and tactic context comes only from the relationship to T1568.002. Local network architecture, DNS logging design, resolver policy, endpoint coverage, and business application baselines are required before judging detection coverage or risk exposure.

Official MITRE ATT&CK definition

Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1568.002 Domain Generation Algorithms Sub-technique This object detects Domain Generation Algorithms.
Relationship explorer

All related ATT&CK context

detects · Technique T1568.002: Domain Generation Algorithms Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1a2165684296287c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1a2165684296…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0419
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use