MITRE ATT&CK® Technique

T1568.002: Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]

Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.[4][6][7]

Domain: Enterprise | ID: T1568.002 | Type: Sub-technique | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Domain Generation Algorithms matter because they make command-and-control harder to disrupt with simple blocklists. Instead of calling one known bad domain, malware can calculate many possible domains over time and try whichever one the adversary has registered. For leaders, the practical issue is resilience: if DNS, proxy, and network monitoring are weak or fragmented, an infected Windows, Linux, macOS, or ESXi system may regain contact even after obvious infrastructure is blocked.

Executive priority

Treat DGA coverage as a test of whether security operations can see and contain adaptive command-and-control, not just known indicators. Ask whether DNS and web egress controls are centrally logged, whether unmanaged servers and virtualization platforms are included, and whether incident response playbooks account for fallback channels. This technique is relevant to budget and audit discussions because prevention depends on web restriction and network prevention controls, while response depends on evidence that can show which hosts resolved or attempted unusual generated domains.

Technical view

This is an enterprise command-and-control sub-technique of Dynamic Resolution affecting ESXi, Linux, macOS, and Windows. MITRE does not provide a detection paragraph for this object, but the relationship to DET0419 indicates a detection strategy exists for Dynamic Resolution using DGAs. SOC and detection teams should validate DNS and proxy analytics for high-volume failed lookups, algorithmically generated or gibberish-looking domains, time-correlated domain churn, and word-concatenation patterns, while recognizing that seed-based and time-based DGAs can reduce predictability. IR teams should preserve DNS resolver, endpoint, proxy, and network boundary evidence before blocking domains, because DGA activity may be a fallback command-and-control channel rather than the only C2 channel in use.

Likely telemetry

  • Recursive DNS query and response logs, including NXDOMAIN and low-reputation or newly observed domains
  • Endpoint network connection telemetry from Windows, Linux, macOS, and ESXi where available
  • Web proxy and URL filtering logs for outbound domain access attempts
  • Network intrusion detection/prevention alerts at egress boundaries
  • Firewall or secure web gateway egress records tying domains to internal hosts

Detection direction

  • Validate DET0419-aligned analytics for DGA-style dynamic resolution rather than relying only on static domain or IP blocklists.
  • Tune for both random-looking domains and word-based concatenation patterns; not all DGAs look like obvious gibberish.
  • Correlate suspicious DNS activity with endpoint process and network telemetry to reduce false positives from legitimate software updaters, telemetry services, and content delivery behavior.
  • Pay attention to bursts of failed domain lookups and changing domains over hourly, daily, or monthly windows, consistent with time-based generation described by MITRE.
  • Check blind spots around servers, Linux systems, ESXi management networks, and resolver paths that bypass central logging.
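As an added example (not code from the page, MITRE, or Glexia), the detector below applies the detection direction above to both DGA forms the MITRE text describes: gibberish labels are scored by length, entropy, and vowel ratio, word-concatenation labels by dictionary segmentation, and NXDOMAIN failures are bucketed per client and time window so bursts of time-correlated churn stand out. The log format, the sample log lines, and the tiny wordlist are all constructed for the example; thresholds are illustrative and need local tuning.

```python
import math
from collections import Counter, defaultdict
# Constructed resolver log lines "<epoch> <client_ip> <qname> <rcode>"; not real traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 istgmxdejdnxuyla.ru NXDOMAIN
1700000001 10.0.0.5 qzkpwvhmtbrlcsxa.ru NXDOMAIN
1700000002 10.0.0.5 mnbvcxzlkjhgfdsa.ru NXDOMAIN
1700000003 10.0.0.5 cityjulydish.net NXDOMAIN
1700000004 10.0.0.5 lampriverbook.net NXDOMAIN
1700000005 10.0.0.5 update.example.com NOERROR
"""
# Tiny constructed dictionary for the word-concatenation check; use a full wordlist in practice.
WORDS = {"city", "july", "dish", "lamp", "river", "book", "example", "update"}
def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registrable_label(qname):  # second-level label only; no public-suffix handling here
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def segment_words(label, words=WORDS):
    # Dynamic programming over prefixes: a full dictionary segmentation, or None.
    best = [[]] + [None] * len(label)
    for i in range(1, len(label) + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in words:
                best[i] = best[j] + [label[j:i]]
                break
    return best[-1]

def classify_label(label):
    # "wordlist": three or more glued dictionary words; "random": long, high-entropy, vowel-poor.
    seg = segment_words(label)
    if seg is not None and len(seg) >= 3:
        return "wordlist"
    if len(label) >= 12 and shannon_entropy(label) >= 3.5 and sum(c in "aeiou" for c in label) / len(label) < 0.3:
        return "random"
    return "benign"

def analyze_log(text, window=3600, threshold=3):
    # Counts NXDOMAIN answers per (client, time window); returns buckets with >= threshold DGA-looking failures.
    buckets = defaultdict(lambda: {"nxdomain": 0, "random": 0, "wordlist": 0, "benign": 0})
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        stats = buckets[(client, int(ts) // window)]
        stats["nxdomain"] += 1
        stats[classify_label(registrable_label(qname))] += 1
    return {k: s for k, s in buckets.items() if s["random"] + s["wordlist"] >= threshold}
```

Flagged buckets should be correlated with endpoint process telemetry before blocking, since legitimate updaters and CDN hostnames can also produce high-entropy labels.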

Mitigation priorities

  • Prioritize Restrict Web-Based Content controls such as URL filtering, download restrictions, script blocking, and extension control where applicable to reduce access to unsafe destinations.
  • Use Network Intrusion Prevention at network boundaries to block known malicious traffic patterns and enforce egress policy.
  • Centralize DNS resolution and logging so hosts cannot quietly bypass monitored resolvers.
  • Use containment playbooks that block confirmed malicious domains while also hunting for related generated-domain attempts and fallback command-and-control behavior.
  • Review egress policy for non-browser workloads and infrastructure platforms, including Linux and ESXi, because DGA-based C2 is not limited to user workstations.

Analyst notes and limits

MITRE links this technique to many groups and software families, including APT41, TA551, CHOPSTICK, MiniDuke, POSHSPY, CCBkdr, BONDUPDATER, Astaroth, Ebury, Ursnif, Aria-body, ngrok, Grandoreiro, Bazar, ShadowPad, Doki, Conficker, SombRAT, and QakBot. Use those relationships for threat-informed prioritization, not as proof of local exposure or current activity. The revoked T1483 object is represented by this sub-technique, so older reporting may use the prior identifier.

The official ATT&CK object provides no native detection text, so detection guidance here is derived from the official description, the DET0419 relationship, listed mitigations, platforms, and external-reference context. Local validation is required to confirm whether DNS, proxy, endpoint, and network telemetry are collected consistently enough to detect this behavior.

Official MITRE ATT&CK definition

The technique description reproduced at the top of this page is the official MITRE text. The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain       ID         Name                            Relationship / procedure
Enterprise   T1568      Dynamic Resolution              This object is a sub-technique of Dynamic Resolution.
Enterprise   T1483      Domain Generation Algorithms    T1483 was revoked and is replaced by this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Group Enterprise

G0127: TA551

TA551 is a financially-motivated threat group that has been active since at least 2018.[1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.[2]

Tool Enterprise

S1087: AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT GitHub repository that has been used in malicious campaigns.[1][2][3]

Platforms: Windows
Malware Enterprise

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows
Malware Enterprise

S0600: Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms.[1]

Platforms: Linux, Containers
Malware Enterprise

S0150: POSHSPY

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor in case the actors lose access to their primary backdoors.[1]

Platforms: Windows
Malware Enterprise

S0360: BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

Platforms: Windows
Malware Enterprise

S0608: Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]

Platforms: Windows
Malware Enterprise

S0023: CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants.[1][2][3][4] It is tracked separately from the X-Agent for Android.

Platforms: Windows, Linux
Tool Enterprise

S0508: ngrok

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[1][2][3][4]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
81f0f5b4f38ab4e6...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.2                         Current bundle   81f0f5b4f38a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybereason Dissecting DGAs: Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.
  2. [2] Cisco Umbrella DGA: Scarfo, A. (2016, October 10). Domain Generation Algorithms – Why so effective? Retrieved February 18, 2019.
  3. [3] Unit 42 DGA Feb 2019: Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.
  4. [4] Talos CCleanup 2017: Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
  5. [5] Akamai DGA Mitigation: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.
  6. [6] FireEye POSHSPY April 2017: Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  7. [7] ESET Sednit 2017 Activity: ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
  8. [8] Data Driven Security DGA: Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
  9. [9] Elastic Predicting DGA: Ahuja, A., Anderson, H., Grant, D., and Woodbridge, J. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.
  10. [10] Pace University Detecting DGA May 2017: Chen, L. and Wang, T. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods. Retrieved April 26, 2019.
  11. [11] mitre-attack T1568.002: MITRE ATT&CK entry for T1568.002.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.