T1637: Dynamic Resolution
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Analyst context for executives and security teams
Dynamic Resolution is a mobile command-and-control resilience technique for Android and iOS in which malware can change where it connects, such as domains, IP addresses, or ports, rather than relying on one fixed destination. For leaders, the practical issue is that simple blocklists or one-time takedowns may not be enough; response plans and mobile monitoring need to account for infrastructure that can shift after containment actions begin.
Executive priority
Prioritize this where mobile devices, mobile applications, or mobile access to business systems are material to operations. The business question is whether the organization can detect and contain mobile malware communications when adversary infrastructure changes faster than static indicators can be blocked. This affects incident response decision-making, SOC readiness, and evidence for control effectiveness around mobile network monitoring and command-and-control prevention.
Technical view
ATT&CK provides no official detection text for T1637, but the description and relationship to T1637.001 Domain Generation Algorithms point defenders toward validating mobile network telemetry and behavior-based detection rather than relying only on known-bad domains or IPs. SOC and detection teams should test whether Android and iOS monitoring can identify suspicious repeated connection attempts, changing destination domains/IPs/ports, and DGA-like domain patterns. The related DET0613 detection strategy should be reviewed as the primary ATT&CK-linked detection context for this object.
Likely telemetry
- Mobile device network connection metadata for Android and iOS
- DNS query logs and resolver telemetry associated with mobile devices or mobile app traffic
- Destination domain, IP address, and port history over time
- Mobile security, MDM, or endpoint telemetry where available
- Proxy, secure web gateway, firewall, or network security logs that include mobile-originated traffic
Detection direction
- Validate coverage for dynamically changing command-and-control destinations, not just static indicators of compromise.
- Tune analytics for unusual domain-generation characteristics, high volumes of failed or sequential DNS lookups, and shifting destination patterns from the same mobile device or application.
- Correlate DNS, connection, and mobile device context to reduce false positives from legitimate apps that use content delivery networks, load balancing, or frequently changing cloud endpoints.
- Use the T1637.001 relationship to include DGA-oriented detection logic where mobile telemetry supports it.
- Account for blind spots where mobile traffic bypasses enterprise DNS, proxy, VPN, or MDM visibility.
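One way to operationalize the DNS-side checks above (the Technical view's "DGA-like domain patterns" and the tuning points on failed or sequential lookups, shifting destinations, and CDN false positives). This is an added example, not ATT&CK or Glexia code; the log format, the `dev-A`/`dev-B` records, the CDN allowlist, and the thresholds are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS resolver log: timestamp, mobile device id, query name, rcode.
# dev-A behaves like a normal app using a CDN; dev-B shows DGA-like churn.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dev-A cdn1.example-cdn.net NOERROR
2024-05-01T10:00:02Z dev-A cdn7.example-cdn.net NOERROR
2024-05-01T10:00:03Z dev-A api.example-app.com NOERROR
2024-05-01T10:00:10Z dev-B xk3qzp8vlw.com NXDOMAIN
2024-05-01T10:00:11Z dev-B r9t2mnq4bz.net NXDOMAIN
2024-05-01T10:00:12Z dev-B w7hjv3kdpl.com NXDOMAIN
2024-05-01T10:00:13Z dev-B q2zx8lvtnm.org NXDOMAIN
2024-05-01T10:00:14Z dev-B b6kprd3wyq.com NOERROR
"""

# Hypothetical allowlist of CDN/cloud suffixes, used to suppress legitimate churn.
KNOWN_CDN_SUFFIXES = ("example-cdn.net",)

def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_label(qname):
    """Second-level label, e.g. 'xk3qzp8vlw' from 'xk3qzp8vlw.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_line(line):
    ts, dev, qname, rcode = line.split()
    return {"ts": ts, "dev": dev, "qname": qname.lower(), "rcode": rcode}

def score_devices(log_text, min_queries=4, nx_ratio=0.5, entropy_min=3.0, churn_min=0.8):
    """Return per-device findings when at least two DGA-style signals coincide."""
    per_dev = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["qname"].endswith(KNOWN_CDN_SUFFIXES):
                continue  # correlate with known CDN/cloud endpoints to cut false positives
            per_dev[rec["dev"]].append(rec)
    findings = {}
    for dev, recs in per_dev.items():
        if len(recs) < min_queries:
            continue
        nx = sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs)
        labels = {registered_label(r["qname"]) for r in recs}
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        churn = len(labels) / len(recs)  # share of queries going to a new destination
        reasons = [name for name, hit in (("high_nxdomain_ratio", nx >= nx_ratio),
                   ("high_label_entropy", avg_ent >= entropy_min),
                   ("shifting_destinations", churn >= churn_min)) if hit]
        if len(reasons) >= 2:
            findings[dev] = {"nxdomain_ratio": round(nx, 2), "avg_entropy": round(avg_ent, 2),
                             "destination_churn": round(churn, 2), "reasons": reasons}
    return findings
```

Requiring two coinciding signals rather than any one is what keeps a single burst of typos or a legitimately busy app from firing the alert; thresholds should be tuned against the organization's own mobile DNS baseline.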
Mitigation priorities
- Reduce reliance on static blocklists as the only control for mobile command-and-control prevention.
- Ensure mobile devices and mobile apps route through monitored DNS, network, or security controls where feasible.
- Maintain response procedures for rapidly updating blocks based on observed domains, IPs, and ports during an incident.
- Review mobile security architecture for visibility gaps across Android and iOS populations.
- Use threat intelligence and incident findings to improve behavior-based detections for dynamic infrastructure patterns.
Analyst notes and limits
This object is a mobile ATT&CK technique with Android and iOS platforms. ATT&CK does not specify tactics for this object and does not provide official detection guidance. The most useful relationship context is the sub-technique T1637.001 Domain Generation Algorithms and the linked DET0613 detection strategy.
This assessment is based only on the supplied ATT&CK fields, references, and relationships. It does not establish active exploitation, actor attribution, organizational exposure, or guaranteed detection coverage. Local telemetry, mobile management architecture, and network routing determine practical detectability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1637.001 | Domain Generation Algorithms | Sub-technique of this object. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d5da6ae93c60… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Data Driven Security. Retrieved February 18, 2019.
- [2] MITRE ATT&CK. T1637: Dynamic Resolution.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.