Dynamic Resolution: Domain Generation Algorithms

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.[1]

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

ID: T1637.001
Sub-technique of:  T1637
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 05 April 2022
Last Modified: 05 April 2022

Procedure Examples

ID Name Description
S0485 Mandrake

Mandrake has used domain generation algorithms.[2]

S0411 Rotexy

Rotexy procedurally generates subdomains for command and control communication.[1]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[3] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names