AN1700: Analytic 1700
Network traffic analysis may reveal processes communicating with malicious domains.
Analyst context for executives and security teams
This analytic is about using network traffic analysis on iOS environments to identify processes communicating with malicious domains. Its business value is not that it proves compromise by itself, but that it helps validate whether mobile security monitoring can connect suspicious network destinations back to device or process activity when an incident responder needs fast evidence.
Executive priority
For leaders, this is a mobile visibility and response-readiness issue. If iOS devices are in scope for business operations, privileged access, or regulated workflows, teams should know whether they can observe suspicious domain communications and use that evidence during triage, incident scoping, and compliance discussions. Priority should be based on the organization’s reliance on iOS devices and whether mobile network telemetry is already collected, retained, and reviewable.
Technical view
The supplied ATT&CK object is a detection analytic for iOS. It states that network traffic analysis may reveal processes communicating with malicious domains, but it does not provide a specific detection rule, tactic mapping, or relationship context. SOC and IR teams should validate whether available telemetry can show iOS network connections, destination domains, timing, and any process or app context. Detection engineering should focus on correlating mobile network activity with malicious-domain intelligence while accounting for normal application behavior and shared infrastructure.
Likely telemetry
- iOS network traffic metadata
- DNS query or domain resolution logs where available
- Proxy, secure web gateway, firewall, or mobile network gateway logs
- Mobile device management or mobile security telemetry that can provide app or process context
- Threat intelligence indicators for malicious domains
Detection direction
- Confirm whether iOS traffic is visible at the network, gateway, or mobile security layer; lack of process/app attribution may limit investigation value.
- Validate correlation between destination domains and trusted malicious-domain intelligence sources rather than relying on domain matching without context.
- Tune for common false positives such as content delivery networks, embedded third-party services, redirects, or domains contacted by legitimate apps.
- Ensure detections preserve enough context for IR: device, user if available, destination domain, time, and observed app/process context where supported.
- Because no official detection logic or ATT&CK relationship context is supplied, treat this as a coverage-validation prompt rather than a ready-to-deploy analytic.
Mitigation priorities
- Establish reliable collection and retention for iOS network telemetry before depending on this analytic for incident response.
- Integrate vetted malicious-domain intelligence into network monitoring workflows with review and expiration processes.
- Use mobile device management or mobile security controls, where available, to strengthen device identification, app inventory, and response actions.
- Define escalation criteria for suspicious iOS domain communications, including when to isolate a device, collect additional evidence, or involve incident response.
- Document mobile monitoring coverage and gaps for risk owners, especially where iOS devices support sensitive business functions.
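An added worked example (not from the ATT&CK object or from Glexia's analysis) of the correlation the detection-direction bullets describe, including the indicator-expiry step from the mitigation priorities: it parses constructed iOS gateway/DNS records, matches each destination (host first, then parent zones) against a constructed intel list that carries a feed name and expiry, skips an allowlisted CDN, and keeps device, user, app and time context on every hit so IR can use it. All domains, feeds, timestamps and log lines are constructed samples.

```python
from datetime import datetime, timezone

def parse_ts(s):  # ISO-8601 UTC timestamps as used in the constructed logs below
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed iOS gateway/DNS records: time, device, user, app, destination ('-' = unknown).
SAMPLE_LOGS = [
    "2026-03-01T10:00:00Z dev=ipad-07 user=alice app=com.example.mail dst=mail.example.com",
    "2026-03-01T10:00:05Z dev=ipad-07 user=alice app=- dst=cdn.static-host.example",
    "2026-03-01T10:01:10Z dev=iphone-12 user=- app=com.example.game dst=update.bad-example.test",
    "2026-03-01T10:02:00Z dev=iphone-12 user=bob app=- dst=old-ioc.bad-example.test",
    "2026-03-01T10:03:00Z dev=iphone-12 user=bob app=- dst=api.sub.bad-example.test",
]
# Constructed intel: indicator -> (feed, expiry). Expired entries must not fire.
INTEL = {
    "bad-example.test": ("feed-A", "2026-12-31T00:00:00Z"),
    "old-ioc.bad-example.test": ("feed-B", "2026-01-01T00:00:00Z"),
    "cdn.static-host.example": ("feed-C", "2026-12-31T00:00:00Z"),
}
ALLOWLIST = {"cdn.static-host.example"}  # constructed: shared CDN that legitimate apps also use
NOW = parse_ts("2026-03-01T12:00:00Z")   # evaluation time for indicator expiry

def parse_line(line):
    """Turn one 'k=v' log line into a dict; '-' fields become None."""
    ts, *fields = line.split()
    rec = {"time": ts}
    for k, v in (f.split("=", 1) for f in fields):
        rec[k] = None if v == "-" else v
    return rec

def active_indicator(domain, intel, now):
    """Match the host, then each parent zone, skipping expired indicators (never a bare TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in intel and parse_ts(intel[cand][1]) > now:
            return cand, intel[cand][0]
    return None

def detect(lines, intel=INTEL, allowlist=ALLOWLIST, now=NOW):
    """One alert per record hitting active intel; keeps device/user/app/time context for IR."""
    alerts = []
    for rec in map(parse_line, lines):
        hit = None if rec["dst"] in allowlist else active_indicator(rec["dst"], intel, now)
        if hit:
            alerts.append({"time": rec["time"], "device": rec["dev"], "user": rec["user"],
                           "app": rec["app"], "domain": rec["dst"], "matched_on": hit[0],
                           "feed": hit[1], "app_attribution": rec["app"] is not None})
    return alerts
```

Note that the second hit fires on the parent zone because its exact indicator has expired; `app_attribution` records whether the source telemetry supplied app context at all, which is the gap the bullets above warn about.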
Analyst notes and limits
This object is sparse: it identifies an iOS-focused detection analytic and describes network traffic analysis for malicious-domain communication, but it does not include official detection logic, tactics, aliases, or relationship context. The main defender takeaway is to validate mobile network visibility and correlation quality, not to assume complete detection coverage.
Assessment is limited to the supplied ATT&CK fields and external reference for AN1700. No active exploitation, adversary attribution, impacted sectors, specific malware, or guaranteed detection capability is supported by the provided data. Local telemetry, device management architecture, and threat intelligence quality determine practical usefulness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b730cc0ebd43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1700 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.