MITRE ATT&CK® Analytic

AN1765: Analytic 1765

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[1] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[2] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Mobile | AN1765 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1765 is a mobile ATT&CK detection analytic for identifying Android network activity that looks like algorithmically generated or suspiciously aged domain names. Its business value is in reducing the chance that command-and-control style mobile traffic blends into normal DNS activity, especially where mobile devices can affect identity access, executive communications, or operational continuity. The analytic also highlights an important false-positive area: CDN domains may look random and should not be treated as malicious without context.

Executive priority

Security leaders should treat this as a DNS and mobile telemetry coverage question, not just an analytics question. Ask whether Android device DNS activity is visible, retained, and correlated with domain age, rarity, dormancy, and activity spikes. This matters for SOC readiness, incident triage, and audit evidence because the organization must be able to show whether suspicious mobile network destinations can be investigated quickly and distinguished from legitimate CDN usage.

Technical view

For SOC and detection engineering teams, validate whether mobile DNS or proxy logs support features described by the analytic: entropy, pseudo-random naming patterns, dictionary-word proportion, vowel-to-character ratios, recent registration, rare visitation, and spikes after dormancy. Because ATT&CK provides no separate detection procedure and no tactic mapping for this object, implementation should be tested against local Android network telemetry and tuned against known legitimate CDN and application traffic.

Likely telemetry

  • Android device DNS queries or resolver logs
  • Mobile network proxy, secure web gateway, or firewall domain logs
  • Domain registration age and WHOIS/RDAP-derived enrichment where available
  • Passive DNS or domain prevalence/rarity data
  • Historical domain activity baselines to identify dormancy and sudden spikes

Detection direction

  • Validate collection of Android domain lookup activity before relying on the analytic.
  • Tune lexical domain scoring carefully; high entropy or unusual strings alone can produce false positives.
  • Add domain age, rarity, and dormant-to-active trend checks to improve triage value.
  • Maintain allowlists or baselines for legitimate CDN domains that may resemble pseudo-random domains.
  • Correlate suspicious domains with device, app, user, and time-of-day context to support incident response decisions.
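As an added example (not part of the ATT&CK object or of Glexia's analysis), the scorer below applies the Technical view and Detection direction points above: it computes the lexical features the analytic names (entropy, vowel ratio, dictionary-word coverage) over constructed Android resolver log lines and gates them with rarity, dormancy-then-spike and a CDN allowlist. The thresholds, word list, CDN suffixes, device names and the `date device domain` log format are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from datetime import date

CDN_SUFFIXES = ("cloudfront.net", "akamaihd.net")  # constructed allowlist for this example
WORDS = ("secure", "update", "login", "cloud", "mail", "news", "shop", "api")  # constructed tiny dictionary

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def dictionary_coverage(s):  # share of the label covered by known words, greedy longest match
    i = covered = 0
    while i < len(s):
        hit = next((w for w in sorted(WORDS, key=len, reverse=True) if s.startswith(w, i)), "")
        i, covered = i + (len(hit) or 1), covered + len(hit)
    return covered / len(s) if s else 0.0

def lexical_flags(domain):
    # Longest non-TLD label, so random CDN hostnames are scored too; co.uk-style suffixes are out of scope.
    label = max(domain.split(".")[:-1], key=len)
    checks = (("high_entropy", shannon_entropy(label) > 3.5),
              ("low_vowel_ratio", vowel_ratio(label) < 0.2),
              ("few_dictionary_words", len(label) >= 10 and dictionary_coverage(label) < 0.3))
    return [name for name, hit in checks if hit]

def triage(log_lines, today, rare_max=3, spike_min=5, dormant_days=7):  # today: ISO date string
    by_day = defaultdict(Counter)  # domain -> {ISO day: query count}, from 'YYYY-MM-DD device domain' lines
    for line in log_lines:
        day, _device, domain = line.split()
        by_day[domain.lower().rstrip(".")][day] += 1
    return {d: verdict(d, days, today, rare_max, spike_min, dormant_days) for d, days in by_day.items()}

def verdict(domain, days, today, rare_max, spike_min, dormant_days):
    # Lexical flags never decide alone: rarity, dormancy-then-spike and CDN context gate them.
    lexical, earlier = lexical_flags(domain), [d for d in days if d < today]
    context = ["rarely_visited"] if sum(days.values()) <= rare_max else []
    gap = (date.fromisoformat(today) - date.fromisoformat(max(earlier))).days if earlier else 0
    if days[today] >= spike_min and gap > dormant_days:
        context.append("spike_after_dormant")
    if domain.endswith(CDN_SUFFIXES):  # allowlisted CDN: keep for tuning, never alert on it alone
        return "cdn_baseline", lexical + context
    return ("investigate" if lexical and context else "low" if lexical or context else "benign"), lexical + context

# Constructed Android resolver sample: one DGA-looking domain seen once, one dormant-then-spiking, a CDN host.
SAMPLE_LOG = (["2024-04-10 android-17 kz9vtxqw4pjr.org"] * 2 + ["2024-05-03 android-17 kz9vtxqw4pjr.org"] * 6
              + ["2024-05-03 android-04 secure-mail.example.com"] * 4 + ["2024-05-03 android-09 qx7zk3vb9wpm.net"]
              + ["2024-05-03 android-22 d1abc123xyz.cloudfront.net"] * 2)
```

Calling `triage(SAMPLE_LOG, "2024-05-03")` returns a per-domain (verdict, flags) pair; the CDN hostname carries the same lexical flags as the DGA-looking domains but lands in `cdn_baseline`, which is the false-positive case the analytic warns about.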

Mitigation priorities

  • Prioritize visibility into Android DNS and web destination telemetry.
  • Enrich domain events with registration age, prevalence, and historical activity where possible.
  • Define SOC triage playbooks for suspicious mobile domain activity, including CDN false-positive handling.
  • Use mobile device management, network policy, or secure DNS controls where available to restrict or investigate suspicious destinations.
  • Review retention and compliance evidence requirements so investigations can reconstruct mobile domain activity after the fact.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and includes no relationship context. Its practical use is strongest as a validation checklist for mobile DNS analytics and enrichment quality. The ATT&CK description explicitly notes CDN false positives, so detection logic should avoid treating lexical randomness as sufficient by itself.

Official detection content is not provided, tactics are not specified, and no related ATT&CK objects or relationships were supplied. This take is limited to the Android platform and the domain-analysis concepts named in the official description and references. Local telemetry, baselines, and enrichment sources are required to determine actual coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 55df667b4f44bf75...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status | Raw hash
  19.1 | | 1.0 | | Current bundle | 55df667b4f44…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Data Driven Security DGA: Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
  2. [2] unit42_strat_aged_domain_det: Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.
  3. [3] mitre-attack AN1765: MITRE ATT&CK source record for this analytic.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.