MITRE ATT&CK® Analytic

AN1766: Analytic 1766

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[1] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[2] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Mobile | AN1766 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN1766 is a mobile ATT&CK detection analytic for identifying suspicious iOS domain activity that looks algorithmically generated or unusually aged/dormant. For leaders, the value is not just “DGA detection”; it is validating whether mobile DNS visibility can reveal command-and-control style infrastructure patterns before they become an incident response blind spot. The analytic is also explicit about false positives: CDN domains can resemble suspicious generated domains, so tuning and context matter.

Executive priority

Prioritize this where iOS devices are material to executive communications, regulated workflows, or mobile access to corporate systems. The key decision is whether the organization has enough mobile DNS/domain telemetry and domain reputation context to investigate suspicious infrastructure patterns without overwhelming the SOC with CDN-related noise. This supports resilience, incident triage, and compliance evidence by showing that mobile network behavior is monitored for anomalous domain use, not only endpoint alerts.

Technical view

For SOC and detection engineering teams, validate an iOS-focused analytic that scores domains using features such as entropy, pseudo-random naming characteristics, Markov-chain or frequency-analysis indicators, dictionary-word proportion, and vowel-to-character ratios. Enrich suspicious domains with registration age, visit rarity, and activity-history changes, including spikes after dormancy. Because ATT&CK provides no separate detection field and no tactic mapping for this object, implementation should be treated as a DNS/domain-analytics validation exercise rather than a complete ATT&CK technique detection on its own.

Likely telemetry

  • DNS query logs or mobile network DNS resolver logs associated with iOS devices
  • Domain name feature extraction data, including entropy and character-pattern metrics
  • Domain registration or age enrichment data
  • Historical domain activity baselines, including rarely visited or dormant-then-active domains
  • Allowlist or categorization context for CDN domains to reduce false positives

Detection direction

  • Confirm that iOS-related DNS traffic is actually visible; mobile devices using external resolvers, cellular networks, or privacy features may reduce enterprise visibility.
  • Tune scoring thresholds for pseudo-random domains using local DNS baselines rather than relying only on generic entropy or length rules.
  • Add enrichment for recently registered domains, rarely visited domains, and domains with sudden activity after dormancy, as described in the official analytic.
  • Explicitly test CDN-related false positives because the official description notes that CDN domain formats may trigger these detections.
  • Correlate domain suspicion with device and user context before escalation; the supplied ATT&CK object does not provide tactics, relationships, or impact context.
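The lexical features listed above (entropy, vowel ratio, dictionary-word proportion, bigram frequency as a one-step Markov view) and the three enrichment checks (registration age, visit rarity, activity after dormancy) are easier to tune once they are written down as code. The following Python scorer is an added example, not code from MITRE or Glexia: the DNS log lines, registration dates, 30-day query baselines, wordlist and CDN allowlist are all constructed, the thresholds are assumptions to be replaced by local baselines, and the registrable-domain split (last two labels) is a deliberate simplification that a production version would replace with a public-suffix list.

```python
"""Feature-based DGA / aged-domain scorer over constructed DNS log lines (added example)."""
import math
from datetime import date

# Constructed sample DNS query lines: "<date> <device> <queried name>" (not real telemetry).
SAMPLE_DNS_LOG = [
    "2024-05-02 ios-dev-01 www.example.com",
    "2024-05-02 ios-dev-01 a1b2c3d4e5f6.cloudfront.net",
    "2024-05-02 ios-dev-02 xq7zk9vplm3w.com",
    "2024-05-02 ios-dev-01 mail.example.com",
    "2024-05-02 ios-dev-03 updates.quietvendor.net",
]
TODAY = date(2024, 5, 2)

# Constructed enrichment; in production this comes from RDAP/WHOIS and a resolver baseline.
REGISTRATION_DATE = {
    "example.com": date(1995, 8, 14), "cloudfront.net": date(2008, 4, 9),
    "xq7zk9vplm3w.com": date(2024, 4, 28), "quietvendor.net": date(2015, 3, 1),
}
# Daily query counts for the last 30 days, oldest first (constructed).
QUERY_HISTORY = {
    "example.com": [40] * 30, "cloudfront.net": [15] * 30,
    "xq7zk9vplm3w.com": [0] * 28 + [1, 1], "quietvendor.net": [0] * 28 + [1, 2],
}
CDN_SUFFIXES = ("cloudfront.net", "akamaiedge.net", "fastly.net")  # assumed allowlist
# Tiny benign wordlist (assumption); use a full dictionary plus local hostnames in practice.
DICTIONARY = {"www", "mail", "example", "updates", "quiet", "vendor", "news",
              "shop", "login", "cloud", "secure", "account"}
# Frequency-analysis feature: character bigrams seen in benign words (one-step Markov view).
BENIGN_BIGRAMS = {w[i:i + 2] for w in DICTIONARY for i in range(len(w) - 1)}
VOWELS = set("aeiou")
MIN_LABEL_LEN = 6  # labels like "www" carry too little signal to score (assumption)

def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / len(s) * math.log2(k / len(s)) for k in counts.values())

def dictionary_coverage(label):
    """Fraction of the label covered by greedy longest-prefix dictionary matches."""
    i, covered = 0, 0
    while i < len(label):
        best = max((len(w) for w in DICTIONARY if label.startswith(w, i)), default=0)
        covered += best
        i += best or 1
    return covered / len(label)

def lexical_features(label):
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    unseen = sum(b not in BENIGN_BIGRAMS for b in bigrams) / max(len(bigrams), 1)
    return {"entropy": shannon_entropy(label),
            "vowel_ratio": sum(c in VOWELS for c in label) / len(label),
            "dict_coverage": dictionary_coverage(label),
            "unseen_bigram_ratio": unseen}

def lexical_score(label):
    """One point per feature past its (assumed, locally tunable) threshold."""
    f, reasons = lexical_features(label), []
    if f["entropy"] > 3.5: reasons.append("high-entropy")
    if f["vowel_ratio"] < 0.25: reasons.append("few-vowels")
    if f["dict_coverage"] < 0.5: reasons.append("non-dictionary")
    if f["unseen_bigram_ratio"] > 0.5: reasons.append("rare-bigrams")
    return len(reasons), reasons

def enrichment_score(registrable, today=TODAY):
    reasons, reg, hist = [], REGISTRATION_DATE.get(registrable), QUERY_HISTORY.get(registrable, [])
    if reg is not None and (today - reg).days < 30: reasons.append("recently-registered")
    if sum(hist) <= 3: reasons.append("rarely-visited")
    if hist and sum(hist[:-7]) == 0 and sum(hist[-7:]) > 0: reasons.append("active-after-dormancy")
    return len(reasons), reasons

def score_qname(qname, today=TODAY):
    labels = qname.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # naive split; use a public-suffix list in production
    # CDNs put the hash-like part in the subdomain, so score every candidate label and keep the worst.
    candidates = [l for l in labels[:-1] if len(l) >= MIN_LABEL_LEN] or [labels[0]]
    lex, lex_reasons = max((lexical_score(l) for l in candidates), key=lambda t: t[0])
    enr, enr_reasons = enrichment_score(registrable, today)
    total = lex + enr
    if registrable in CDN_SUFFIXES: verdict = "suppressed-cdn"
    elif total >= 4: verdict = "investigate"
    elif total >= 2: verdict = "review"
    else: verdict = "low"
    return {"qname": qname, "registrable": registrable, "score": total,
            "reasons": lex_reasons + enr_reasons, "verdict": verdict}

def analyze_log(lines, today=TODAY):
    """Score each distinct queried name once, highest score first."""
    seen, results = set(), []
    for line in lines:
        qname = line.split()[2]
        if qname not in seen:
            seen.add(qname)
            results.append(score_qname(qname, today))
    return sorted(results, key=lambda r: -r["score"])

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_DNS_LOG):
        print(f'{r["verdict"]:<15} {r["score"]}  {r["qname"]:<30} {", ".join(r["reasons"])}')
```

Two things the run makes visible that the prose only states: the CDN hostname scores as high lexically as the constructed DGA-style name and is only separated from it by the allowlist, and ordinary words such as "cloudfront" (entropy about 3.12 bits) or "quietvendor" (about 3.28) sit close to the entropy threshold, which is why the score pairs entropy with the other features and the enrichment checks rather than alerting on entropy alone.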

Mitigation priorities

  • Establish or validate enterprise DNS visibility for managed iOS devices where policy and architecture allow.
  • Maintain domain reputation, registration-age, and historical activity enrichment for SOC investigation workflows.
  • Create tuning processes for benign infrastructure patterns, especially CDN domains, to preserve analyst trust in alerts.
  • Use mobile device management, network security, and acceptable-use controls to route or log relevant mobile traffic where required by risk and compliance needs.
  • Document detection assumptions and coverage gaps for audit, incident response readiness, and mobile security program governance.

Analyst notes and limits

This object is a detection analytic, not a technique or adversary behavior description. The supplied ATT&CK fields support an iOS mobile detection focus around suspicious domain generation and domain activity history. No relationship context, tactic mapping, aliases, or separate official detection text were supplied, so local implementation details must come from the organization’s telemetry, enrichment sources, and SOC procedures.

The object does not specify ATT&CK tactics, related techniques, adversary groups, software, campaigns, or mitigations. It also does not prove active exploitation or confirm that any organization has detection coverage. The assessment depends heavily on local iOS DNS visibility and the quality of domain enrichment and false-positive handling.

Official MITRE ATT&CK definition

Analytic 1766

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[1] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.[2] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
8edb424c3c4dd131...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8edb424c3c4d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Data Driven Security DGA: Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
  2. [2] unit42_strat_aged_domain_det: Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.
  3. [3] mitre-attack AN1766: MITRE ATT&CK, Analytic AN1766.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.