DET0613: Detection of Dynamic Resolution
Analyst context for executives and security teams
DET0613 is a MITRE ATT&CK mobile detection strategy for identifying Dynamic Resolution behavior, where mobile malware may change command-and-control connection details such as domains, IP addresses, or ports to avoid simple blocking and static indicators. For security leaders, the practical issue is whether mobile monitoring, network visibility, and incident response processes can still recognize suspicious infrastructure-seeking behavior when the destination changes over time.
Executive priority
Prioritize this as a resilience and visibility question rather than a single signature problem. If the organization depends on Android or iOS devices for workforce access, executive teams should ask whether mobile security, DNS/network logging, and IR playbooks can support investigations when command-and-control indicators are dynamic and short-lived. This matters for incident decision-making, audit evidence around monitoring coverage, and control prioritization where mobile devices have access to business systems.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects mobile technique T1637 Dynamic Resolution, which applies to Android and iOS. SOC and detection engineering teams should validate whether they can observe mobile devices attempting connections to changing domains, IPs, or ports associated with command-and-control behavior. Emphasis should be on evidence correlation across mobile security telemetry, DNS resolution, proxy or network flow data, and device/app context rather than relying only on static blocklists.
Likely telemetry
- Mobile device security or MTD/EMM telemetry where available
- DNS query and response logs for mobile device traffic
- Proxy, secure web gateway, or network egress logs
- Network flow metadata showing destination IPs, ports, timing, and connection patterns
- Mobile application inventory and device identity context
Detection direction
- Validate that mobile-originated DNS and network egress activity is attributable to a specific device, user, and application where possible.
- Look for patterns of changing domains, IP addresses, or ports that may indicate dynamic command-and-control resolution, while tuning for legitimate mobile apps and content delivery behavior.
- Avoid dependence on fixed indicators alone; dynamic resolution can reduce the value of one-time domain, IP, or port blocking.
- Correlate relationship context from T1637 with Android and iOS monitoring coverage, since the detection strategy object itself does not specify platforms or tactics.
- Confirm retention is sufficient for retrospective analysis, because dynamically generated or rotated infrastructure may disappear before an investigation begins.
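One way to turn the attribution and changing-destination bullets above into a check over centralized DNS and egress logs. This is an added example, not a MITRE analytic or code from the mirrored object; the event fields, thresholds, allowlist suffix and sample records are all constructed assumptions to be tuned against a local baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from ATT&CK); baseline them per environment.
WINDOW = timedelta(minutes=10)
MAX_DOMAINS, MAX_IPS, MAX_PORTS = 5, 5, 3
ALLOW_SUFFIXES = (".cdn.example",)  # constructed allowlist for known CDN/app traffic

# Constructed sample events: (time, device, app, domain, dest_ip, dest_port)
EVENTS = [
    (f"2026-01-10T09:0{i}:00", "dev-01", "com.example.notes",
     f"host{i}.rotating.test", f"203.0.113.{10 + i}", 443 if i % 2 else 8443)
    for i in range(7)
] + [
    (f"2026-01-10T09:0{i}:30", "dev-02", "com.example.video",
     f"edge{i}.cdn.example", f"198.51.100.{i + 1}", 443)
    for i in range(7)
] + [
    ("2026-01-10T09:05:00", "dev-03", "com.example.mail", "mail.example", "192.0.2.25", 443),
    ("2026-01-10T09:06:00", None, None, "host9.rotating.test", "203.0.113.99", 8009),
]

def find_churn(events):
    """Return (alerts, unattributed) for destination churn per device/app."""
    buckets, unattributed = defaultdict(list), []
    for ts, device, app, domain, ip, port in events:
        if not device or not app:
            unattributed.append((ts, domain))  # coverage gap: no device/app context
            continue
        if domain.endswith(ALLOW_SUFFIXES):
            continue  # tuned out as legitimate content-delivery behavior
        buckets[(device, app)].append((datetime.fromisoformat(ts), domain, ip, port))
    alerts = []
    for (device, app), rows in buckets.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1  # slide the window forward
            win = rows[start:end + 1]
            d, i, p = ({r[n] for r in win} for n in (1, 2, 3))
            if len(d) > MAX_DOMAINS or len(i) > MAX_IPS or len(p) > MAX_PORTS:
                alerts.append({"device": device, "app": app, "domains": len(d),
                               "ips": len(i), "ports": len(p),
                               "first_seen": win[0][0].isoformat()})
                break  # one alert per device/app is enough for triage
    return alerts, unattributed

if __name__ == "__main__":
    print(find_churn(EVENTS))
```

The `unattributed` list is as useful as the alerts: events that cannot be tied to a device and app mark the monitoring gaps the first bullet asks teams to validate.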
Mitigation priorities
- Inventory where Android and iOS devices can access business resources and ensure those access paths have appropriate monitoring.
- Strengthen mobile device management and mobile threat monitoring capabilities where business risk justifies it.
- Centralize DNS, proxy, and network egress logs so SOC and IR teams can reconstruct mobile network activity.
- Use layered controls: policy enforcement, suspicious egress review, and rapid containment procedures for affected mobile devices.
- Document monitoring scope and gaps for compliance and risk discussions, especially where personal or unmanaged mobile devices are in use.
Analyst notes and limits
This take is based on the DET0613 detection strategy and its relationship to T1637 Dynamic Resolution. Because MITRE did not provide official detection content for this object, the practical guidance is framed around validating telemetry and control coverage for the related mobile behavior rather than asserting a specific analytic.
The object has no official description, detection text, tactics, labels, or platforms. Android and iOS are supported only through the related T1637 technique. Local architecture, device ownership model, logging sources, and mobile security tooling are required to determine actual detection coverage.
Detection of Dynamic Resolution
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1637 | Dynamic Resolution | This object detects Dynamic Resolution. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2b0417b24426… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0613
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.