MITRE ATT&CK® Detection Strategy

DET0617: Detection of Dead Drop Resolver


Domain: Mobile | ID: DET0617 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0617 is a MITRE ATT&CK mobile detection strategy for identifying Dead Drop Resolver behavior, where a compromised Android or iOS device may contact a legitimate external web service that contains hidden or encoded pointers to command-and-control infrastructure. The business issue is that this can make malicious mobile C2 look like normal access to popular web or social platforms, so leadership should not assume allow-listed or reputable services are automatically low risk.

Executive priority

Prioritize this as a mobile security and incident-response readiness question: can the organization prove it can see and investigate mobile devices reaching legitimate external services that may be used to redirect to C2? This matters for operational resilience, executive-device risk, compliance evidence around monitoring, and SOC decision-making because the ATT&CK object provides no built-in detection logic; coverage depends on local telemetry, mobile management visibility, and investigation workflows.

Technical view

The supplied detection strategy has no official description, platform list, tactic list, or detection analytic text. The only supported technical context is its relationship to T1481.001, Dead Drop Resolver, in the mobile domain for Android and iOS. SOC and detection teams should therefore validate whether mobile network activity, application activity, and web destination data can reveal devices contacting legitimate external web services followed by redirection or subsequent connections to suspicious domains or IP addresses. IR teams should ensure investigations can correlate a mobile device, app, web request, resolver content when available, and downstream C2 destination indicators without relying only on domain reputation.

Likely telemetry

  • Mobile device network connection and DNS/web request logs where available
  • Mobile security or MDM/EMM telemetry for Android and iOS devices
  • Proxy, secure web gateway, firewall, or network egress records tied to mobile users/devices
  • HTTP/S destination metadata and redirect chains where legally and technically available
  • Application inventory and app activity context for affected mobile devices

Detection direction

  • Validate visibility for Android and iOS mobile traffic rather than assuming endpoint-style telemetry exists.
  • Look for mobile devices accessing legitimate external web services followed by connections to newly observed, unusual, encoded, obfuscated, or otherwise suspicious domains or IP addresses.
  • Tune detections carefully because the resolver service itself may be popular and benign; context such as app, device, user, timing, redirect behavior, and downstream destination is likely needed to reduce false positives.
  • Confirm whether encrypted traffic, privacy controls, BYOD restrictions, or unmanaged mobile devices create blind spots.
  • Use the relationship to T1481.001 as the scope anchor; do not infer additional tactics or platforms from DET0617 because the detection strategy object does not specify them.
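The Technical view and the Detection direction above describe a two-step pattern: a device reaches an allow-listed, popular web service, then the same device and app connects to a destination that is new, a raw IP, or otherwise suspicious; where the resolver content is available, the analyst wants to confirm that it actually carries a pointer to that downstream destination. The following Python is an added worked example written for this page; it is not code from DET0617, MITRE, or Glexia. The log line format, the allow-list of resolver services, the baseline set, the 10-minute follow-up window, the sample device and app identifiers, and the base64 host:port encoding of the hidden pointer are all constructed assumptions for illustration.

```python
import base64
import re
from datetime import datetime, timedelta

# Assumed normalised log shape: "<ISO-8601 ts> <device_id> <app_id> <destination>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Illustrative allow-listed services that could be abused as a resolver
# (the real list is the organisation's own inventory of popular services).
RESOLVER_SERVICES = {"pastebin.com", "github.com", "twitter.com"}

# Constructed fleet baseline: destinations seen during a prior 30-day period.
BASELINE = {"api.weather.example", "cdn.weather.example", "pastebin.com",
            "github.com", "twitter.com", "pbs.twimg.com"}

WINDOW = timedelta(minutes=10)  # assumed resolver -> follow-up connection window

# Constructed mobile egress records (device IDs, app IDs and hosts are made up;
# 203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z dev-017 com.example.weather api.weather.example
2024-05-01T09:00:05Z dev-017 com.example.weather cdn.weather.example
2024-05-01T09:12:00Z dev-042 com.example.notes pastebin.com
2024-05-01T09:12:07Z dev-042 com.example.notes 203.0.113.45
2024-05-01T09:30:00Z dev-099 com.example.social twitter.com
2024-05-01T09:30:02Z dev-099 com.example.social pbs.twimg.com
2024-05-01T10:05:00Z dev-042 com.example.notes pastebin.com
2024-05-01T10:05:03Z dev-042 com.example.notes update-check.example
"""

# Constructed resolver content: an innocuous-looking post whose "token" is a
# base64-encoded C2 host:port (one assumed dead-drop encoding, not the only one).
RESOLVER_CONTENT = ("Weekly changelog. token="
                    + base64.b64encode(b"203.0.113.45:8443").decode())


def parse_log(text):
    """Parse log lines into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "device": m.group(2),
                       "app": m.group(3), "dest": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def is_suspicious(dest, baseline):
    """Raw IP literals and destinations absent from the baseline count as suspicious."""
    return bool(IP_RE.match(dest)) or dest not in baseline


def find_dead_drop_sequences(events, baseline=BASELINE, window=WINDOW):
    """Flag resolver-service contact followed, within the window, by the same
    device and app reaching a suspicious destination."""
    alerts = []
    for i, e in enumerate(events):
        if e["dest"] not in RESOLVER_SERVICES:
            continue
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break  # events are time-sorted, so nothing later can match
            if (f["device"], f["app"]) != (e["device"], e["app"]):
                continue
            if is_suspicious(f["dest"], baseline):
                alerts.append({"device": e["device"], "app": e["app"],
                               "resolver": e["dest"], "downstream": f["dest"],
                               "seconds_after": int((f["ts"] - e["ts"]).total_seconds())})
    return alerts


B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")


def extract_pointers(content):
    """Decode base64 runs in resolver content that turn into a host[:port]."""
    pointers = []
    for blob in B64_RE.findall(content):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not printable text: ignore
        if "." in decoded and HOSTPORT_RE.match(decoded):
            pointers.append(decoded)
    return pointers


def correlate(alerts, resolver_content):
    """Mark each alert whose downstream host appears as a decoded pointer."""
    hosts = {p.split(":")[0] for p in extract_pointers(resolver_content)}
    for a in alerts:
        a["pointer_match"] = a["downstream"] in hosts
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_dead_drop_sequences(parse_log(SAMPLE_LOG)),
                           RESOLVER_CONTENT):
        print(alert)
```

Run against the constructed sample, the sequence rule raises two candidates for dev-042 (pastebin.com followed by a raw IP, then pastebin.com followed by a never-seen host) and nothing for dev-099, whose follow-up to a popular service lands on a baseline CDN host. Only the first candidate is confirmed by the decoded pointer; the second stays a lower-confidence lead that needs app, user and timing context, which is the tuning point the Detection direction makes. The baseline and the resolver allow-list are the two inputs a SOC has to own locally before the rule means anything.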

Mitigation priorities

  • Establish mobile-device visibility for managed Android and iOS assets before relying on detection claims.
  • Ensure mobile web/DNS/network telemetry can be correlated with user, device, and app context for investigations.
  • Review mobile egress controls and acceptable-use policies for high-risk populations such as executives, administrators, and privileged users.
  • Prepare incident-response playbooks for suspicious mobile C2 redirection behavior, including containment, device triage, and evidence preservation.
  • Use detection validation exercises to produce audit-ready evidence of what mobile telemetry is collected, retained, and reviewed.

Analyst notes and limits

This take is based on DET0617 and its stated relationship to T1481.001 Dead Drop Resolver. The practical value is in validating mobile telemetry and investigation readiness because the official detection strategy content itself is sparse.

The ATT&CK detection strategy object does not provide an official description, detection logic, tactics, or platforms. Android and iOS are included only through the related Dead Drop Resolver technique. Local architecture, device ownership model, logging coverage, and legal/privacy constraints are required to determine real detection coverage.

Official MITRE ATT&CK definition

Detection of Dead Drop Resolver

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID          Name                                  Relationship / procedure
Mobile   T1481.001   Dead Drop Resolver (sub-technique)    This object detects Dead Drop Resolver.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d5c435d9125b1ea6...
Imported snapshots across ATT&CK releases (1)
Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (empty)           1.0              (empty)    Current bundle   d5c435d9125b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0617 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.