MITRE ATT&CK® Detection Strategy

DET0669: Detection of Domain Generation Algorithms

Mobile · DET0669 · Detection Strategy · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0669 is a mobile ATT&CK detection strategy for identifying Domain Generation Algorithms, the related Android and iOS technique in which malware may generate many possible domains for command-and-control or malicious application distribution. The business issue is resilience: static blocklists and one-time domain takedowns may not be enough if a mobile threat can rotate through large numbers of generated domains.

Executive priority

Security leaders should treat DGA detection as a validation point for mobile threat monitoring, DNS visibility, incident response readiness, and control effectiveness. The key decision is whether the organization can see and investigate suspicious mobile domain-resolution behavior quickly enough to support containment, legal/compliance evidence, and continuity decisions when command-and-control infrastructure is designed to be hard to block or track.

Technical view

The ATT&CK object carries no official detection logic, platforms, or tactics of its own. Its only relationship is a "detects" link to T1637.001, Domain Generation Algorithms, in the Mobile domain, whose platforms are Android and iOS. SOC and detection engineering teams should therefore validate whether mobile-related network and DNS telemetry can reveal abnormal domain-generation patterns: repeated failed lookups (NXDOMAIN responses), high-volume or algorithmic-looking domain queries, and rotation through many newly seen domains associated with suspected mobile applications or devices. IR teams should ensure this evidence can be tied back to affected devices, applications, users, and network segments.

Likely telemetry

  • DNS query and response logs for mobile devices or mobile network segments
  • Recursive resolver, secure web gateway, proxy, or network security logs showing domain requests
  • Mobile device management or endpoint inventory linking devices, users, OS, and installed applications
  • Network flow metadata showing repeated outbound connection attempts to many domains
  • Security alerts or case records correlating suspicious domains with mobile applications or devices

Detection direction

  • Confirm that mobile DNS activity is logged with enough context to identify the device, user, application where available, resolver, timestamp, queried domain, and response code.
  • Tune analytics for DGA-like behavior rather than relying only on known-bad domain blocklists, because the related technique notes that thousands of domains may be generated.
  • Review false positives from legitimate mobile apps, ad/analytics SDKs, content delivery patterns, and privacy features that may create high-volume or unusual domain activity.
  • Correlate suspicious domain-generation patterns with mobile inventory and application context before escalating to containment.
  • Document coverage gaps where mobile traffic bypasses monitored DNS infrastructure or where encrypted/private DNS reduces visibility.
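The technical view and the detection-direction list above describe the signals a DGA analytic should combine (failed lookups, volume, algorithmic-looking names, rotation across many domains) and the main false-positive source (SDKs and CDNs fanning out across many hostnames). The script below is an added example, not Glexia's or MITRE's code: it runs that logic over a constructed, clearly labelled sample of resolver logs joined with MDM context. The log layout, the field order, the device IDs, the app names, the thresholds, and the two-label approximation of a registrable domain are all assumptions made for the example.

```python
"""Flag mobile devices whose DNS activity looks DGA-like (added example)."""
import math
from collections import defaultdict

# Constructed sample (not real telemetry). Assumed layout of a resolver log
# joined with MDM inventory:
#   <timestamp> <device_id> <user> <app_package_or_unknown> <queried_domain> <rcode>
# dev-017: ordinary mail/news traffic.
# dev-042: random-looking labels across many TLDs, mostly NXDOMAIN, no app attribution.
# dev-099: an ad SDK hitting many subdomains of ONE registrable domain (a common
#          false positive for naive "many distinct hostnames" rules).
SAMPLE_DNS_LOG = """\
2026-03-01T09:00:01Z dev-017 alice com.example.mail imap.example.com NOERROR
2026-03-01T09:00:03Z dev-017 alice com.example.mail cdn.example.net NOERROR
2026-03-01T09:00:05Z dev-017 alice com.example.news api.news-site.example NOERROR
2026-03-01T09:00:09Z dev-017 alice com.example.news img.news-site.example NOERROR
2026-03-01T09:01:00Z dev-042 bob unknown kx7qpw3zrn2m.info NXDOMAIN
2026-03-01T09:01:02Z dev-042 bob unknown ah0f3kqzu9w1.biz NXDOMAIN
2026-03-01T09:01:04Z dev-042 bob unknown zp8vmq21xk4r.info NXDOMAIN
2026-03-01T09:01:06Z dev-042 bob unknown q2lw9rkx5tnz.org NXDOMAIN
2026-03-01T09:01:08Z dev-042 bob unknown m7xr4vq2kplc.net NXDOMAIN
2026-03-01T09:01:10Z dev-042 bob unknown tq3zvx9kmr7p.com NOERROR
2026-03-01T09:02:00Z dev-099 carol com.example.game a1b2.ads.example NOERROR
2026-03-01T09:02:01Z dev-099 carol com.example.game c3d4.ads.example NOERROR
2026-03-01T09:02:02Z dev-099 carol com.example.game e5f6.ads.example NOERROR
2026-03-01T09:02:03Z dev-099 carol com.example.game g7h8.ads.example NXDOMAIN
"""


def registrable_domain(fqdn):
    """Approximate eTLD+1 by keeping the last two labels.
    Assumption: fine for the sample; production code should use the Public
    Suffix List so hosts under e.g. 'co.uk' are not collapsed to 'co.uk'."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def label_entropy(fqdn):
    """Shannon entropy (bits/char) of the registrable label. Random DGA labels
    approach log2(len(label)); dictionary-word labels sit noticeably lower."""
    label = registrable_domain(fqdn).split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, device, user, app, domain, rcode = parts
        records.append({"ts": ts, "device": device, "user": user,
                        "app": app, "domain": domain, "rcode": rcode})
    return records


def score_devices(records, min_unique=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Aggregate per device. Thresholds are illustrative starting points to tune
    locally. Uniqueness is counted on registrable domains, so an SDK fanning out
    across subdomains of one domain does not look like rotation through many."""
    agg = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy_sum": 0.0,
                               "domains": set(), "apps": set(), "users": set()})
    for r in records:
        a = agg[r["device"]]
        a["queries"] += 1
        a["nxdomain"] += 1 if r["rcode"] == "NXDOMAIN" else 0
        a["entropy_sum"] += label_entropy(r["domain"])
        a["domains"].add(registrable_domain(r["domain"]))
        a["apps"].add(r["app"])
        a["users"].add(r["user"])
    scores = {}
    for device, a in agg.items():
        nx_ratio = a["nxdomain"] / a["queries"]
        mean_entropy = a["entropy_sum"] / a["queries"]
        unique = len(a["domains"])
        scores[device] = {
            "queries": a["queries"], "unique_registrable": unique,
            "nxdomain_ratio": nx_ratio, "mean_label_entropy": mean_entropy,
            "apps": sorted(a["apps"]), "users": sorted(a["users"]),
            "flagged": (unique >= min_unique and nx_ratio >= min_nx_ratio
                        and mean_entropy >= min_entropy),
        }
    return scores


def dga_alerts(records):
    """Flagged devices with the user/app context an IR team needs to scope."""
    return [dict(device=d, **s) for d, s in score_devices(records).items() if s["flagged"]]


if __name__ == "__main__":
    for alert in dga_alerts(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{alert['device']} users={alert['users']} apps={alert['apps']} "
              f"unique={alert['unique_registrable']} nx={alert['nxdomain_ratio']:.2f} "
              f"H={alert['mean_label_entropy']:.2f}")
```

Only dev-042 is flagged: six distinct registrable domains, five of six lookups NXDOMAIN, and high-entropy labels, with no app attribution in the joined inventory. dev-099 issues the same number of queries to four different hostnames but they collapse to a single registrable domain, which is exactly the ad/analytics SDK false positive the list above warns about. The three thresholds are deliberately separate so they can be tuned against local baselines, and the device, user and app fields are carried through to the alert so the result can be tied back to inventory before containment.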

Mitigation priorities

  • Prioritize reliable DNS and network telemetry collection for mobile environments before depending on DGA detections.
  • Maintain mobile asset, user, and application inventory so suspicious domain behavior can be scoped during response.
  • Use layered domain controls and investigation workflows rather than static blocklists alone, since generated domains can be numerous and changeable.
  • Prepare incident response playbooks for isolating affected mobile devices, preserving DNS/network evidence, and reviewing associated applications.
  • Use detection validation results as evidence for security control assurance and compliance readiness where mobile monitoring is in scope.

Analyst notes and limits

This take is based on the DET0669 detection-strategy object and its relationship to T1637.001, Domain Generation Algorithms. The practical emphasis is on validating mobile DNS/network visibility and response workflows because the related technique describes generated domains being used for command-and-control communication or malicious application distribution.

The supplied DET0669 object has no official description, detection text, tactics, platforms, or aliases. Platform context comes only from the related T1637.001 technique, which lists Android and iOS. Local telemetry, architecture, mobile management model, and resolver design are required to determine actual detection coverage.

Official MITRE ATT&CK definition

Detection of Domain Generation Algorithms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID         Name                          Type           Relationship / procedure
Mobile   T1637.001  Domain Generation Algorithms  Sub-technique  This object detects Domain Generation Algorithms.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 603f60334eafc9cb...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  603f60334eaf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, DET0669

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.