MITRE ATT&CK® Data Component

DC0113: Network Communication

Network Communication captures outbound or inbound communication initiated by an application or mobile device, including the domains contacted, protocols used, and session metadata associated with the communication.

Monitoring network communication enables defenders to identify command-and-control traffic, data exfiltration, or suspicious communication patterns originating from mobile applications.

Examples

- Connections to previously unseen domains
- Repeated communication with suspicious infrastructure
- Communication immediately following application installation

Collection Methods

- Mobile VPN telemetry
- Secure web gateway logs
- Network detection and response (NDR)
- Mobile EDR network monitoring

Mobile | DC0113 | Data Component | Object v2.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network Communication is a mobile ATT&CK data component focused on the inbound and outbound traffic generated by a mobile device or application. For leaders, its value is not just seeing network activity but being able to validate whether mobile apps are contacting unexpected domains or suspicious infrastructure, or communicating soon after installation in ways that may indicate command-and-control or data exfiltration behavior.

Executive priority

This data component matters for mobile security visibility, incident response triage, and audit evidence around whether the organization can observe risky mobile application communications. Security leaders should ask whether mobile traffic is visible through mobile VPN telemetry, secure web gateway logs, NDR, or mobile EDR network monitoring, and whether that visibility is consistent across managed mobile use cases. Gaps here can limit the organization’s ability to investigate suspected mobile compromise or unauthorized data movement.

Technical view

SOC and detection teams should validate collection of mobile network session metadata, contacted domains, protocols, and timing of communications. Because no official ATT&CK detection logic is provided for this data component, teams should build use cases around the supplied examples: connections to previously unseen domains, repeated communication with suspicious infrastructure, and communication immediately following application installation. IR teams should ensure this telemetry can be correlated with mobile app inventory, installation time, user/device identity, and any available mobile EDR or gateway context.

Likely telemetry

  • Mobile VPN telemetry
  • Secure web gateway logs
  • Network detection and response (NDR) records
  • Mobile EDR network monitoring
  • Contacted domains and protocols

Detection direction

  • Confirm whether mobile-originated inbound and outbound communications are actually collected, retained, and searchable.
  • Tune detections for unusual mobile app communication patterns, including previously unseen domains and repeated contact with suspicious infrastructure.
  • Correlate communication events with application installation timing to identify activity that begins immediately after install.
  • Account for false positives from legitimate app updates, content delivery networks, cloud services, and normal first-run application behavior.
  • Document blind spots where unmanaged devices, split tunneling, encrypted traffic, or lack of mobile EDR/gateway coverage reduces visibility.
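
One way to turn the three supplied examples into a first-pass analytic that correlates session records with app install time (added example, not MITRE or Glexia detection content; every field name, domain, threshold and sample record below is a constructed assumption):

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; every field name and value here is hypothetical.
INSTALLS = {("dev-01", "com.example.notes"): datetime(2026, 1, 10, 9, 0, 0)}
BASELINE = {"com.example.notes": {"api.notes.example"}}   # expected domains per app
ALLOWLIST = {"cdn.example.net"}                            # update/CDN noise
SUSPICIOUS = {"beacon.bad.example"}                        # local watchlist
EVENTS = [  # (timestamp, device, app, domain, protocol)
    ("2026-01-10T09:00:20", "dev-01", "com.example.notes", "cdn.example.net", "https"),
    ("2026-01-10T09:00:45", "dev-01", "com.example.notes", "beacon.bad.example", "https"),
    ("2026-01-10T09:05:45", "dev-01", "com.example.notes", "beacon.bad.example", "https"),
    ("2026-01-10T09:10:45", "dev-01", "com.example.notes", "beacon.bad.example", "https"),
    ("2026-01-10T12:00:00", "dev-01", "com.example.notes", "api.notes.example", "https"),
    ("2026-01-11T08:00:00", "dev-01", "com.example.notes", "files.other.example", "https"),
]

def detect(events, installs, baseline, allowlist, suspicious,
           post_install=timedelta(minutes=2), repeat_threshold=3):
    """Return a sorted list of (rule, device, app, domain) findings."""
    findings, seen, hits = set(), {}, Counter()
    for ts, device, app, domain, _proto in sorted(events):
        if domain in allowlist:          # known-benign first-run/update traffic
            continue
        when = datetime.fromisoformat(ts)
        # Known = documented baseline plus domains already observed for this app.
        known = baseline.get(app, set()) | seen.setdefault(app, set())
        if domain not in known:
            findings.add(("unseen_domain", device, app, domain))
            installed = installs.get((device, app))
            # New domain contacted right after install: raise separately.
            if installed and timedelta(0) <= when - installed <= post_install:
                findings.add(("post_install_contact", device, app, domain))
        seen[app].add(domain)
        if domain in suspicious:
            hits[(device, app, domain)] += 1
            if hits[(device, app, domain)] >= repeat_threshold:
                findings.add(("repeated_suspicious", device, app, domain))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS, INSTALLS, BASELINE, ALLOWLIST, SUSPICIOUS):
        print(finding)
```

The allowlist check runs first so that CDN and update traffic during first run does not raise post-install findings; devices with no install record still produce unseen-domain findings but cannot produce the timing correlation.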

Mitigation priorities

  • Prioritize consistent mobile network telemetry collection before relying on analytics or alerting.
  • Route managed mobile traffic through approved monitoring points where feasible, such as mobile VPN, secure web gateway, NDR, or mobile EDR capabilities.
  • Maintain baselines of expected mobile application domains and protocols to support anomaly review.
  • Ensure incident response procedures include retrieval and correlation of mobile network communication records.
  • Use telemetry availability as compliance and readiness evidence for mobile monitoring and data-loss investigation capabilities.

Analyst notes and limits

This is a data component, not a technique, and the supplied object does not include tactics, platforms, relationships, or official detection analytics. The most defensible use is as a visibility requirement for mobile-focused monitoring and investigation rather than as a standalone indicator of malicious activity.

No relationship context, platform list, or official detection content was supplied. Local architecture determines what can actually be collected, especially for unmanaged devices, encrypted sessions, mobile VPN coverage, and gateway routing. The object supports discussion of suspicious communication patterns but does not by itself establish exploitation, attribution, or confirmed compromise.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: bf04a6b0b5e85394...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.1 | | Current bundle | bf04a6b0b5e8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.