AN1671: Analytic 1671
Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
Analyst context for executives and security teams
AN1671 is a mobile detection analytic for Android that highlights a practical problem: exfiltration over an existing command-and-control channel may be hard to see directly. For security leaders, the value is not a promise of a specific detection, but a warning that waiting to catch the final data movement may be too late. Coverage should be judged by whether the organization can detect earlier suspicious mobile behavior and preserve enough telemetry to support incident response decisions.
Executive priority
Prioritize this as a resilience and assurance issue for Android mobile environments. Leaders should ask whether mobile devices that access business data are monitored well enough to identify compromise before exfiltration, whether incident responders can reconstruct device and network activity, and whether control evidence exists for audits or risk reviews. Because the official analytic provides no detection logic and notes detection difficulty, budget and control decisions should emphasize earlier-stage visibility, mobile access governance, and response readiness rather than relying on a single exfiltration alert.
Technical view
SOC and detection teams should treat AN1671 as a coverage-gap prompt. The official object is tied to Android and references Exfiltration Over C2 Channel, but provides no concrete detection procedure and no relationship context. Validate whether Android mobile telemetry, network egress records, identity activity, and mobile security alerts can be correlated to suspicious behavior before or around possible C2-based exfiltration. IR teams should confirm they can scope affected devices, associated accounts, installed applications, network destinations, and access to enterprise data sources.
Likely telemetry
- Android mobile device inventory and compliance state from MDM/UEM or equivalent management sources
- Mobile application installation, permission, configuration, and security alert records where available
- Network egress, DNS, proxy, VPN, or secure web gateway logs associated with Android devices
- Identity and access logs for accounts used from Android devices, including session and device context where available
- Mobile threat defense or endpoint security alerts if deployed
Detection direction
- Do not measure coverage only by direct detection of exfiltration over C2; the official analytic states this behavior can be difficult to detect.
- Validate earlier-stage mobile detections and correlations that could surface suspicious Android activity before data leaves the environment.
- Tune mobile network analytics carefully because legitimate mobile applications may maintain persistent encrypted connections that resemble generic C2 patterns.
- Check blind spots created by unmanaged Android devices, personal devices, limited mobile logging, encrypted traffic, privacy restrictions, and lack of device-to-user mapping.
- Use this analytic as a test case for whether SOC workflows can combine mobile, identity, and network evidence quickly during triage.
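The following is an added example, not part of the MITRE analytic or of Glexia's page, showing the kind of triage join the bullets above describe: constructed MDM inventory, identity sign-in events and proxy egress records (all invented for illustration, with assumed field names such as `device_id`, `managed` and `bytes_out`) are correlated on a device identifier so the SOC can see which egress it cannot attribute to a user, which known devices are outside management, and how a duration-only "persistent connection" rule flags a normal long-lived push session while a combined duration-and-volume rule does not. It is a coverage check over sample data, not a detection for exfiltration over C2.

```python
"""Coverage-check example for AN1671-style triage.

Joins constructed MDM/UEM inventory, identity sign-in events and proxy
egress records on a device identifier. Every record below is constructed
for illustration and every field name is an assumption.
"""

# Constructed MDM/UEM inventory (assumed fields: device_id, user, managed).
MDM_INVENTORY = [
    {"device_id": "android-0001", "user": "alice", "managed": True},
    {"device_id": "android-0002", "user": "bob", "managed": True},
]

# Constructed identity sign-in events that carry device context.
IDENTITY_EVENTS = [
    {"device_id": "android-0001", "user": "alice", "app": "mail"},
    {"device_id": "android-0003", "user": "carol", "app": "files"},  # not in MDM
]

# Constructed proxy/SWG egress records; bytes_out is client-to-server volume.
EGRESS_LOG = [
    {"device_id": "android-0001", "dst": "push.example.net", "duration_s": 86400, "bytes_out": 40_000},
    {"device_id": "android-0002", "dst": "cdn.example.org", "duration_s": 120, "bytes_out": 2_000},
    {"device_id": "android-0003", "dst": "203.0.113.10", "duration_s": 7200, "bytes_out": 50_000_000},
    {"device_id": "android-0004", "dst": "198.51.100.7", "duration_s": 30, "bytes_out": 500},
]


def build_device_map(mdm_inventory, identity_events):
    """Map device_id -> {user, managed, sources} from MDM and identity telemetry."""
    devices = {}
    for rec in mdm_inventory:
        entry = devices.setdefault(rec["device_id"], {"user": None, "managed": False, "sources": set()})
        entry["user"] = rec["user"]
        entry["managed"] = bool(rec["managed"])
        entry["sources"].add("mdm")
    for ev in identity_events:
        entry = devices.setdefault(ev["device_id"], {"user": None, "managed": False, "sources": set()})
        entry["user"] = entry["user"] or ev["user"]
        entry["sources"].add("identity")
    return devices


def coverage_report(egress_log, device_map, min_duration_s, min_bytes_out):
    """Classify egress records by what the SOC can actually say about them.

    unmapped:   egress from a device that no source ties to a user (blind spot)
    unmanaged:  device seen in identity logs but absent from MDM/UEM
    candidates: sessions that are long-lived AND high-upload; both thresholds
                are applied together because long-lived, low-volume connections
                are normal for push and sync apps on Android
    """
    report = {"unmapped": set(), "unmanaged": set(), "candidates": []}
    for rec in egress_log:
        dev = device_map.get(rec["device_id"])
        if dev is None or dev["user"] is None:
            report["unmapped"].add(rec["device_id"])
        elif not dev["managed"]:
            report["unmanaged"].add(rec["device_id"])
        if rec["duration_s"] >= min_duration_s and rec["bytes_out"] >= min_bytes_out:
            report["candidates"].append((rec["device_id"], rec["dst"], rec["bytes_out"]))
    return report


def triage_summary():
    """Run the check with a duration-only rule and a combined rule so the
    difference in noise is visible on the constructed data."""
    device_map = build_device_map(MDM_INVENTORY, IDENTITY_EVENTS)
    duration_only = coverage_report(EGRESS_LOG, device_map, min_duration_s=3600, min_bytes_out=0)
    combined = coverage_report(EGRESS_LOG, device_map, min_duration_s=3600, min_bytes_out=10_000_000)
    return {
        "device_map": device_map,
        "duration_only_candidates": [c[0] for c in duration_only["candidates"]],
        "combined_candidates": [c[0] for c in combined["candidates"]],
        "unmapped": sorted(combined["unmapped"]),
        "unmanaged": sorted(combined["unmanaged"]),
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(f"{key}: {value}")
```

On this sample the duration-only rule flags both the push session from the managed device and the high-volume session from the unmanaged one, while the combined rule flags only the latter; the device with no mapping in either source is reported as a blind spot rather than silently scored. The thresholds are placeholders and would need to be set from local baselines.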
Mitigation priorities
- Establish clear governance for Android devices that access enterprise data, including enrollment, inventory, and compliance expectations where applicable.
- Improve visibility before attempting high-confidence exfiltration detection: device posture, application inventory, identity context, and network egress logging are foundational.
- Restrict or condition access to sensitive enterprise resources based on device trust and compliance where supported by existing architecture.
- Prepare incident response procedures for Android device containment, account review, evidence preservation, and business-data access scoping.
- Use detection engineering reviews to document where direct exfiltration-over-C2 detection is not feasible and what compensating controls provide evidence instead.
Analyst notes and limits
The official MITRE content for AN1671 is intentionally sparse: it identifies Android as the platform, references Exfiltration Over C2 Channel, and states that enterprises may be better served detecting other stages of adversarial behavior. There are no supplied tactics, relationships, aliases, labels, or detection logic. This Glexia take therefore frames the analytic as a defensive coverage and readiness prompt rather than a deployable rule.
This assessment is limited to the supplied official STIX fields, external reference, and absence of relationship context. It does not establish active exploitation, attribution, business impact, or detection coverage. Local architecture, mobile management maturity, logging availability, privacy constraints, and incident response capability are required to determine actual defensive value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 11e03745d668… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1671 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.