AN1672: Analytic 1672
Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
Analyst context for executives and security teams
This analytic is a cautionary signal for iOS mobile defense: exfiltration over a command-and-control channel may be hard to detect directly, so leaders should not assume that network monitoring alone will provide reliable proof of data theft. The practical value is in validating whether the organization can detect earlier or adjacent attacker behavior on managed iOS devices before data leaves the environment.
Executive priority
Treat this as a coverage and readiness question rather than a single detection rule. For business continuity, privacy, and compliance evidence, executives should ask whether mobile device visibility, incident response procedures, and data protection controls can support investigations when direct exfiltration detection is weak. Budget and control priorities should favor measurable telemetry, mobile fleet governance, and earlier-stage detection opportunities over promises of guaranteed C2 exfiltration detection.
Technical view
The supplied ATT&CK analytic applies to iOS and references Exfiltration Over C2 Channel (T1646). MITRE provides no specific detection logic and explicitly notes that this behavior can be difficult to detect, recommending focus on other stages of adversarial behavior. SOC and IR teams should therefore validate what iOS telemetry is available, what network or device-management evidence can be retained, and what earlier-stage mobile behaviors can be correlated during investigations. Because no tactics or relationships are supplied, detection engineering should avoid over-scoping this analytic beyond iOS mobile environments and T1646 context.
Likely telemetry
- iOS mobile device management or enterprise mobility management records
- Device inventory and enrollment status for managed iOS assets
- Network connection metadata from mobile egress paths where available
- Proxy, DNS, VPN, or secure web gateway logs for managed mobile traffic where deployed
- Mobile security or device compliance alerts if present in the environment
Detection direction
- Do not treat this as a standalone high-confidence detection; MITRE does not provide detection logic for AN1672.
- Validate whether mobile network telemetry is actually collected for iOS devices, especially when devices operate off corporate networks.
- Prioritize correlation with earlier or related adversarial behaviors rather than relying only on identifying exfiltration over the C2 channel itself.
- Tune investigations to distinguish legitimate mobile application traffic from suspicious patterns, recognizing that mobile app network behavior can create false positives.
- Document telemetry gaps explicitly so SOC leadership understands where direct exfiltration confirmation may not be possible.
Mitigation priorities
- Start with mobile asset governance: confirm which iOS devices are managed, monitored, and subject to enterprise controls.
- Ensure incident response playbooks cover iOS evidence collection, containment decisions, and escalation when exfiltration cannot be directly proven.
- Strengthen data protection and access controls so that mobile compromise does not automatically create broad data exposure.
- Use network, DNS, VPN, or secure web gateway controls where available to improve visibility into managed mobile traffic.
- Maintain audit-ready evidence of mobile monitoring limitations and compensating controls.
Analyst notes and limits
AN1672 is sparse by design: it states that Exfiltration Over C2 Channel on iOS may be difficult to detect and suggests focusing detection on other adversarial stages. The key decision value is to test whether the organization has enough mobile telemetry and process maturity to investigate suspected data loss even when direct C2 exfiltration evidence is limited.
This take is based only on the supplied ATT&CK fields. No official detection logic, tactics, relationships, aliases, or additional context were provided. Local architecture, iOS management posture, logging retention, and mobile network routing determine what can actually be detected or proven.
Analytic 1672
Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 066926d61c8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1672Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.