AN1813: Analytic 1813
Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
Analyst context for executives and security teams
This analytic is a mobile ATT&CK detection note for Android indicating that exfiltration over alternative protocols can be difficult to detect directly. The practical takeaway is that leaders should not assume network monitoring alone will reliably expose this behavior; mobile defense programs may need to prioritize earlier-stage indicators, device posture, app behavior visibility, and incident response readiness around suspicious data access and movement.
Executive priority
For executives and security leaders, the decision value is coverage realism. If Android devices are in scope for business operations, sensitive data access, or compliance obligations, teams should be able to explain what evidence exists before data leaves the device, not only whether exfiltration traffic can be identified. This supports budget and control prioritization toward mobile telemetry, managed detection validation, incident response playbooks, and compliance evidence for monitoring and data protection controls.
Technical view
For SOC, detection engineering, and IR teams, this object provides limited analytic detail but a clear defensive direction: direct detection of Exfiltration Over Alternative Protocol on Android may be unreliable, so validate detection coverage across adjacent behaviors and earlier phases of activity. Teams should review whether Android telemetry can show suspicious app behavior, unusual data access, abnormal network destinations or protocols, and device or application events that precede potential exfiltration. Because no ATT&CK tactic, analytic logic, or relationships are supplied, local environment baselining is required before converting this into alert logic.
Likely telemetry
- Android device management or mobile device management security events
- Mobile application behavior and permission telemetry
- Android network connection metadata where available
- Proxy, DNS, firewall, or secure web gateway logs for mobile-originated traffic
- Endpoint or mobile threat defense alerts for suspicious app activity
Detection direction
- Do not rely solely on detecting the final exfiltration protocol; validate visibility into earlier suspicious mobile behaviors.
- Baseline normal Android application network activity to reduce false positives from legitimate alternative protocols or app-specific communications.
- Confirm whether mobile traffic is observable when devices are off corporate networks, using VPN, or communicating directly to cloud services.
- Correlate mobile device, application, identity, and network evidence where available rather than treating network events in isolation.
- Document detection gaps explicitly because the official ATT&CK object does not provide detection logic or relationships.
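As an added example (not part of this ATT&CK object or Glexia's analysis), the baseline-then-deviation check described above, run over constructed Android network metadata and correlated with a preceding device-side data access event; the record layout, package names and event names are assumptions.

```python
from collections import defaultdict

# Constructed sample records (device, package, protocol, destination), not real telemetry.
BASELINE_EVENTS = [
    ("dev1", "com.example.mail", "https", "mail.example.com"),
    ("dev1", "com.example.mail", "https", "cdn.example.com"),
    ("dev2", "com.example.chat", "wss", "chat.example.com"),
]
NEW_EVENTS = [
    ("dev1", "com.example.mail", "https", "mail.example.com"),  # matches baseline
    ("dev1", "com.example.mail", "dns", "upload.example.net"),  # new protocol and destination
    ("dev2", "com.example.chat", "wss", "chat.example.com"),    # matches baseline
    ("dev2", "com.example.chat", "https", "chat.example.com"),  # new protocol, known destination
]
# Constructed device-side events seen before the network records (hypothetical event names).
SENSITIVE_ACCESS = {"dev1": ["contacts_bulk_read"], "dev2": []}

def build_baseline(events):
    """Per package: protocols and destinations observed during the baseline window."""
    base = defaultdict(lambda: {"protocols": set(), "destinations": set()})
    for _device, package, protocol, destination in events:
        base[package]["protocols"].add(protocol)
        base[package]["destinations"].add(destination)
    return dict(base)

def find_deviations(baseline, events):
    """Flag records whose protocol or destination is unseen for that package."""
    flagged = []
    for device, package, protocol, destination in events:
        known = baseline.get(package)
        reasons = (["unknown_package"] if known is None else
                   (["new_protocol"] if protocol not in known["protocols"] else []) +
                   (["new_destination"] if destination not in known["destinations"] else []))
        if reasons:
            flagged.append({"device": device, "package": package, "protocol": protocol,
                            "destination": destination, "reasons": reasons})
    return flagged

def correlate(deviations, sensitive_access):
    """Raise priority when the same device showed sensitive data access beforehand."""
    for d in deviations:
        d["prior_sensitive_access"] = list(sensitive_access.get(d["device"], []))
        d["priority"] = "high" if d["prior_sensitive_access"] else "review"
    return deviations

def run():
    """Full pipeline over the constructed data: baseline, deviation, correlation."""
    return correlate(find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS), SENSITIVE_ACCESS)
```

A real baseline window should span enough days to cover legitimate app update and sync cycles, otherwise routine changes will surface as deviations.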
Mitigation priorities
- Prioritize mobile inventory, device enrollment, and posture enforcement for Android devices that access enterprise data.
- Limit sensitive data exposure on mobile devices through access policy, application control, and least-privilege data access where supported by existing architecture.
- Improve mobile logging and centralized retention before attempting high-confidence exfiltration detection.
- Prepare IR procedures for suspected mobile data movement, including device triage, account review, and containment decision points.
- Use this analytic as a coverage gap prompt for managed detection, mobile security, and compliance readiness reviews rather than as a standalone detection rule.
Analyst notes and limits
The supplied ATT&CK object is an analytic reference, AN1813, in the mobile-attack domain for Android. Its official description states that Exfiltration Over Alternative Protocol can be difficult to detect and that enterprises may be better served focusing on other stages of adversarial behavior. No relationship context, detection logic, tactics, aliases, or labels were supplied.
This take is constrained by sparse official fields. It does not establish active exploitation, actor usage, business impact, or guaranteed detection coverage. Any operational detection or mitigation plan requires local Android fleet details, mobile telemetry availability, network architecture, data sensitivity, and enterprise access patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d8a7aa52d917… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1813
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.