Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1818: Analytic 1818

Exfiltration Over Unencrypted Non-C2 Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

MobileAN1818AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic highlights a practical gap for Android mobile defense: exfiltration over unencrypted, non-command-and-control protocols may be hard to detect directly. The business value is not in assuming this analytic provides coverage, but in recognizing that mobile data-loss risk may need to be managed through earlier-stage detection, stronger mobile telemetry, and validation of where sensitive data can leave the device.

Executive priority

Treat this as a coverage and assurance question for mobile risk management. Leaders should ask whether Android devices that handle business data produce enough network, application, and device-management evidence to support incident decisions, compliance evidence, and data-loss investigations. Because the official ATT&CK text says this behavior can be difficult to detect and suggests focusing on other adversary stages, priority should go to confirming preventive controls, upstream detections, and incident response playbooks rather than relying on a single exfiltration alert.

Technical view

For SOC, detection engineering, and IR teams, this object should drive validation of Android mobile telemetry and adjacent detections related to Exfiltration Over Unencrypted Non-C2 Protocol. No official detection logic or tactic mapping is supplied, so teams should not treat AN1818 as a ready-to-implement rule. Instead, verify whether mobile network flows, DNS, application activity, MDM/UEM events, and device compliance signals are available and correlated with earlier suspicious behavior. Detection content should be tested for visibility gaps around non-C2 traffic and for false positives from legitimate mobile applications using unencrypted protocols.

Likely telemetry

  • Android device management or UEM/MDM compliance events
  • Mobile network connection or flow metadata where available
  • DNS or destination metadata associated with Android devices
  • Application inventory, install, permission, and activity signals
  • Proxy, secure web gateway, firewall, or mobile security gateway logs if Android traffic is routed through them

Detection direction

  • Do not assume direct exfiltration detection is reliable; the official description explicitly notes difficulty and recommends focusing on other adversarial stages.
  • Validate whether Android traffic visibility exists for unmanaged, off-network, split-tunnel, or cellular scenarios, because these are common mobile telemetry blind spots.
  • Tune analytics to distinguish suspicious unencrypted non-C2 data movement from expected application behavior, updates, telemetry, and user-driven file transfers.
  • Use this analytic as a prompt to map upstream mobile detections and response decision points, since no official detection logic or relationships are supplied.
  • Confirm alert context includes device owner, application, destination, data sensitivity, and device compliance state where locally available.

Mitigation priorities

  • Prioritize mobile data governance: know which Android devices and applications can access sensitive business data.
  • Strengthen mobile management baselines, including device compliance, application control, and policy enforcement appropriate to the organization.
  • Improve routing and logging of mobile traffic where feasible so SOC and IR teams can investigate suspected data movement.
  • Invest in detections for earlier adversary behavior on Android devices, consistent with the ATT&CK note that direct detection of this exfiltration behavior may be difficult.
  • Document mobile telemetry limitations for audit, incident response planning, and risk acceptance decisions.
Analyst notes and limits

AN1818 is a mobile ATT&CK detection analytic for Android tied in its description to Exfiltration Over Unencrypted Non-C2 Protocol. The supplied object contains no official detection procedure, no tactics, and no relationship context, so the main decision value is coverage validation and control prioritization rather than implementation of a specific analytic.

This take is limited to the supplied STIX fields, MITRE external reference, and the official description. No active exploitation, attribution, detection efficacy, specific tools, or enterprise exposure can be inferred. Local architecture, Android management model, network routing, and logging determine whether meaningful detection or investigation is possible.

Official MITRE ATT&CK definition

Analytic 1818

Exfiltration Over Unencrypted Non-C2 Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2d74708cb6061cb9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 2d74708cb606…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1818
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use