Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1828: Analytic 1828

The defender correlates managed-app or supervised-device outbound sessions where protocol indicators such as TLS handshake, HTTP semantics, or other application-layer behaviors are observed over destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime attribution is weaker than Android, the primary iOS analytic should be anchored on network protocol-versus-port mismatch plus supervised managed-app context and device-state enrichment.

MobileAN1828AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting iOS managed apps or supervised devices that appear to use recognizable network protocols on ports that do not match the organization’s approved baseline. For leaders, the value is not the port mismatch alone; it is whether mobile network monitoring, device management context, and device-state data are good enough to distinguish suspicious background communications from normal app behavior.

Executive priority

Prioritize this as a mobile security and managed-device visibility question. If the organization relies on supervised iOS devices or managed apps for sensitive business workflows, leaders should ask whether security teams can prove what network behavior is expected by app role, protocol, and destination port. This can support incident triage, mobile policy validation, and compliance evidence, but it requires environment-specific baselines and telemetry rather than assuming ATT&CK provides a ready-made detection.

Technical view

For SOC and detection engineering teams, validate whether network telemetry can identify protocol-versus-port mismatches for iOS managed-app or supervised-device sessions. The supplied analytic emphasizes TLS handshake indicators, HTTP semantics, or other application-layer behaviors observed on destination ports outside an approved baseline. Stronger evidence comes from repeated or persistent sessions, especially during background refresh, while the device is locked, or without recent user interaction. Because the object notes weaker direct local runtime attribution on iOS than Android, detections should be anchored on network observations enriched with supervised-device, managed-app, and device-state context.

Likely telemetry

  • Outbound network session metadata from supervised iOS devices
  • Application-layer protocol indicators such as TLS handshake characteristics or HTTP semantics
  • Destination port and destination endpoint information
  • Managed-app or device supervision context from mobile management systems
  • Device-state enrichment such as locked state, background refresh, or recent user interaction where available

Detection direction

  • Build or validate baselines for approved protocol-to-port usage by managed app and bundle role before alerting on mismatches.
  • Prioritize repeated or persistent protocol-versus-port mismatches over one-off sessions to reduce noise.
  • Correlate network observations with device supervision, managed-app status, and device-state indicators when available.
  • Treat attribution to a specific local iOS runtime component cautiously, because the supplied analytic states direct local runtime attribution is weaker on iOS.
  • Review false positives from legitimate apps, proxy behavior, nonstandard service configurations, and changing SaaS/CDN network patterns.

Mitigation priorities

  • Define approved network behavior baselines for supervised iOS devices and managed apps by protocol, port, and business role.
  • Ensure mobile management inventory and supervised-device context can enrich network detections.
  • Improve collection of outbound mobile network telemetry capable of distinguishing protocol behavior from destination port alone.
  • Use detection outcomes to refine mobile app governance, network policy exceptions, and incident response playbooks.
  • Maintain evidence of baseline decisions and detection limitations for audit and compliance readiness.
Analyst notes and limits

No ATT&CK tactics, relationships, or official detection logic were supplied. This take therefore treats AN1828 as a detection analytic for iOS network behavior, not as evidence of a specific adversary campaign or technique relationship. Local baselining is essential because the analytic depends on what ports and protocols are approved for each managed app or device role.

The object provides a description but no official detection implementation and no relationship context. It supports iOS only. It does not support claims about active exploitation, attribution, business impact, or guaranteed detection coverage. Effectiveness depends on available network, mobile management, and device-state telemetry in the local environment.

Official MITRE ATT&CK definition

Analytic 1828

The defender correlates managed-app or supervised-device outbound sessions where protocol indicators such as TLS handshake, HTTP semantics, or other application-layer behaviors are observed over destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime attribution is weaker than Android, the primary iOS analytic should be anchored on network protocol-versus-port mismatch plus supervised managed-app context and device-state enrichment.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
5609322f4687d7ae...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 5609322f4687…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1828
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use