MITRE ATT&CK® Detection Strategy

DET0608: Detection of Generate Traffic from Victim


Mobile | DET0608 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0608 is a mobile ATT&CK detection strategy associated with detecting Generate Traffic from Victim (T1643). The business issue is that compromised or abusive mobile apps can cause devices to send outbound SMS or web traffic that may create direct cost, fraud exposure, app-store manipulation risk, customer trust issues, and incident-response uncertainty. Because the detection strategy itself has no official description or detection logic, its practical value is as a prompt to verify whether mobile security, network, billing, and application telemetry can show unusual outbound traffic behavior from Android and iOS devices.

Executive priority

Treat this as a mobile fraud and abuse readiness question rather than a fully specified detection rule. Leaders should ask whether the organization can identify suspicious outbound mobile traffic, especially SMS-related activity and abnormal web traffic, and whether incident teams have access to the billing, mobile device, network, and app evidence needed to assess financial or reputational exposure. Priority is higher for organizations managing mobile apps, enterprise mobile fleets, carrier-billed workflows, or environments where mobile device activity can affect customer trust, fraud losses, or compliance evidence.

Technical view

The supplied ATT&CK relationship says DET0608 detects T1643, where adversaries may generate outbound traffic from Android or iOS devices, commonly SMS messages or general web traffic. For Android, the related technique notes that SMS generation may require the SEND_SMS permission, and premium SMS may require user consent. SOC and detection engineering teams should validate whether they can observe anomalous outbound SMS volume, unusual recipients or premium-number patterns where available, abnormal mobile web request volume, and suspicious app permission behavior. Because the detection strategy has no official detection text, local baselining and environment-specific thresholds are required.

Likely telemetry

  • Mobile device management or mobile threat defense events where deployed
  • Android app permission inventory, especially SEND_SMS where available
  • SMS activity metadata such as volume, destination category, timing, and billing indicators where legally and operationally available
  • Mobile network, proxy, DNS, or web traffic metadata for managed devices or managed apps
  • Application telemetry for unusual outbound request volume or automated interaction patterns

Detection direction

  • Validate visibility first: the ATT&CK object provides no official detection logic, so confirm what telemetry exists for Android and iOS before claiming coverage.
  • Baseline normal outbound SMS and mobile web activity by device group, app, geography, business role, and time of day where privacy and policy allow.
  • Correlate abnormal outbound traffic with app installs, app updates, permission grants, device posture changes, and user complaints.
  • For Android, review whether apps with SEND_SMS permission are expected and whether SMS behavior aligns with business need.
  • Tune for false positives from legitimate messaging apps, MFA workflows, customer-support tools, marketing apps, travel behavior, and high-volume business processes.
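As an added illustration of the baselining and correlation steps above (example code written for this page, not from MITRE or Glexia), the following Python scores a device's daily outbound SMS volume against its own history and combines that with premium-destination counts and recently installed apps holding SEND_SMS. The telemetry record layout, field names, lookback window and z-score threshold are assumptions, and the two sample devices are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev

SEND_SMS = "android.permission.SEND_SMS"  # Android permission named in the technique
@dataclass
class DeviceTelemetry:  # assumed record shape; real MDM/MTD exports will differ
    device_id: str
    daily_sms: list[int]  # historical daily outbound SMS counts (baseline window)
    today_sms: int        # outbound SMS count for the day under review
    premium_sms: int      # of today's SMS, how many went to premium/short-code numbers
    apps: list[dict] = field(default_factory=list)  # {"name", "permissions", "installed"}

def sms_anomaly_score(history: list[int], today: int) -> float:
    # Z-score against the device's own baseline; std-dev floored at 1.0 so 0 -> 1 never alerts
    return (today - mean(history)) / max(pstdev(history), 1.0) if history else 0.0

def recent_sms_capable_apps(apps: list[dict], today: date, lookback: int = 7) -> list[str]:
    """Apps holding SEND_SMS that were installed or updated within `lookback` days."""
    return [a["name"] for a in apps
            if SEND_SMS in a["permissions"] and (today - a["installed"]).days <= lookback]

def assess(dev: DeviceTelemetry, today: date, z_threshold: float = 3.0) -> dict:
    """Combine volume anomaly, premium use and app-change context into a triage verdict."""
    z = sms_anomaly_score(dev.daily_sms, dev.today_sms)
    new_apps = recent_sms_capable_apps(dev.apps, today)
    reasons = []
    if z >= z_threshold:
        reasons.append(f"sms volume z={z:.1f}")
    if dev.premium_sms:
        reasons.append(f"{dev.premium_sms} sms to premium destinations")
    if new_apps:
        reasons.append("recent SEND_SMS app: " + ", ".join(new_apps))
    # A spike alone may be an MFA or support workflow (review); a spike together with a
    # fresh SEND_SMS app or premium destinations matches the T1643 pattern (escalate).
    if z >= z_threshold and (new_apps or dev.premium_sms):
        verdict = "escalate"
    else:
        verdict = "review" if reasons else "normal"
    return {"device": dev.device_id, "verdict": verdict, "reasons": reasons}

# Constructed sample telemetry: a quiet device and one bursting after a new SEND_SMS app.
TODAY = date(2026, 3, 10)
SAMPLE = [
    DeviceTelemetry("dev-A", [2, 3, 1, 2, 4, 2, 3], 3, 0,
        [{"name": "Messages", "permissions": [SEND_SMS], "installed": date(2025, 1, 5)}]),
    DeviceTelemetry("dev-B", [1, 0, 2, 1, 1, 0, 1], 40, 12,
        [{"name": "FlashlightPro", "permissions": [SEND_SMS], "installed": date(2026, 3, 8)}]),
]
for d in SAMPLE:
    print(assess(d, TODAY))
```

The per-device baseline is deliberately simple; in practice the threshold should be tuned per device group and business role as the list above suggests, and the lookback window aligned with the MDM install/update feed's granularity.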

Mitigation priorities

  • Inventory mobile use cases where outbound SMS or automated web traffic could create cost, fraud, or reputational risk.
  • Restrict or review high-risk mobile app permissions and app sources according to enterprise policy, especially SMS-related permissions on Android.
  • Use managed mobile controls where appropriate to enforce approved apps, device posture requirements, and visibility for enterprise data access.
  • Establish escalation paths between SOC, mobile administrators, fraud/billing teams, application owners, and incident response for suspicious outbound traffic cases.
  • Maintain audit-ready evidence showing what mobile telemetry is collected, what privacy constraints apply, and how anomalous traffic investigations are handled.

Analyst notes and limits

This take is based on the official detection strategy metadata and its relationship to T1643 Generate Traffic from Victim. The strategy object itself does not include platforms, tactics, description, or detection guidance; Android and iOS context comes from the related technique. Detection engineering should therefore be driven by local mobile architecture, privacy requirements, device ownership model, and available carrier/network/app telemetry.

No official detection text, tactic mapping, or platform list is supplied for DET0608. The related technique description is partially truncated in the provided source. This summary does not establish active exploitation, attribution, prevalence, or guaranteed detectability.

Official MITRE ATT&CK definition

Detection of Generate Traffic from Victim

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain   ID      Name                           Relationship / procedure
Mobile   T1643   Generate Traffic from Victim   This object detects Generate Traffic from Victim.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot list compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 3f9a6b2156954a83...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.0, status "Current bundle", raw hash 3f9a6b215695…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0608

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.