MITRE ATT&CK® Detection Strategy

DET0610: Detection of One-Way Communication

Mobile | DET0610 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0610 is a mobile ATT&CK detection strategy for identifying one-way command communication: a compromised Android or iOS system may retrieve commands from legitimate external web services without sending results back over the same channel. For leaders, the risk is that command activity can blend into normal web and social-service traffic, making incident scoping and control assurance harder if mobile egress telemetry is weak.

Executive priority

Prioritize this as a resilience and visibility question: can the organization prove how managed mobile devices access external web services, and can the SOC distinguish normal app traffic from command retrieval patterns? This matters for mobile incident response readiness, acceptable-use and compliance evidence, and decisions about whether web access controls, mobile security telemetry, and logging coverage are sufficient for high-risk users or operations.

Technical view

The supplied ATT&CK object carries no official detection text; its only relationship is to technique T1481.003, One-Way Communication, in the mobile domain, which lists Android and iOS as platforms. SOC and IR teams should validate whether they can observe mobile devices retrieving content from external web services in patterns consistent with command polling, especially where little or nothing is sent back on the same channel, or where any output may leave through a different channel. Detection work should focus on correlating mobile device inventory, network egress, DNS and web logs, and whatever mobile endpoint or app telemetry the environment already collects.

Likely telemetry

  • Mobile device inventory and ownership context for Android and iOS assets
  • Network egress logs for managed mobile devices
  • DNS resolution logs for mobile-originated traffic
  • Proxy, secure web gateway, firewall, or web access logs where mobile traffic is routed through them
  • Mobile endpoint security or device management telemetry, if deployed

Detection direction

  • Validate that mobile traffic to legitimate external web services is actually visible; many environments lose visibility when devices are off-network or using unmanaged applications.
  • Look for recurring content retrieval or polling patterns from mobile devices that do not have a clear business or application explanation.
  • Correlate suspected one-way command retrieval with any separate outbound channel, because the related technique notes that output may be returned through a different C2 channel or not returned at all.
  • Baseline common mobile app and web-service behavior to reduce false positives from normal push, sync, feed, and background refresh activity.
  • Tune detections with asset criticality, user role, device management state, and destination reputation/context rather than relying only on domain popularity.
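
As an added worked example (not part of the ATT&CK object or of Glexia's text), the Python below runs the detection direction above over a handful of constructed proxy/egress records: it groups requests by device and destination, keeps only series that are retrieval-only (GET/HEAD with small requests) and regularly spaced, suppresses destinations already baselined as known app or feed services, and then lists other destinations to which the same device pushes more than it pulls as candidate separate output channels. The log layout, hostnames, device names, baseline set and thresholds are all assumptions made for illustration; adapt them to the local export format and baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress/proxy records (not real traffic). The whitespace-separated
# layout is an assumption: timestamp device_id method host bytes_sent bytes_received
SAMPLE_LOG = """\
2024-05-01T09:00:00Z dev-android-17 GET pastebin.example.net 298 612
2024-05-01T09:05:01Z dev-android-17 GET pastebin.example.net 298 604
2024-05-01T09:09:59Z dev-android-17 GET pastebin.example.net 298 611
2024-05-01T09:15:00Z dev-android-17 GET pastebin.example.net 298 1405
2024-05-01T09:20:01Z dev-android-17 GET pastebin.example.net 298 607
2024-05-01T09:25:00Z dev-android-17 GET pastebin.example.net 298 609
2024-05-01T09:16:12Z dev-android-17 POST upload.example-cloud.net 48210 188
2024-05-01T09:40:33Z dev-android-17 POST upload.example-cloud.net 51772 190
2024-05-01T09:00:00Z dev-ios-04 GET feeds.example-news.app 410 22100
2024-05-01T09:15:00Z dev-ios-04 GET feeds.example-news.app 410 21800
2024-05-01T09:30:00Z dev-ios-04 GET feeds.example-news.app 410 22400
2024-05-01T09:45:00Z dev-ios-04 GET feeds.example-news.app 410 21950
2024-05-01T09:02:10Z dev-ios-04 POST api.example-mail.com 2300 900
2024-05-01T09:03:45Z dev-ios-04 GET api.example-mail.com 520 8800
2024-05-01T09:21:07Z dev-ios-04 GET api.example-mail.com 520 9100
2024-05-01T09:58:52Z dev-ios-04 POST api.example-mail.com 14800 910
"""

# Assumed baseline: legitimate app/feed services that poll on a timer anyway.
KNOWN_APP_SERVICES = frozenset({"feeds.example-news.app"})

RETRIEVAL_METHODS = {"GET", "HEAD"}  # the device only pulls content
UPLOAD_METHODS = {"POST", "PUT"}     # the device pushes data


@dataclass
class Request:
    ts: datetime
    device: str
    method: str
    host: str
    sent: int
    received: int


def parse_log(text: str) -> list[Request]:
    """Parse the assumed six-field layout into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, method, host, sent, received = line.split()
        records.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                               device, method.upper(), host, int(sent), int(received)))
    return records


def find_polling_groups(requests, min_events=4, max_cv=0.15, max_request_bytes=1024):
    """Return {(device, host): stats} for retrieval-only, regularly spaced request series.

    Thresholds are illustrative assumptions, not values taken from ATT&CK.
    """
    by_pair = defaultdict(list)
    for r in requests:
        by_pair[(r.device, r.host)].append(r)
    polling = {}
    for key, reqs in by_pair.items():
        if len(reqs) < min_events:
            continue
        if any(r.method not in RETRIEVAL_METHODS for r in reqs):
            continue  # data is sent on this channel, so it is not one-way retrieval
        if max(r.sent for r in reqs) > max_request_bytes:
            continue  # large requests look like uploads, not command fetches
        times = sorted(r.ts for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")  # ~0 means clockwork
        if cv <= max_cv:
            polling[key] = {
                "events": len(reqs),
                "mean_interval_s": avg_gap,
                "interval_cv": round(cv, 4),
                "bytes_sent": sum(r.sent for r in reqs),
                "bytes_received": sum(r.received for r in reqs),
            }
    return polling


def find_output_channels(requests, device, exclude_host):
    """Other hosts to which this device pushes more than it pulls (possible result channel)."""
    hosts = {r.host for r in requests
             if r.device == device and r.host != exclude_host
             and r.method in UPLOAD_METHODS and r.sent > r.received}
    return sorted(hosts)


def detect_one_way_polling(log_text, baseline_hosts=frozenset(), **thresholds):
    """Findings for retrieval-only polling not explained by the baseline, with correlation leads."""
    requests = parse_log(log_text)
    findings = []
    for (device, host), stats in sorted(find_polling_groups(requests, **thresholds).items()):
        if host in baseline_hosts:
            continue  # suppressed because it is a baselined app service, not because it is popular
        findings.append({"device": device, "host": host, **stats,
                         "candidate_output_channels": find_output_channels(requests, device, host)})
    return findings


if __name__ == "__main__":
    for finding in detect_one_way_polling(SAMPLE_LOG, baseline_hosts=KNOWN_APP_SERVICES):
        print(finding)
```

Run without the baseline argument and the news-feed host is flagged too, which is the false-positive class the baseline step exists to absorb: periodic background refresh is indistinguishable from command polling on timing alone. The candidate output channels are correlation leads for the analyst, not evidence that the upload host carries stolen results.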

Mitigation priorities

  • Confirm which Android and iOS devices are managed, monitored, and subject to web access policy before investing in advanced analytics.
  • Route managed mobile web traffic through logging and policy enforcement points where feasible and consistent with business requirements.
  • Define acceptable use of external web services from mobile devices, especially for privileged users, sensitive operations, or regulated environments.
  • Use mobile security, device management, or equivalent controls to limit unmanaged applications and risky network behavior where supported by the environment.
  • Maintain incident response playbooks that account for command retrieval from legitimate web services and possible separate channels for any returned output.

Analyst notes and limits

This take is based on the official detection-strategy object DET0610 and its relationship to mobile technique T1481.003, One-Way Communication. The detection strategy itself does not include an official description, platform list, tactics, or detection logic, so the practical guidance is derived conservatively from the related technique description and the Android/iOS platforms listed on that related technique.

ATT&CK provides no official detection procedure, data sources, analytics, mitigations, or tactic mapping for this detection-strategy object in the supplied fields. Local architecture determines feasibility: visibility differs significantly for managed versus unmanaged mobile devices, on-network versus off-network use, and whether mobile traffic is inspected or logged. This does not establish active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of One-Way Communication

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Type | Relationship / procedure
Mobile | T1481.003 | One-Way Communication | Sub-technique | This object detects One-Way Communication.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 78ca50d1a9a30e30...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 78ca50d1a9a3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0610

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.