MITRE ATT&CK® Detection Strategy

DET0615: Detection of Exfiltration Over C2 Channel

Domain: Mobile | ID: DET0615 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0615 is a mobile ATT&CK detection strategy for identifying data theft that is hidden inside an existing command-and-control channel. For leaders, the key issue is that exfiltration may not look like a separate file-transfer event; it may blend into the same mobile network communications already used by malware for control. This makes mobile visibility, network telemetry, and incident response scoping important for determining whether a compromised Android or iOS device only received commands or also leaked business data.

Executive priority

Prioritize this as a data-loss and incident-decisioning concern for mobile environments. Security leaders should ask whether the organization can distinguish routine mobile traffic, command-and-control activity, and possible data exfiltration over the same channel. The decision value is strongest for managed detection, mobile incident response, privacy/compliance evidence, and executive breach assessment, because confirming or ruling out exfiltration affects notification, legal, and business-continuity decisions.

Technical view

The supplied ATT&CK object has no official detection text and no platforms listed on the detection strategy itself. Its only relationship is a "detects" link to mobile technique T1646, Exfiltration Over C2 Channel, which applies to Android and iOS and describes stolen data being encoded into otherwise normal command-and-control communications. SOC and IR teams should therefore validate whether mobile network telemetry, proxy/DNS/VPN logs, endpoint or MDM/EMM signals, and incident artifacts can reveal unusual volume, frequency, destination, encoding, or session behavior on a channel already suspected of being C2. Detection engineering should focus on differentiating benign mobile app traffic from established malicious or suspicious channels, without assuming that a separate exfiltration protocol will be visible.

Likely telemetry

  • Mobile network connection metadata from Android and iOS environments where available
  • Proxy, secure web gateway, VPN, firewall, and DNS logs associated with mobile devices
  • MDM/EMM or mobile threat defense alerts and device posture records
  • Application inventory, installation, and permission-related mobile management data
  • Incident response packet captures or flow records when available

Detection direction

  • Validate that mobile traffic can be tied back to a user, device, application, and time window; without this, exfiltration assessment may be inconclusive.
  • Look for changes in volume, cadence, destination, or encoding patterns within already suspicious C2-like communications rather than relying only on obvious file-transfer indicators.
  • Tune for false positives from legitimate mobile apps that maintain persistent encrypted connections, synchronize data, or use background messaging.
  • Correlate network indicators with mobile management, application, and device state telemetry to separate expected enterprise app behavior from suspicious channels.
  • Use the relationship to T1646 as scope guidance: the relevant environment is mobile, specifically Android and iOS, but the detection strategy itself does not provide detailed analytics or platform-specific logic.
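The detection direction above can be turned into a triage routine over flow metadata. The following is an added example written for this page (it is not Glexia's or MITRE's code and DET0615 supplies no analytics of its own). It assumes that per-flow records from a proxy, VPN gateway or flow export have already been joined to MDM/EMM device and identity records, that a set of destinations has already been marked suspicious by earlier C2 analysis, and that the organization keeps a managed-app inventory. All device IDs, users, app IDs, destinations and byte counts below are constructed sample values; the `Flow`, `channel_stats`, `assess_c2_channels` and `run_sample` names are this example's own.

```python
"""Heuristic triage of suspected mobile C2 channels for signs of exfiltration.

Per-channel comparison of a baseline window against a recent window, looking for
the shifts named in the detection direction: outbound volume, upload-heavy
direction, and cadence. Unattributed flows are reported as inconclusive rather
than silently dropped. Example code, not part of the original page.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: int                   # epoch seconds
    device_id: Optional[str]  # None when the flow could not be tied to a device
    user: Optional[str]       # None when no identity mapping exists
    app: str                  # package/bundle id from MDM or per-app VPN; "unknown" if missing
    dst: str                  # "host:port" or "ip:port"
    bytes_out: int
    bytes_in: int


def channel_stats(flows):
    """Volume, direction and cadence summary for one (device, user, app, dst) channel."""
    out = sum(f.bytes_out for f in flows)
    inb = sum(f.bytes_in for f in flows)
    ts = sorted(f.ts for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "bytes_out": out,
        "bytes_in": inb,
        "out_ratio": out / (out + inb) if out + inb else 0.0,
        "mean_gap": mean(gaps) if gaps else None,
    }


def assess_c2_channels(flows, suspicious_dsts, split_ts, managed_apps=frozenset(),
                       volume_factor=10.0, out_ratio_threshold=0.8):
    """Return findings for channels to already-suspicious destinations.

    Flows before split_ts form the baseline, flows at or after it the recent window.
    Totals are compared directly, so a spike must exceed volume_factor times the
    (usually longer) baseline window, which keeps the check conservative.
    """
    findings = []
    channels = defaultdict(list)
    for f in flows:
        if f.dst in suspicious_dsts:  # scope: only channels already judged C2-like
            channels[(f.device_id, f.user, f.app, f.dst)].append(f)

    for (device, user, app, dst), chan in channels.items():
        base = {"device_id": device, "user": user, "app": app, "dst": dst}
        if device is None or user is None:
            # Without device/user attribution an exfiltration assessment is inconclusive.
            findings.append({**base, "severity": "inconclusive", "reasons": ["attribution_gap"]})
            continue
        baseline = [f for f in chan if f.ts < split_ts]
        recent = [f for f in chan if f.ts >= split_ts]
        if not baseline or not recent:
            continue  # nothing to compare against
        b, r = channel_stats(baseline), channel_stats(recent)
        reasons = []
        if r["bytes_out"] > volume_factor * max(b["bytes_out"], 1):
            reasons.append("outbound_volume_spike")
        if r["out_ratio"] >= out_ratio_threshold > b["out_ratio"]:
            reasons.append("upload_heavy_shift")
        if r["mean_gap"] is not None and b["mean_gap"] and r["mean_gap"] < b["mean_gap"] / 5:
            reasons.append("cadence_acceleration")
        if not reasons:
            continue
        severity = "high" if len(reasons) >= 2 else "medium"
        if app in managed_apps:
            # MDM correlation: a managed enterprise app is a likely false positive; keep
            # the reasons for the analyst but lower the priority.
            severity = "low"
        findings.append({**base, "severity": severity, "reasons": reasons,
                         "recent_bytes_out": r["bytes_out"], "baseline_bytes_out": b["bytes_out"]})
    return findings


# Constructed sample data (documentation IP ranges, fictitious devices, users and apps).
C2_DST = "203.0.113.45:443"
FEED_DST = "198.51.100.9:443"


def _beacons(device, user, app, dst, start, step, n, out, inb):
    return [Flow(start + i * step, device, user, app, dst, out, inb) for i in range(n)]


SAMPLE_FLOWS = (
    _beacons("and-0017", "j.doe", "com.example.weatherwidget", C2_DST, 0, 600, 6, 400, 200)
    + _beacons("and-0017", "j.doe", "com.example.weatherwidget", C2_DST, 3600, 30, 4, 250_000, 300)
    + _beacons("and-0023", "s.kim", "com.example.enterprisechat", FEED_DST, 0, 600, 6, 1000, 1000)
    + _beacons("and-0023", "s.kim", "com.example.enterprisechat", FEED_DST, 3600, 600, 2, 40_000, 20_000)
    + [Flow(3700, None, None, "unknown", C2_DST, 5000, 100)]
    + _beacons("ios-0042", "a.lee", "com.example.backup", "backup.example.internal:443", 3600, 60, 5, 10_000_000, 500)
)


def run_sample():
    return assess_c2_channels(SAMPLE_FLOWS, {C2_DST, FEED_DST}, split_ts=3600,
                              managed_apps={"com.example.enterprisechat"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the sample produces three findings: the weather widget on `and-0017` is rated high because volume, direction and cadence all shift at once on a suspicious destination; the managed chat app on `and-0023` shows only a volume spike and is downgraded to low after correlation with the app inventory; the unattributed flow to the C2 destination is reported as inconclusive. The backup app's large upload produces nothing because its destination was never part of the suspicious-channel scope, which is the point of the first and last bullets above: the channel must already be tied to a device, user and app, and the analysis applies to C2-like communications rather than to every large transfer.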

Mitigation priorities

  • Establish mobile visibility first: inventory managed mobile devices, users, applications, and network paths used by Android and iOS devices.
  • Ensure mobile traffic logs needed for investigations are retained and can be correlated with identity and device ownership.
  • Limit unmanaged or untrusted mobile access to sensitive enterprise data where feasible, because exfiltration assessment is weaker without device and traffic context.
  • Use mobile security controls, application governance, and least-privilege access to reduce the amount of sensitive data available to a compromised device.
  • Prepare IR playbooks for suspected mobile C2 that include data-loss assessment, evidence preservation, user/device containment, and compliance escalation criteria.

Analyst notes and limits

This Glexia take is based on a sparse ATT&CK detection-strategy object. The object name and relationship to T1646 provide the main analytic context: detection of mobile exfiltration over an existing C2 channel. Because no official detection description, tactic list, or platform list is present on DET0615 itself, recommendations are framed as validation questions and telemetry requirements rather than confirmed detection logic.

No official description or detection guidance was supplied for DET0615, and the detection strategy lists no platforms or tactics. Android and iOS are included only because the related technique T1646 lists those platforms. Local architecture, mobile management coverage, encryption visibility, log retention, and legal/privacy constraints will determine practical detection and response capability.

Official MITRE ATT&CK definition

Detection of Exfiltration Over C2 Channel

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                         | Relationship / procedure
Mobile | T1646 | Exfiltration Over C2 Channel | This object detects Exfiltration Over C2 Channel.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: not supplied in the mirrored object
Modified: not supplied in the mirrored object
Raw hash: db0ee0251dcd937c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | db0ee0251dcd…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0615 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.