DET0620: Detection of Web Protocols
Analyst context for executives and security teams
DET0620 is a mobile ATT&CK detection strategy for identifying use of web protocols associated with the related Web Protocols technique (T1437.001). The business issue is that HTTP/HTTPS-style traffic is expected in mobile environments, so malicious command-and-control or remote tasking can be difficult to distinguish from normal app, browser, or notification-service activity without strong network and mobile context.
Executive priority
Treat this as a visibility and decision-readiness problem, not just a network alerting problem. Leaders should ask whether mobile traffic from Android and iOS devices can be reviewed with enough context to support incident response, policy enforcement, and audit evidence. Priority should go to confirming telemetry coverage, ownership of mobile network logs, and escalation paths for suspicious web-protocol communications that blend into normal business traffic.
Technical view
The supplied ATT&CK object has no official detection text, tactics, or platforms of its own, but it detects the mobile technique T1437.001, whose related platforms are Android and iOS. SOC and detection teams should validate whether they can baseline and investigate mobile-originated HTTP/HTTPS or related web-protocol communications, especially where commands or results may be embedded in client-server traffic. Detection should rely on correlation and context rather than protocol presence alone, because web traffic and mobile notification services are common and high-volume.
Likely telemetry
- Mobile network connection metadata for HTTP/HTTPS and related web-protocol traffic
- DNS query and resolution logs associated with mobile devices or mobile network segments
- Proxy, secure web gateway, firewall, or network security logs covering mobile traffic paths
- TLS/certificate metadata where collected and permitted
- MDM/EMM device and application inventory context for Android and iOS devices
Detection direction
- Confirm whether mobile device web-protocol traffic is actually visible across managed, unmanaged, on-premises, remote, and cellular paths.
- Tune detections around unusual destinations, timing, volume, user/device context, or application context rather than simple HTTP/HTTPS usage.
- Correlate network indicators with mobile device inventory and known application behavior to reduce false positives from normal apps and notification services.
- Identify blind spots where encrypted traffic, direct-to-internet mobile connectivity, personal devices, or limited mobile logging prevents investigation.
- Document what evidence would be available to incident responders if suspicious web-protocol communications were observed.
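As an added illustration of the correlation these points describe (not code from the ATT&CK object or from this page's source), the Python below runs a small triage over constructed proxy records and a constructed MDM/EMM inventory snapshot. A destination is treated as explained when an approved app on that device or a platform notification service accounts for it; an unexplained destination contacted at regular, low-jitter intervals is raised as high priority; a device missing from inventory is reported as a visibility gap rather than an alert. The log layout, host names, thresholds and the beacon heuristic are assumptions made for this example.

```python
"""Added example: context-based triage of mobile web-protocol traffic.

All data below is constructed for illustration. Field names, hostnames,
thresholds and the beacon heuristic are assumptions, not ATT&CK content.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed MDM/EMM inventory: device id -> platform, owner, approved apps.
MDM_INVENTORY = {
    "dev-a1": {"platform": "Android", "user": "alice", "apps": ["mail", "chat"]},
    "dev-i2": {"platform": "iOS", "user": "bob", "apps": ["mail"]},
}

# Constructed baseline: destinations explained by approved apps or by the
# platform push/notification services every managed device is expected to use.
KNOWN_DESTINATIONS = {
    "mail.example-corp.test": "mail",
    "chat.example-corp.test": "chat",
    "push.android.example.test": "android-push",
    "push.ios.example.test": "ios-push",
}

# Constructed proxy records: timestamp, device id, destination host, method, bytes sent.
SAMPLE_LOG = """\
2026-03-01T09:00:00Z dev-a1 mail.example-corp.test GET 512
2026-03-01T09:00:05Z dev-a1 push.android.example.test GET 128
2026-03-01T09:00:12Z dev-a1 cdn-update.example.test POST 2048
2026-03-01T09:01:12Z dev-a1 cdn-update.example.test POST 2048
2026-03-01T09:02:12Z dev-a1 cdn-update.example.test POST 2048
2026-03-01T09:03:12Z dev-a1 cdn-update.example.test POST 2048
2026-03-01T09:04:12Z dev-a1 cdn-update.example.test POST 2048
2026-03-01T09:00:30Z dev-i2 mail.example-corp.test GET 640
2026-03-01T09:07:45Z dev-i2 push.ios.example.test GET 96
2026-03-01T09:30:00Z dev-i2 news.example.test GET 4096
2026-03-01T09:05:00Z dev-x9 chat.example-corp.test GET 256
"""


def parse_log(text):
    """Parse the constructed space-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, method, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "host": host, "method": method, "bytes": int(nbytes),
        })
    return records


def explained_by_inventory(device, host):
    """True when MDM context accounts for this device contacting this host."""
    owner = KNOWN_DESTINATIONS.get(host)
    if owner is None:
        return False
    if owner.endswith("-push"):
        return True  # platform notification service: expected on any managed device
    return owner in MDM_INVENTORY.get(device, {}).get("apps", [])


def beacon_like(timestamps, min_events=4, max_jitter=0.2):
    """Regular gaps with low relative jitter suggest polling or tasking."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_jitter


def triage(records):
    """Group by (device, host); emit findings only where context cannot explain traffic."""
    findings = []
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["device"], r["host"])].append(r)
    for (device, host), events in sorted(by_pair.items()):
        if device not in MDM_INVENTORY:
            # No device/user/app context: a visibility gap, not an alert.
            findings.append({"device": device, "host": host, "events": len(events),
                             "severity": "gap", "reason": "device not in MDM inventory"})
            continue
        if explained_by_inventory(device, host):
            continue
        regular = beacon_like([e["ts"] for e in events])
        findings.append({
            "device": device, "host": host, "events": len(events),
            "severity": "high" if regular else "low",
            "reason": ("beacon-like timing to unexplained destination" if regular
                       else "unexplained destination"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed data this yields one high finding (dev-a1 posting to cdn-update.example.test every 60 seconds), one low finding (a single unexplained request from dev-i2) and one gap (dev-x9 is not in inventory). The point is the ordering of checks: inventory context first, then destination baseline, then timing, so that normal app and push traffic never reaches the alerting stage.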
Mitigation priorities
- Establish mobile traffic visibility requirements before relying on this detection strategy.
- Use mobile device management and application inventory controls to provide device, user, and app context for investigations.
- Apply network egress controls and monitoring appropriate to managed mobile devices and approved traffic paths.
- Maintain incident response procedures for triaging suspicious mobile web-protocol communications, including evidence preservation and device ownership validation.
- Use the gap assessment as compliance evidence for mobile monitoring, acceptable use, and incident response readiness where applicable.
Analyst notes and limits
This take is based on the detection strategy object DET0620 and its relationship to T1437.001 Web Protocols in the mobile ATT&CK domain. Because MITRE supplied no official description, detection logic, tactic, or platform fields for DET0620 itself, the practical guidance is framed around validating visibility and investigation readiness for the related Android and iOS technique.
Local architecture, mobile management model, encryption handling, privacy requirements, and available network telemetry determine real detection coverage; none of that can be inferred from the ATT&CK object alone.
Detection of Web Protocols
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1437.001 | Web Protocols (sub-technique) | This object detects Web Protocols. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where multiple ATT&CK source imports are retained, the same object can be compared across releases by raw object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6c5bea40f9f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MITRE ATT&CK, DET0620 (mitre-attack source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.