MITRE ATT&CK® Detection Strategy

DET0624: Detection of Remote Access Software

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0624 is a mobile ATT&CK detection strategy for identifying remote access software associated with technique T1663. The business issue is not that all remote access tools are malicious; it is that legitimate tools such as VNC, TeamViewer, AirDroid, or AirMirror can provide interactive access to mobile devices and may be used after compromise as an alternate command-and-control channel. For security leaders, this makes mobile application visibility, approved-tool governance, and incident triage evidence important controls rather than optional endpoint hygiene.

Executive priority

Prioritize this where mobile devices have access to sensitive data, privileged workflows, executive communications, regulated information, or operational systems. Leaders should ask whether the organization can distinguish approved remote support from unexpected remote-control capability on Android and iOS devices, and whether mobile evidence is available during an incident. The decision value is in reducing blind spots around legitimate software abuse, supporting audit evidence for mobile control enforcement, and improving IR readiness when remote interactive access is suspected.

Technical view

SOC and IR teams should validate visibility for installed mobile applications, remote access app presence, device management state, and network activity associated with remote-control sessions. Because the ATT&CK object provides no official detection logic or platform field, coverage should be derived from the relationship to T1663, which applies to Android and iOS. Detection engineering should focus on policy exceptions and context: approved remote support tools, user/device ownership, enrollment status, timing of installation, unusual persistence of remote access apps, and connections inconsistent with normal support workflows.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory
  • Installed application lists and application reputation/classification data
  • Mobile security telemetry from Android and iOS devices where available
  • App installation, removal, update, and permission-change events
  • Network connection metadata from mobile devices or secure access gateways

Detection direction

  • Create an allowlist of sanctioned mobile remote access tools and alert on unapproved tools or unexpected variants.
  • Correlate remote access app installation with support tickets, user role, device ownership, and recent security events to reduce false positives.
  • Treat legitimate remote access software as dual-use; detections should emphasize unauthorized use, anomalous timing, unmanaged devices, or high-risk users rather than tool name alone.
  • Validate whether Android and iOS telemetry is actually available; many organizations have weaker visibility on personal, unmanaged, or partially managed mobile devices.
  • Use the relationship to T1663 as context for incident triage: remote access software may represent an alternate or redundant interactive access channel after compromise.
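One way to turn the allowlist-and-context direction above into a check over an MDM inventory export, written here as an added example rather than Glexia or MITRE code; the package names, device ids, roles, ticket records and the 24-hour support-ticket window are constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed MDM inventory rows (hypothetical package names and device ids).
INVENTORY = [
    {"device": "d-001", "role": "executive", "managed": True,
     "pkg": "com.example.remotesupport", "category": "remote_access",
     "installed": "2025-03-01T09:05:00"},
    {"device": "d-002", "role": "staff", "managed": False,
     "pkg": "com.example.mirror", "category": "remote_access",
     "installed": "2025-03-01T23:40:00"},
    {"device": "d-003", "role": "staff", "managed": True,
     "pkg": "com.example.mail", "category": "productivity",
     "installed": "2025-02-20T10:00:00"},
    {"device": "d-004", "role": "staff", "managed": True,
     "pkg": "com.example.remotesupport", "category": "remote_access",
     "installed": "2025-03-02T10:00:00"},
]
ALLOWLIST = {"com.example.remotesupport"}  # sanctioned tools (hypothetical)
TICKETS = [{"device": "d-001", "opened": "2025-03-01T08:30:00"}]  # constructed
HIGH_RISK_ROLES = {"executive", "admin"}

def _has_ticket(device, installed_at, tickets, window=timedelta(hours=24)):
    """True if a support ticket for this device opened within `window` before install."""
    for t in tickets:
        opened = datetime.fromisoformat(t["opened"])
        if t["device"] == device and opened <= installed_at <= opened + window:
            return True
    return False

def evaluate_inventory(rows=INVENTORY, allowlist=ALLOWLIST, tickets=TICKETS):
    """Return one finding per remote access app that lacks approval context."""
    findings = []
    for r in rows:
        if r["category"] != "remote_access":
            continue  # only dual-use remote access software is in scope
        installed_at = datetime.fromisoformat(r["installed"])
        reasons = []
        if r["pkg"] not in allowlist:
            reasons.append("unapproved remote access tool")
        elif not _has_ticket(r["device"], installed_at, tickets):
            reasons.append("approved tool with no matching support ticket")
        if not reasons:
            continue  # approved tool installed inside a ticketed support window
        if not r["managed"]:
            reasons.append("unmanaged device")
        if r["role"] in HIGH_RISK_ROLES:
            reasons.append("high-risk user role")
        # Tool name alone is not the verdict: context decides the severity.
        severity = "high" if len(reasons) > 1 or r["pkg"] not in allowlist else "medium"
        findings.append({"device": r["device"], "pkg": r["pkg"],
                         "severity": severity, "reasons": reasons})
    return findings
```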

Mitigation priorities

  • Define and enforce a mobile remote access software policy, including approved tools, approved use cases, and authorization requirements.
  • Use mobile device management controls to inventory applications and restrict or flag unapproved remote access applications where feasible.
  • Require documented support workflows so SOC teams can separate approved remote assistance from suspicious remote access.
  • Strengthen mobile incident response procedures to include app inventory review, network activity review, and device compliance status.
  • Review exceptions regularly for executives, privileged users, and devices accessing sensitive business systems.

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms. The practical guidance above is therefore anchored to the stated relationship: DET0624 detects mobile technique T1663, Remote Access Software, which lists Android and iOS and describes adversary use of legitimate remote access applications for interactive command and control or redundant access.

This take does not assert active exploitation, specific adversary use, guaranteed detection, or complete coverage. Local mobile management architecture, BYOD policy, logging depth, approved support tooling, and privacy constraints will determine what can actually be detected and investigated.

Official MITRE ATT&CK definition

Detection of Remote Access Software

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                   | Relationship / procedure
Mobile | T1663 | Remote Access Software | This object detects Remote Access Software.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 403d8a74aed85083...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 403d8a74aed8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0624 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.