MITRE ATT&CK® Detection Strategy

DET0634: Detection of System Network Configuration Discovery

Domain: Mobile | ID: DET0634 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0634 is a mobile ATT&CK detection strategy for identifying System Network Configuration Discovery (T1422), where an adversary may seek network details such as IP or MAC addresses from an Android or iOS device to guide follow-on activity. The business significance is not the discovery action alone, but what it can enable: better adversary situational awareness, targeting decisions, and movement toward higher-value systems or network paths.

Executive priority

Security leaders should treat this as a mobile visibility and readiness question: can the organization prove when managed mobile devices, apps, or processes access network configuration details in suspicious contexts? This matters for incident scoping, mobile threat hunting, audit evidence around device monitoring, and prioritizing controls for mobile endpoints that connect to sensitive corporate networks. Because the ATT&CK object does not provide a detection method, priority should be on validating telemetry and response procedures rather than assuming coverage exists.

Technical view

SOC and IR teams should map DET0634 to T1422 in the mobile domain and validate whether Android and iOS telemetry can show access to network configuration attributes such as IP or MAC address information, especially when performed by unusual apps, newly installed apps, or processes observed during broader discovery activity. Since no official detection logic is supplied, detection engineering should rely on local mobile device management, endpoint, application, and network evidence, tuned to distinguish expected OS/app behavior from suspicious discovery patterns.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance records
  • Mobile endpoint or mobile threat defense events, where available
  • Application permission, install, and runtime activity records
  • Device network state or interface metadata exposed through managed telemetry
  • Network access logs associated with mobile device connections

Detection direction

  • Confirm whether mobile telemetry captures access to or exposure of network configuration details; many environments may only collect inventory-level data, not behavioral access events.
  • Correlate network configuration discovery with surrounding mobile activity, such as new app installation, unusual permission use, other discovery behaviors, or suspicious network connections.
  • Tune carefully for false positives because legitimate system services, VPN clients, management agents, and enterprise applications may routinely read network configuration.
  • Use the relationship to T1422 as the analytic anchor; do not treat DET0634 as a complete rule because the official detection field is not provided.
  • Validate coverage separately for Android and iOS because available telemetry and control points differ by platform and management model.
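The correlation logic sketched in the detection direction above, as an added example that is not part of the ATT&CK object or Glexia's page: network configuration reads by non-allowlisted apps are only alerted when surrounding context (a recent install, a permission change, other discovery or a suspicious connection on the same device) exists inside a window. The event schema, allowlist, window and sample telemetry are all constructed assumptions.

```python
# Added example for the DET0634 / T1422 detection direction (not page code).
# Assumed schema: flat event dicts with "ts" (ISO 8601), "device", "app", "event".
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)                         # assumed correlation window
ALLOWLIST = {"com.corp.vpn", "com.corp.mdmagent"}    # known legitimate readers (constructed)
CONTEXT = {"permission_granted", "other_discovery", "suspicious_connection"}

# Constructed sample MDM/MTD-style telemetry, not real device data.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:00:00", "device": "d1", "app": "com.corp.vpn", "event": "netconfig_read"},
    {"ts": "2026-01-10T09:00:00", "device": "d1", "app": "com.example.flashlight", "event": "app_install"},
    {"ts": "2026-01-10T09:05:00", "device": "d1", "app": "com.example.flashlight", "event": "netconfig_read"},
    {"ts": "2026-01-10T09:06:00", "device": "d1", "app": "com.example.flashlight", "event": "permission_granted"},
    {"ts": "2026-01-12T09:05:00", "device": "d2", "app": "com.example.notes", "event": "netconfig_read"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_suspicious_discovery(events, window=WINDOW, allowlist=ALLOWLIST):
    """Return alerts for netconfig_read events by non-allowlisted apps that have
    context on the same device within the window. A lone read with no context
    is not alerted, which keeps routine OS/app reads out of the triage queue."""
    installs = {(e["device"], e["app"]): _ts(e) for e in events if e["event"] == "app_install"}
    alerts = []
    for read in sorted(events, key=_ts):
        if read["event"] != "netconfig_read" or read["app"] in allowlist:
            continue
        reasons = []
        installed = installs.get((read["device"], read["app"]))
        # Reason 1: the reading app was installed shortly before the read.
        if installed is not None and timedelta(0) <= _ts(read) - installed <= window:
            reasons.append("recent_install")
        # Reason 2: other discovery / permission / connection context on the same device.
        for ctx in events:
            if (ctx["device"] == read["device"] and ctx["event"] in CONTEXT
                    and abs(_ts(ctx) - _ts(read)) <= window):
                reasons.append("context:" + ctx["event"])
        if reasons:
            alerts.append({"device": read["device"], "app": read["app"],
                           "ts": read["ts"], "reasons": sorted(set(reasons))})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_discovery(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only the flashlight app's read is alerted: the VPN client is allowlisted and the notes app's read has no surrounding context.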

Mitigation priorities

  • Ensure mobile devices that access corporate resources are enrolled in managed mobility controls where practical.
  • Limit corporate access from unmanaged or noncompliant mobile devices, especially for sensitive networks and applications.
  • Review mobile app permission governance and approved application baselines to reduce unnecessary access to device and network metadata.
  • Maintain incident response procedures for collecting mobile device evidence without relying solely on network perimeter logs.
  • Use this behavior to test whether mobile monitoring, SOC triage, and compliance evidence can support investigation of discovery activity.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description or detection text. The main usable context is its relationship to T1422, System Network Configuration Discovery, in the mobile ATT&CK domain, with related platforms Android and iOS. Recommendations are therefore framed as validation and coverage questions rather than as a specific detection rule.

No official detection logic, tactics, object-level platforms, aliases, or labels were supplied. The related technique description is partially truncated in the provided source, so conclusions are limited to the stated relationship and visible technique summary. Local telemetry, mobile management architecture, and app baseline data are required to determine practical coverage.

Official MITRE ATT&CK definition

Detection of System Network Configuration Discovery

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                                   | Relationship / procedure
Mobile | T1422 | System Network Configuration Discovery | This object detects System Network Configuration Discovery.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored object)
Modified: (not supplied in the mirrored object)
Raw hash: 5d68b7b677dbc335...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (not supplied)  | 1.0            | (not supplied) | Current bundle | 5d68b7b677db…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0634 (source URL link)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.