DET0663: Detection of Exploitation of Remote Services
Analyst context for executives and security teams
DET0663 is a mobile ATT&CK detection strategy for identifying possible exploitation of remote services associated with T1428. Its business significance is that a mobile device with internal network or VPN access can become a bridge into enterprise resources if attackers abuse reachable services or vulnerabilities. For leaders, the key question is not whether this specific strategy guarantees coverage, but whether the organization can see mobile-to-enterprise access paths well enough to investigate suspicious remote service use quickly.
Executive priority
Prioritize this as an operational resilience and access-risk issue: mobile connectivity to internal services can affect identity, VPN, vulnerability management, SOC triage, and incident response decisions. Executives should ask which internal services are reachable from Android and iOS devices, how VPN/mobile access is logged, whether exploitable remote services are prioritized for remediation, and whether audit evidence can show monitoring of mobile-originated access to sensitive systems.
Technical view
Because the detection strategy has no official detection text and no platform field of its own, SOC and detection teams should anchor validation to the related mobile technique T1428, which applies to Android and iOS and describes exploitation of remote services through local enterprise connectivity or VPN access. Validate visibility across mobile device network access, VPN sessions, authentication events, service-side logs, vulnerability exposure, and incident response artifacts. Focus on whether teams can correlate a mobile device or user session with unusual access to internal servers, workstations, or services that should not normally be reached from mobile contexts.
Likely telemetry
- VPN connection and session logs tied to user, device, source address, time, and internal destinations
- Mobile device management or enterprise mobility inventory showing Android and iOS device identity and network posture
- Authentication and authorization logs for internal services accessed from mobile-associated networks or VPN pools
- Server, workstation, and remote service logs for inbound connections, failures, exploitation indicators, or anomalous requests
- Network flow, proxy, firewall, or zero trust access logs showing mobile-to-internal service paths
Detection direction
- Map which remote services are reachable from mobile devices through local connectivity and VPN; detection cannot be validated without this access-path inventory.
- Correlate mobile/VPN session context with internal service access rather than reviewing service logs in isolation.
- Tune for abnormal service access from mobile-associated networks, such as unusual destinations, new services for a user/device, repeated failures, or access to vulnerable services.
- Use vulnerability and asset context to prioritize alerts involving remote services known to be exposed to mobile/VPN access paths.
- Account for false positives from legitimate administrative tools, mobile productivity workflows, VPN roaming, and managed device posture changes.
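The correlation the Technical view and Detection direction items describe, as an added example that is not part of the page or of MITRE's object: VPN session records (user, managed device, VPN pool address, session window) are joined to service-side access records on source address and time, and attributable events are checked against a per-user baseline, a vulnerability list, and a repeated-failure window. All records, hostnames, thresholds, and the baseline are constructed sample data; the one point the sample is built to show is that joining on pool address alone is wrong, because pool addresses are reused, so an event outside the session window (the 09:45 record from 10.200.0.15 after alice's session ended) is not attributed to her.

```python
"""Correlate mobile VPN session context with internal service access.

Added example with constructed sample data; none of it is taken from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN session records (VPN concentrator joined to MDM inventory on device identity).
VPN_SESSIONS = [
    {"user": "alice", "device": "android-7f3a", "platform": "android",
     "vpn_ip": "10.200.0.15", "start": "2026-03-01T08:00:00", "end": "2026-03-01T09:30:00"},
    {"user": "bob", "device": "ios-2c9e", "platform": "ios",
     "vpn_ip": "10.200.0.22", "start": "2026-03-01T08:10:00", "end": "2026-03-01T10:00:00"},
]

# Constructed service-side records: source address, destination, port, success flag.
SERVICE_EVENTS = [
    {"ts": "2026-03-01T08:05:00", "src": "10.200.0.15", "dst": "mail.corp.example", "port": 443, "ok": True},
    {"ts": "2026-03-01T08:12:00", "src": "10.200.0.22", "dst": "fileserver01.corp.example", "port": 445, "ok": False},
    {"ts": "2026-03-01T08:13:00", "src": "10.200.0.22", "dst": "fileserver01.corp.example", "port": 445, "ok": False},
    {"ts": "2026-03-01T08:14:00", "src": "10.200.0.22", "dst": "fileserver01.corp.example", "port": 445, "ok": False},
    {"ts": "2026-03-01T08:25:00", "src": "10.200.0.22", "dst": "build-jenkins.corp.example", "port": 8080, "ok": True},
    {"ts": "2026-03-01T08:30:00", "src": "10.50.1.9", "dst": "fileserver01.corp.example", "port": 445, "ok": True},
    {"ts": "2026-03-01T09:45:00", "src": "10.200.0.15", "dst": "fileserver01.corp.example", "port": 445, "ok": True},
]

# Constructed per-user baseline of services normally reached from mobile/VPN contexts.
BASELINE = {"alice": {"mail.corp.example:443"}, "bob": {"mail.corp.example:443"}}

# Constructed vulnerability context: remote services the VM program has flagged as exploitable.
VULNERABLE_SERVICES = {"build-jenkins.corp.example:8080"}

FAILURE_THRESHOLD = 3               # assumed tuning values
FAILURE_WINDOW = timedelta(minutes=10)


def _ts(value):
    return datetime.fromisoformat(value)


def attribute_session(event, sessions):
    """Return the VPN session whose pool address and lifetime cover the event, else None.

    Address alone is not enough: pool addresses are reused, so the event time must
    fall inside the session window to attribute it to a user and device.
    """
    t = _ts(event["ts"])
    for s in sessions:
        if s["vpn_ip"] == event["src"] and _ts(s["start"]) <= t <= _ts(s["end"]):
            return s
    return None


def correlate(events, sessions, baseline, vulnerable):
    """Enrich service events with mobile/VPN context and emit findings in time order."""
    findings = []
    seen_services = set()          # (user, service) already reported as new for that user
    failures = defaultdict(list)   # (user, device, service) -> failure times inside the window
    alerted_failures = set()
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        session = attribute_session(ev, sessions)
        if session is None:
            continue  # not attributable to a mobile/VPN session; outside this strategy's scope
        service = f"{ev['dst']}:{ev['port']}"
        ctx = {"ts": ev["ts"], "user": session["user"], "device": session["device"],
               "platform": session["platform"], "service": service}
        key = (session["user"], service)
        if service not in baseline.get(session["user"], set()) and key not in seen_services:
            seen_services.add(key)
            findings.append({**ctx, "reason": "new_service_for_user"})
        if service in vulnerable:
            findings.append({**ctx, "reason": "vulnerable_service", "priority": "high"})
        if not ev["ok"]:
            fkey = (session["user"], session["device"], service)
            now = _ts(ev["ts"])
            failures[fkey] = [t for t in failures[fkey] if now - t <= FAILURE_WINDOW] + [now]
            if len(failures[fkey]) >= FAILURE_THRESHOLD and fkey not in alerted_failures:
                alerted_failures.add(fkey)
                findings.append({**ctx, "reason": "repeated_failures", "count": len(failures[fkey])})
    return findings


def run_example():
    return correlate(SERVICE_EVENTS, VPN_SESSIONS, BASELINE, VULNERABLE_SERVICES)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the sample data this yields four findings, all attributed to bob's iOS device: a new service (SMB on fileserver01), three failures to it inside the window, and a new and vulnerable service (build-jenkins:8080). The 10.50.1.9 event has no VPN session and is dropped; the 09:45 event from alice's old pool address falls after her session ended and is also dropped rather than misattributed. In production the baseline and failure thresholds would be learned per user and device from historical data rather than hard-coded.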
Mitigation priorities
- Reduce unnecessary mobile and VPN reachability to internal remote services using least-privilege access paths and segmentation.
- Prioritize remediation of vulnerabilities in remote services that are reachable from mobile devices or VPN-connected users.
- Require strong identity, device posture, and authorization controls before granting mobile access to internal resources.
- Ensure logging is enabled and retained for VPN, mobile management, authentication, network flow, and target service activity.
- Document investigation playbooks for suspected mobile-originated access to internal services, including how to identify the user, device, session, target asset, and vulnerability context.
Analyst notes and limits
The available ATT&CK object is a detection strategy with no official description or detection content. The practical interpretation comes from its relationship to T1428, Exploitation of Remote Services, in the mobile domain. Local architecture matters: detection value depends on whether Android and iOS devices can reach internal resources through VPN or local enterprise connectivity and whether logs can connect device, identity, network session, and target service activity.
Platforms and tactics are not specified on DET0663 itself, and no official detection logic is provided. Android and iOS are supported only through the related T1428 technique. This take does not assert active exploitation, actor attribution, customer exposure, or guaranteed detection coverage.
Detection of Exploitation of Remote Services
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1428 | Exploitation of Remote Services | This object detects Exploitation of Remote Services. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e52adfde1ba5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0663 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.