DET0672: Detection of Web Service
DET0672 is a mobile ATT&CK detection strategy placeholder for detecting use of legitimate external web services as command-and-control relay infrastructure...
Analyst context for executives and security teams
DET0672 is a mobile ATT&CK detection strategy placeholder for detecting use of legitimate external web services as command-and-control relay infrastructure. The business issue is that this behavior can blend into normal mobile app and user traffic, making simple allow/deny decisions around popular web services difficult. For leaders, the value is in validating whether mobile, network, and cloud-facing monitoring can distinguish expected use of common services from suspicious relay behavior without disrupting business operations.
Executive priority
Prioritize this as a resilience and monitoring-coverage question rather than a single-signature detection item. Because the related technique applies to Android and iOS and involves legitimate web services, executives should ask whether mobile device visibility, network egress monitoring, incident response playbooks, and compliance evidence can support investigations where traffic appears to go to trusted or commonly used providers. This is especially relevant where mobile devices access sensitive business data or where unmanaged mobile usage creates gaps in SOC visibility.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, but it is the detection strategy mapped to mobile technique T1481 Web Service, which covers adversary use of an existing, legitimate external web service to relay data to or from a compromised system. SOC and detection teams should validate visibility for Android and iOS traffic to common web services, focusing on whether telemetry can show application identity, destination domain or service, timing, volume, user or device context, and deviations from normal behavior. Detection engineering should not assume that traffic to popular providers is benign; the relevant signal is an unexpected pattern (cadence, volume, or app-to-destination pairing) inside otherwise expected services, not the destination itself.
Likely telemetry
- Mobile device management or mobile threat defense inventory and security events, where available
- Network egress logs, DNS logs, proxy logs, firewall logs, or secure web gateway records for mobile device traffic
- TLS/SNI, destination domain, destination IP, URL category, and connection metadata where policy and architecture allow collection
- Mobile application inventory, app reputation, installation source, and permission context
- Identity and access logs that tie mobile activity to users, devices, and managed versus unmanaged access
Detection direction
- Validate whether traffic to legitimate web services is logged with enough device, user, application, and destination context to support triage.
- Baseline normal mobile use of common web services before alerting on volume, frequency, timing, or unusual destination patterns to reduce false positives.
- Correlate web-service traffic with mobile device posture, app inventory, identity events, and recent security alerts rather than relying on destination reputation alone.
- Treat trusted or popular service providers as a blind spot if monitoring only flags known-malicious infrastructure.
- Confirm whether unmanaged mobile devices, privacy controls, encrypted traffic, or split-tunnel network paths limit SOC visibility.
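The detection direction above can be turned into concrete triage logic. The following is an added example written for this page, not Glexia or MITRE tooling: it runs over a handful of constructed mobile egress records (the field names `ts`, `device`, `managed`, `app`, `dst`, `bytes_out` and the destination `api.docs-cloud.example` are assumptions, not a real log schema) and applies three baseline-relative checks, regular connection cadence, per-device upload volume against the fleet median for that destination, and an app that reaches a popular destination from only one device, plus a measure of how much traffic to the service cannot be attributed to an application at all, which is the visibility gap the last bullet asks about.

```python
"""Added example: baseline-relative triage of mobile traffic to a legitimate web service.

Illustrative code for this page, not Glexia or MITRE tooling. Field names and the
destination are hypothetical; RECORDS below is constructed sample data, not telemetry.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

LEGIT_SERVICE = "api.docs-cloud.example"   # hypothetical, widely used document service
CHAT = "com.example.chat"                  # hypothetical app that legitimately uses it
TORCH = "com.example.torch"                # hypothetical app with no business reason to


def rec(ts, device, app, bytes_out, managed=True):
    """Build one normalised egress record (constructed sample data)."""
    return {"ts": ts, "device": device, "managed": managed, "app": app,
            "dst": LEGIT_SERVICE, "bytes_out": bytes_out}


RECORDS = [
    # Managed devices using the service through the expected app at human-driven times.
    rec(1000, "d01", CHAT, 4200), rec(4600, "d01", CHAT, 3100),
    rec(1500, "d02", CHAT, 5000), rec(9000, "d02", CHAT, 2800),
    rec(2000, "d03", CHAT, 3900),
    # One device where an unrelated app contacts the same service every ~300 s
    # with large uploads: the relay pattern this page is about.
    *[rec(t, "d04", TORCH, 48000) for t in (1000, 1302, 1598, 1901, 2199, 2500)],
    # Unmanaged devices: the proxy sees the destination but no application identity.
    rec(3000, "d05", None, 1000, managed=False),
    rec(7000, "d06", None, 1000, managed=False),
]


def beaconing(records, min_conns=4, max_cv=0.1):
    """Flag (device, app, dst) whose inter-connection gaps are nearly constant.
    A coefficient of variation below max_cv is a triage signal for machine cadence;
    many benign apps poll too, so this is a lead to correlate, not a verdict."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["device"], r["app"], r["dst"])].append(r["ts"])
    hits = []
    for key, ts in stamps.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            hits.append(key)
    return hits


def upload_outliers(records, ratio=5.0):
    """Flag devices whose total upload to a destination exceeds ratio x the fleet
    median for that destination, i.e. volume judged against the baseline of the
    service's normal users rather than against destination reputation."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["dst"]][r["device"]] += r["bytes_out"]
    hits = []
    for dst, per_dev in totals.items():
        if len(per_dev) < 3:          # too few devices to call anything a baseline
            continue
        threshold = ratio * median(per_dev.values())
        hits.extend((dev, dst) for dev, v in per_dev.items() if v > threshold)
    return hits


def rare_apps(records, min_devices=3):
    """Flag an app that reaches a popular destination from a single device while
    the destination is reached by >= min_devices devices overall."""
    devs_by_dst, devs_by_app = defaultdict(set), defaultdict(set)
    for r in records:
        devs_by_dst[r["dst"]].add(r["device"])
        if r["app"] is not None:
            devs_by_app[(r["dst"], r["app"])].add(r["device"])
    return [(app, dst) for (dst, app), devs in devs_by_app.items()
            if len(devs) == 1 and len(devs_by_dst[dst]) >= min_devices]


def attribution_gap(records):
    """Per destination, the fraction of connections with no application identity
    (unmanaged devices): how much of the service's traffic the SOC cannot triage."""
    total, unknown = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["dst"]] += 1
        if r["app"] is None or not r["managed"]:
            unknown[r["dst"]] += 1
    return {dst: unknown[dst] / n for dst, n in total.items()}


def triage(records):
    """Combine the checks; each list is a lead to correlate with MDM, identity and alerts."""
    return {"beaconing": beaconing(records),
            "upload_outliers": upload_outliers(records),
            "rare_apps": rare_apps(records),
            "attribution_gap": attribution_gap(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RECORDS), indent=2))
```

On the constructed data only `d04` trips the cadence and volume checks and only its app is a rare pairing; the unmanaged devices are not flagged as hostile at all, they simply show up as the 2/13 of connections that cannot be attributed to an app. Thresholds (`max_cv`, `ratio`, `min_devices`) are starting points and should be set from a real baseline window before alerting, as the list above recommends.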
Mitigation priorities
- Establish or improve mobile device management and device posture governance for Android and iOS environments where business data is accessed.
- Define acceptable-use and access policies for mobile applications and external web services based on business need and risk.
- Ensure egress, DNS, proxy, or secure web gateway logging is retained and usable for mobile incident response where legally and operationally appropriate.
- Integrate mobile telemetry with identity and SOC workflows so suspicious web-service use can be tied to a user, device, and application context.
- Document investigation procedures and evidence sources for cases where legitimate web services may be used as relay infrastructure.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0672 and its relationship to T1481 Web Service in the mobile domain. The source object itself provides no official description or detection guidance, so recommendations are conservative and derived from the related technique description and supported Android/iOS relationship context.
ATT&CK does not provide platform, tactic, description, or detection text for DET0672 in the supplied fields. Local architecture determines whether mobile traffic, application identity, DNS, proxy, and identity telemetry are available. This summary does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage.
Detection of Web Service
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1481 | Web Service | This object detects Web Service. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 03e0a90982fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0672 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.