MITRE ATT&CK® Detection Strategy

DET0696: Detection of Network Service Scanning


Mobile | DET0696 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0696 is a mobile ATT&CK detection strategy for identifying network service scanning behavior associated with T1423. The business relevance is that a mobile device with local network or VPN access can become a vantage point for discovering internal services that may later be targeted. For leaders, this is less about a single alert and more about proving whether mobile-connected network activity is visible enough to support incident response and network exposure decisions.

Executive priority

Prioritize this as a visibility and resilience question: can the organization see when Android or iOS-connected devices are probing internal services, especially over VPN or local enterprise connectivity? This matters for incident triage, vulnerability prioritization, and compliance evidence because service discovery from mobile access paths can reveal gaps between mobile device management, VPN monitoring, network logging, and SOC workflows.

Technical view

MITRE provides no official description or detection logic for DET0696, but the relationship states that it detects T1423 Network Service Scanning in the mobile domain. SOC and detection teams should validate whether they can correlate mobile device identity, VPN session context, source IP, destination hosts, ports, and connection patterns consistent with port or vulnerability scanning. Detection engineering should focus on mobile-originated or mobile-associated network flows to internal services, while accounting for legitimate administrative, security testing, and network diagnostic activity.

Likely telemetry

  • VPN session logs tying users/devices to assigned IP addresses
  • Network flow records showing source, destination, port, protocol, timing, and connection counts
  • Firewall, secure web gateway, or network access control logs for mobile-connected traffic
  • Mobile device management or enterprise mobility logs identifying Android and iOS device posture and ownership
  • DNS logs where service discovery involves hostname lookups

Detection direction

  • Validate that mobile-device traffic can be distinguished from other user, server, and scanner traffic, especially when devices use VPN address pools.
  • Look for unusual breadth or rate of connections from a mobile-associated source to many internal hosts or ports, while tuning out approved vulnerability scanners, IT diagnostics, and known monitoring tools.
  • Correlate network events with VPN authentication and device inventory so alerts identify the user, device, and access path rather than only an IP address.
  • Review blind spots around unmanaged mobile devices, split tunneling, local Wi-Fi access, NAT, and incomplete flow logging.
  • Because MITRE provides no official detection text for this object, local baselining and environment-specific thresholds are required.
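To make the correlation and breadth logic in the points above concrete, here is an added Python example (not part of the Glexia page or MITRE's object). The VPN session, flow and approved-scanner records are constructed, and the 10-target / 5-minute threshold is an assumed placeholder that local baselining would replace.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN session log: ties a user and device to a VPN pool IP for a time window.
VPN_SESSIONS = [
    {"user": "alice", "device": "android-3f2a", "ip": "10.200.0.15",
     "start": "2025-01-10T08:00:00", "end": "2025-01-10T12:00:00"},
]
# Constructed: an approved, documented vulnerability scanner whose activity is expected.
APPROVED_SCANNERS = {"10.10.5.5"}

def _flow(src, dst, dport, ts):
    return {"src": src, "dst": dst, "dport": dport, "ts": ts}

BASE = datetime(2025, 1, 10, 9, 0, 0)
# Constructed flow records: a VPN-attributed mobile source touching 12 internal hosts,
# the approved scanner doing the same, and a second source reaching one service repeatedly.
FLOWS = (
    [_flow("10.200.0.15", f"10.1.1.{i}", 445, (BASE + timedelta(seconds=i)).isoformat()) for i in range(1, 13)]
    + [_flow("10.10.5.5", f"10.1.1.{i}", 22, (BASE + timedelta(seconds=i)).isoformat()) for i in range(1, 13)]
    + [_flow("10.200.0.16", "10.1.2.7", 443, (BASE + timedelta(minutes=i)).isoformat()) for i in range(3)]
)

def attribute(ip, ts):
    """Map a source IP at time ts to (user, device) using VPN session records; None if unattributed."""
    t = datetime.fromisoformat(ts)
    for s in VPN_SESSIONS:
        if s["ip"] == ip and datetime.fromisoformat(s["start"]) <= t <= datetime.fromisoformat(s["end"]):
            return s["user"], s["device"]
    return None

def detect_service_scan(flows, window=timedelta(minutes=5), min_targets=10):
    """Alert on sources reaching >= min_targets distinct host:port pairs inside a sliding window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["src"] not in APPROVED_SCANNERS:  # suppress documented scanners up front
            by_src[f["src"]].append(f)
    alerts = []
    for src, evts in by_src.items():
        evts.sort(key=lambda f: f["ts"])
        for i, first in enumerate(evts):
            targets = set()
            for f in evts[i:]:
                if datetime.fromisoformat(f["ts"]) - datetime.fromisoformat(first["ts"]) > window:
                    break
                targets.add((f["dst"], f["dport"]))
            if len(targets) >= min_targets:
                who = attribute(src, first["ts"])  # enrich with user/device, not just an IP
                alerts.append({"src": src, "user": who[0] if who else None,
                               "device": who[1] if who else None,
                               "access_path": "vpn" if who else "unattributed",
                               "targets": len(targets)})
                break  # one alert per source per run
    return alerts
```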

Mitigation priorities

  • Ensure VPN, firewall, and network telemetry can attribute mobile-originated traffic to users and devices.
  • Limit mobile access to internal services based on least privilege and business need.
  • Maintain device posture and enrollment controls for Android and iOS access to enterprise networks.
  • Segment sensitive services so mobile network access does not provide broad internal scanning reach.
  • Document approved scanning and administrative activity so SOC detections can suppress expected behavior and escalate anomalous activity.

Analyst notes and limits

This take is derived from DET0696 and its relationship to T1423 Network Service Scanning. The strongest defensive value is validating whether mobile access paths are represented in network detection and incident response evidence. The object itself does not specify tactics, platforms, description, or detection logic; Android and iOS are supported through the related T1423 technique context.

Official detection content is not provided for DET0696, and the detection strategy lists no platforms or tactics. Recommendations are therefore limited to conservative validation directions implied by the related T1423 description and require local telemetry, access architecture, and approved scanning context.

Official MITRE ATT&CK definition

Detection of Network Service Scanning

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1423
Name: Network Service Scanning
Relationship / procedure: This object detects Network Service Scanning.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 142853969c1a02e8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | 142853969c1a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.