DET0698: Detection of Exfiltration Over Alternative Protocol
Analyst context for executives and security teams
DET0698 is a mobile ATT&CK detection strategy for finding data theft when an adversary sends stolen data over a protocol or destination different from the main command-and-control path. For leaders, the practical issue is coverage: mobile exfiltration may appear as ordinary DNS, HTTPS, email, file transfer, SMB, or cloud-storage traffic unless teams can correlate mobile network activity, destination changes, and abnormal data movement.
Executive priority
Prioritize this as a validation question for mobile, cloud, and SOC readiness: can the organization prove it would notice sensitive mobile data leaving through alternate protocols or web services? This matters for incident triage, compliance evidence, and resilience because a response team may miss exfiltration if it only monitors known command-and-control channels or traditional endpoints.
Technical view
This detection strategy covers ATT&CK mobile technique T1639, Exfiltration Over Alternative Protocol, which applies to Android and iOS. SOC and detection teams should validate whether they can observe outbound mobile traffic by protocol, destination, volume, timing, and application context, especially where data leaves toward a network location different from the main command-and-control server. Because MITRE provides no official detection text for this object, implementation has to be built from local telemetry and the related technique description.
Likely telemetry
- Mobile network traffic metadata from secure web gateways, proxies, firewalls, VPNs, or carrier/Wi-Fi egress points
- DNS query and response logs for mobile devices or managed mobile apps
- HTTP/S connection metadata, including destination, volume, frequency, and user/app context where available
- Logs for FTP, SMTP, SMB, or other nonstandard outbound protocols where mobile traffic can reach them
- Cloud storage or web service access logs relevant to mobile users and applications
Detection direction
- Validate visibility into alternate outbound protocols, not only known command-and-control indicators.
- Correlate mobile device or app identity with unusual destinations, uncommon protocols, abnormal upload volume, or new cloud/web service usage.
- Tune detections against legitimate mobile behavior such as cloud sync, backups, email attachments, software updates, and approved collaboration tools.
- Pay attention to encrypted-traffic blind spots: with TLS, the realistic signals are metadata (destination, SNI/host where available, destination reputation, upload volume, and timing patterns), not payload inspection.
- Use the relationship to T1639 to frame hunting around Android and iOS environments, while noting that the detection strategy itself does not specify platforms.
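The three correlation ideas above (uncommon protocol from a mobile app, bulk upload to an unapproved destination, DNS used as a data channel) as one hunt over egress metadata. This is an added example, not MITRE's or Glexia's code; the event fields, the approved-destination list, the thresholds, and the sample records are all constructed for illustration and would come from your own proxy, firewall, and DNS logs and your CASB/MDM inventory in practice.

```python
"""Hunt for exfiltration over alternative protocols in mobile egress metadata."""
from collections import defaultdict

# Protocols a managed mobile app almost never needs for business traffic.
NONSTANDARD_PROTOCOLS = {"ftp", "smtp", "smb"}

# Destinations approved for bulk upload (cloud sync, backup, mail).
# Hypothetical names; a real list comes from the CASB/MDM inventory.
APPROVED_UPLOAD_DESTINATIONS = {"storage.example-cloud.com", "mail.example.com"}

UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024  # per (device, app, destination) in the window
DNS_UNIQUE_NAME_THRESHOLD = 20            # distinct names under one parent domain
DNS_LABEL_LENGTH_THRESHOLD = 12           # average length of the leftmost label


def parent_domain(fqdn: str) -> str:
    """Crude registrable-domain guess (last two labels). Fine for a hunt;
    use a public-suffix list for production."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def hunt(events):
    """Return a list of findings, one dict per (rule, device, app, target)."""
    findings = []
    upload_bytes = defaultdict(int)   # (device, app, dst) -> bytes_out
    dns_names = defaultdict(set)      # (device, app, parent) -> distinct query names

    for ev in events:
        device = ev["device"]
        app = ev.get("app") or "unknown-app"  # unmanaged devices may lack app context
        proto = ev["proto"].lower()
        dst = ev["dst"]

        # Rule 1: FTP/SMTP/SMB from a mobile device is worth a look on its own.
        if proto in NONSTANDARD_PROTOCOLS:
            findings.append({"rule": "nonstandard_protocol", "device": device,
                             "app": app, "proto": proto, "dst": dst})

        if proto == "dns":
            dns_names[(device, app, parent_domain(dst))].add(dst)
        else:
            upload_bytes[(device, app, dst)] += ev["bytes_out"]

    # Rule 2: bulk outbound volume to a destination not on the approved list.
    for (device, app, dst), total in upload_bytes.items():
        if total > UPLOAD_THRESHOLD_BYTES and dst not in APPROVED_UPLOAD_DESTINATIONS:
            findings.append({"rule": "bulk_upload_unapproved_destination", "device": device,
                             "app": app, "dst": dst, "bytes_out": total})

    # Rule 3: many distinct, long subdomains under one parent: data encoded in DNS.
    for (device, app, parent), names in dns_names.items():
        avg_label = sum(len(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= DNS_UNIQUE_NAME_THRESHOLD and avg_label >= DNS_LABEL_LENGTH_THRESHOLD:
            findings.append({"rule": "dns_tunnel_suspected", "device": device, "app": app,
                             "parent_domain": parent, "unique_names": len(names)})
    return findings


def build_sample_events():
    """Constructed telemetry for the example; not captured from a real network."""
    events = [
        # Managed iOS mail client syncing to the approved mail server: benign.
        {"device": "ios-0412", "app": "com.example.mail", "proto": "https",
         "dst": "mail.example.com", "bytes_out": 120_000},
        {"device": "ios-0412", "app": "com.example.mail", "proto": "dns",
         "dst": "mail.example.com", "bytes_out": 40},
        # Approved backup app pushing a large archive to the sanctioned store: benign.
        {"device": "android-2200", "app": "com.example.backup", "proto": "https",
         "dst": "storage.example-cloud.com", "bytes_out": 50_000_000},
        # Sideloaded app: a small HTTPS beacon to one host (its C2 path)...
        {"device": "android-7731", "app": "com.fake.flashlight", "proto": "https",
         "dst": "cdn.example-news.com", "bytes_out": 4_000},
        # ...then a 9.5 MB FTP push to a bare IP the app never contacted before.
        {"device": "android-7731", "app": "com.fake.flashlight", "proto": "ftp",
         "dst": "203.0.113.9", "bytes_out": 9_500_000},
        # Unmanaged device with no app context, small upload: below threshold.
        {"device": "byod-0099", "app": None, "proto": "https",
         "dst": "share.example-files.com", "bytes_out": 300_000},
    ]
    # 25 distinct hex-looking names under one parent domain from the same app.
    for i in range(25):
        events.append({"device": "android-7731", "app": "com.fake.flashlight", "proto": "dns",
                       "dst": f"{i:02x}f0e1d2c3a4b5.tun.example.net", "bytes_out": 64})
    return events


if __name__ == "__main__":
    for finding in hunt(build_sample_events()):
        print(finding)
```

On the sample data the sideloaded app produces three findings (the FTP session, the bulk upload to the bare IP, and the DNS pattern) while the approved backup, the mail client, and the small BYOD upload produce none, which is the tuning point from the list above: the approved-destination list and thresholds are what keep cloud sync and backups out of the queue. Note that the HTTPS beacon and the FTP push go to different hosts; that split between the C2 path and the exfiltration path is exactly what T1639 describes.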
Mitigation priorities
- Establish mobile egress visibility before relying on detections; confirm where managed Android and iOS traffic is actually logged.
- Restrict unnecessary outbound protocols from mobile networks and managed devices where business requirements allow.
- Apply mobile device/app management controls to limit unapproved apps, risky network paths, and unauthorized data sharing.
- Strengthen cloud and web-service governance for mobile access, including approved storage services and audit logging.
- Use data loss prevention and access controls where sensitive mobile-accessible data could be uploaded externally.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The strongest source context is its relationship to T1639, which describes exfiltration over protocols such as FTP, SMTP, HTTP/S, DNS, SMB, or web services such as cloud storage, and identifies Android and iOS for the related technique.
This take does not assert active exploitation, attribution, or existing detection coverage. Local architecture determines feasibility: unmanaged devices, encrypted traffic, limited mobile logging, and cloud-service visibility gaps may materially reduce detection quality.
Detection of Exfiltration Over Alternative Protocol
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1639 | Exfiltration Over Alternative Protocol | This object detects Exfiltration Over Alternative Protocol. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5a75db0f8ec7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0698 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.