DET0700: Detection of Bidirectional Communication
Analyst context for executives and security teams
DET0700 is a mobile ATT&CK detection strategy tied to detecting bidirectional command-and-control behavior where a compromised Android or iOS device may use legitimate external web services to receive commands and send results back. For leaders, the practical issue is not just malware traffic; it is whether mobile security monitoring can distinguish normal app/web-service use from a device covertly using trusted services as a control channel.
Executive priority
Prioritize this as a mobile resilience and incident-readiness question: do security teams have enough mobile network, device, and application telemetry to investigate suspected command-and-control over legitimate web services? Because the official detection strategy has no supplied detection text, executives should avoid assuming coverage exists and instead request evidence of collection, alert logic, triage playbooks, and mobile IR decision paths for Android and iOS environments.
Technical view
SOC and detection teams should validate coverage around the related mobile technique T1481.002, Bidirectional Communication. The relationship indicates the behavior involves compromised mobile systems using legitimate external web service channels for both inbound commands and outbound results. Detection work should therefore focus on observable bidirectional patterns, unusual web-service usage by mobile devices or apps, repeated communication to external services, and context that separates expected user/app behavior from suspicious control-channel behavior. Because ATT&CK does not provide an official detection method for this object, local telemetry quality and baselining are decisive.
Likely telemetry
- Mobile device network connection metadata where available
- DNS and web proxy or secure web gateway logs for mobile traffic
- Mobile device management or enterprise mobility management inventory and compliance signals
- Mobile threat defense or endpoint security events for Android and iOS where deployed
- Application identity, package/bundle, and network destination context
Detection direction
- Confirm whether mobile traffic is visible after encryption, VPN, private relay, split tunneling, or unmanaged network use; these are likely blind spots.
- Baseline normal external web-service use by managed mobile devices and high-risk apps before alerting on bidirectional patterns.
- Tune detections to look for suspicious combinations, not a single connection: unusual app-to-service pairing, repetitive polling, abnormal timing, unexpected data exchange, or activity inconsistent with user behavior.
- Correlate network observations with device posture, app inventory, user identity, and recent security events to reduce false positives from legitimate social, productivity, or cloud-service traffic.
- Document that DET0700 has no official detection text supplied, so any implemented analytic should be treated as locally derived and validated against the organization’s mobile architecture.
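As an added illustration of the "suspicious combinations, not a single connection" guidance above (example code written for this page, not part of the ATT&CK object or Glexia's own analysis), the Python below scores constructed mobile proxy records per device, app and destination against four indicators and reports only flows where at least two coincide. The log lines, app identifiers, destination hosts, baseline pairings, business-hours window and thresholds are all constructed assumptions and would need to be replaced with the organization's own MDM inventory and gateway telemetry.

```python
"""Score mobile app-to-web-service flows for bidirectional control-channel patterns.

Added example (not from the ATT&CK object or the mirrored page). Log lines,
device/app names, destinations and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy/gateway records for managed mobile devices:
# timestamp, device id, app package/bundle id, destination host, bytes out, bytes in.
SAMPLE_LOG = """\
2024-05-01T09:00:00 dev-A com.example.chat chat.example-service.test 1200 5400
2024-05-01T09:07:12 dev-A com.example.chat chat.example-service.test 800 3900
2024-05-01T12:31:40 dev-A com.example.chat chat.example-service.test 2100 9100
2024-05-01T02:00:00 dev-B com.example.flashlight pastebin-like.example.test 310 780
2024-05-01T02:05:00 dev-B com.example.flashlight pastebin-like.example.test 305 760
2024-05-01T02:10:00 dev-B com.example.flashlight pastebin-like.example.test 312 790
2024-05-01T02:15:00 dev-B com.example.flashlight pastebin-like.example.test 298 770
2024-05-01T02:20:00 dev-B com.example.flashlight pastebin-like.example.test 2900 750
2024-05-01T10:00:00 dev-C com.example.mail mail.example-service.test 600 20000
"""

# Constructed baseline of expected app -> destination pairings (would come from
# MDM/EMM app inventory and a learning period in a real deployment).
BASELINE_PAIRS = {
    ("com.example.chat", "chat.example-service.test"),
    ("com.example.mail", "mail.example-service.test"),
}

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local is "normal" for this fleet


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, app, dest, b_out, b_in = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "device": dev, "app": app, "dest": dest,
            "bytes_out": int(b_out), "bytes_in": int(b_in),
        })
    return records


def score_flows(records, min_events=4, max_interval_cv=0.2):
    """Return {(device, app, dest): [indicator names]} for flows with >= 2 indicators.

    A single indicator is deliberately not enough: legitimate apps poll, run at
    night, or upload occasionally; it is the combination that is worth triage.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["device"], r["app"], r["dest"])].append(r)

    findings = {}
    for key, evs in groups.items():
        evs.sort(key=lambda r: r["ts"])
        indicators = []
        _, app, dest = key

        # 1. App-to-service pairing not present in the baseline inventory.
        if (app, dest) not in BASELINE_PAIRS:
            indicators.append("unbaselined_pairing")

        # 2. Repetitive polling: enough events with near-constant spacing
        #    (coefficient of variation of inter-event gaps at or below threshold).
        if len(evs) >= min_events:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
            if cv <= max_interval_cv:
                indicators.append("regular_polling")

        # 3. Abnormal timing: every event for this flow falls outside business hours.
        if all(r["ts"].hour not in BUSINESS_HOURS for r in evs):
            indicators.append("off_hours_only")

        # 4. Unexpected data exchange: channel is two-way (responses always carry data)
        #    and one request sends more than 5x the average of the other requests.
        outs = [r["bytes_out"] for r in evs]
        two_way = all(r["bytes_in"] > 0 for r in evs)
        if two_way and len(outs) >= 2:
            others_avg = (sum(outs) - max(outs)) / (len(outs) - 1)
            if max(outs) > 5 * others_avg:
                indicators.append("upload_spike_on_two_way_channel")

        if len(indicators) >= 2:
            findings[key] = indicators
    return findings


if __name__ == "__main__":
    for flow, hits in score_flows(parse_log(SAMPLE_LOG)).items():
        print(flow, "->", ", ".join(hits))
```

In the constructed sample only dev-B is reported: an app with no baselined relationship to that service, polling every five minutes, entirely off-hours, with one request that uploads roughly ten times more than its siblings. dev-A's chat client and dev-C's mail client trigger no indicator pair and stay silent, which is the false-positive behaviour the correlation bullet above is asking for. Thresholds such as `min_events` and `max_interval_cv` should be tuned against the fleet's own baseline before the logic is promoted to an alert.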
Mitigation priorities
- Start with visibility: ensure managed Android and iOS devices have appropriate logging, inventory, and network telemetry paths for investigation.
- Strengthen mobile device management controls, app governance, and compliance checks so suspicious or unmanaged devices can be isolated or investigated quickly.
- Use access policy and identity context to limit risky mobile access to sensitive services when device posture is unknown or noncompliant.
- Prepare mobile IR procedures for preserving evidence, reviewing app/network activity, and deciding when to quarantine, wipe, or re-enroll a device.
- Review compliance evidence for mobile monitoring and response coverage, especially where mobile devices access regulated, executive, operational, or cloud-hosted data.
Analyst notes and limits
This analysis is based on the detection strategy object DET0700 and its relationship to mobile technique T1481.002, Bidirectional Communication. The strongest decision value is coverage validation: determining whether the organization can observe and investigate mobile devices using legitimate web services as a two-way channel.
The supplied ATT&CK object has no official description, no official detection text, no tactics, and no platforms listed on the detection strategy itself. Android and iOS are supported only through the related technique context. Local environment telemetry, mobile management architecture, and app usage patterns are required before making coverage or risk conclusions.
Detection of Bidirectional Communication
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1481.002 | Bidirectional Communication (sub-technique) | This object detects Bidirectional Communication. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e1055abbe57a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0700 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.