MITRE ATT&CK® Detection Strategy

DET0701: Detection of Exfiltration Over Unencrypted Non-C2 Protocol


Mobile | DET0701 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0701 is a mobile ATT&CK detection strategy for identifying data exfiltration sent over unencrypted, non-command-and-control protocols. The business significance is that stolen mobile data may leave through ordinary-looking protocols such as HTTP, FTP, or DNS, potentially outside the primary C2 channel defenders are already watching. For leaders, the key question is whether mobile network visibility is sufficient to distinguish legitimate app traffic from unusual outbound data movement.

Executive priority

Prioritize this as a validation point for mobile security monitoring, incident response readiness, and compliance evidence around sensitive data handling. Because the supplied ATT&CK object has no official detection text or platform list of its own, executives should treat it as a coverage question rather than an assured detection capability: can the organization prove it monitors Android and iOS exfiltration paths associated with the related technique T1639.001, especially unencrypted outbound protocols and alternate destinations?

Technical view

SOC and detection teams should validate coverage against the related mobile technique, Exfiltration Over Unencrypted Non-C2 Protocol, which applies to Android and iOS. Focus analysis on outbound mobile traffic using natively unencrypted protocols such as HTTP, FTP, or DNS, especially where data is sent to destinations that differ from known application or management infrastructure. Because the official detection strategy does not provide detection logic, teams should derive local analytics from network metadata, mobile telemetry, and known-good baselines rather than assuming a MITRE-provided rule exists.

Likely telemetry

  • Mobile network traffic metadata for Android and iOS devices
  • DNS query logs and resolver telemetry
  • HTTP request metadata where available
  • FTP session or connection logs where applicable
  • Mobile device management or mobile threat defense inventory and device context

Detection direction

  • Confirm whether mobile egress visibility includes unencrypted protocols and not only encrypted web or known C2 indicators.
  • Baseline normal app and device communication patterns so unusual destinations, volumes, or protocol use can be reviewed with context.
  • Look for outbound transfers over HTTP, FTP, or DNS that are inconsistent with expected mobile application behavior, while accounting for legitimate app telemetry and content delivery patterns.
  • Correlate network observations with device identity, user, application inventory, and management status to reduce false positives.
  • Treat alternate network destinations as important context because the related technique notes data may be sent somewhere other than the main command-and-control server.
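As an added example (not code from the Glexia page, and not a MITRE-supplied analytic for DET0701), the Python below turns the detection direction above into a small local analytic over constructed inputs: outbound flow metadata, DNS query lines and an MDM inventory. It flags HTTP/FTP flows whose destination or volume departs from a per-app known-good baseline, scores DNS query patterns whose leading labels look like carried data rather than normal lookups, and enriches each hit with device, user, management state and app-approval context so an analyst can triage it. Every device name, app identifier, host, byte count and threshold is a constructed assumption, and the registered-domain helper is a deliberate simplification that production code would replace with a public-suffix lookup.

```python
"""Added example: cleartext-exfiltration and DNS-tunnel candidates over constructed
mobile telemetry. Not Glexia's or MITRE's code; all records and thresholds are assumed."""
import hashlib
import math
from collections import defaultdict

CLEARTEXT_PROTOCOLS = {"http", "ftp"}  # natively unencrypted, per the page

# Constructed MDM/MTD inventory: device -> owner, management state, approved apps
INVENTORY = {
    "and-0012": {"user": "alice", "managed": True, "apps": {"com.corp.mail", "com.maps"}},
    "ios-0034": {"user": "bob", "managed": True, "apps": {"com.corp.mail"}},
    "and-0099": {"user": "unknown", "managed": False, "apps": set()},
}

# Constructed known-good baseline: app -> expected hosts and p95 outbound bytes per flow
BASELINE = {
    "com.corp.mail": {"hosts": {"mail.corp.example"}, "p95_out_bytes": 50_000},
    "com.maps": {"hosts": {"tiles.maps.example"}, "p95_out_bytes": 200_000},
}

# Constructed flow metadata (one outbound connection each); IPs are RFC 5737 documentation addresses
FLOWS = [
    {"device": "and-0012", "app": "com.corp.mail", "proto": "http", "dst": "mail.corp.example", "out_bytes": 12_000},
    {"device": "and-0012", "app": "com.maps", "proto": "https", "dst": "tiles.maps.example", "out_bytes": 15_000},
    {"device": "ios-0034", "app": "com.corp.mail", "proto": "http", "dst": "203.0.113.7", "out_bytes": 4_800_000},
    {"device": "and-0099", "app": "com.unknown.tool", "proto": "ftp", "dst": "198.51.100.22", "out_bytes": 900_000},
]

# Constructed DNS query log: (device, queried name). The ios-0034 entries carry long hex
# leading labels under a single domain, the shape that data-bearing DNS queries produce.
DNS_LOG = [("and-0012", "mail.corp.example"), ("and-0012", "tiles.maps.example")] + [
    ("ios-0034", hashlib.sha256(str(i).encode()).hexdigest()[:32] + ".c.tunnel-demo.test")
    for i in range(12)
]

def shannon_entropy(text):
    """Bits per character; long, high-entropy labels suggest encoded content."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Simplification: last two labels. Production code should use a public-suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_cleartext_anomalies(flows, baseline, inventory):
    """Flag HTTP/FTP flows whose destination or volume departs from the app baseline,
    enriched with device identity and management context to support triage."""
    alerts = []
    for f in flows:
        if f["proto"] not in CLEARTEXT_PROTOCOLS:
            continue
        profile = baseline.get(f["app"])
        reasons = []
        if profile is None:
            reasons.append("app has no known-good baseline")
        else:
            if f["dst"] not in profile["hosts"]:
                reasons.append("destination outside app baseline")
            if f["out_bytes"] > profile["p95_out_bytes"]:
                reasons.append("outbound volume above app p95")
        if not reasons:
            continue  # expected cleartext traffic for this app: no alert
        ctx = inventory.get(f["device"], {"user": "unknown", "managed": False, "apps": set()})
        alerts.append({
            "device": f["device"], "user": ctx["user"], "managed": ctx["managed"],
            "app": f["app"], "app_approved": f["app"] in ctx["apps"],
            "proto": f["proto"], "dst": f["dst"], "out_bytes": f["out_bytes"],
            "reasons": reasons,
        })
    return alerts

def find_dns_tunnel_candidates(dns_log, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Per (device, registered domain): many distinct, long, high-entropy leading labels
    is the signature of data carried in DNS queries rather than ordinary name lookups."""
    leading = defaultdict(set)
    for device, name in dns_log:
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain that could carry data
        leading[(device, registered_domain(name))].add(labels[0])
    out = []
    for (device, domain), labels in leading.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            out.append({"device": device, "domain": domain, "unique_labels": len(labels),
                        "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return out

if __name__ == "__main__":
    for a in find_cleartext_anomalies(FLOWS, BASELINE, INVENTORY):
        print("cleartext:", a)
    for c in find_dns_tunnel_candidates(DNS_LOG):
        print("dns:", c)
```

Run as-is it reports two cleartext hits (the managed iOS device sending several megabytes over HTTP to an address outside its mail app's baseline, and the unmanaged Android device using FTP from an unapproved app) and one DNS candidate for the constructed tunnel-demo.test domain; the first Android device's normal HTTP and DNS traffic produces nothing. The design point is that the protocol alone is never the alert: baseline deviation plus identity and management context is what makes a cleartext flow reviewable, which is why the thresholds are parameters that a team should set from its own telemetry rather than constants to copy.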

Mitigation priorities

  • Establish mobile asset and ownership visibility first, so Android and iOS network events can be tied to real users, devices, and applications.
  • Route managed mobile traffic through monitored egress paths where policy permits, including DNS and web inspection metadata collection.
  • Restrict or alert on unnecessary unencrypted protocols from managed mobile devices based on business need.
  • Use mobile device management or equivalent controls to enforce approved application and network configurations.
  • Maintain incident response playbooks for suspected mobile data exfiltration, including preservation of device, network, and identity context.

Analyst notes and limits

This take is based on the DET0701 detection strategy and its relationship to T1639.001. The detection strategy itself has no official description, detection text, tactics, or platform list supplied. The related technique provides the practical context: mobile adversaries may exfiltrate data over unencrypted non-C2 protocols, including HTTP, FTP, or DNS, and may use alternate destinations or non-encryption obfuscation/compression.

Coverage and detection quality cannot be inferred from the ATT&CK object alone. Local architecture determines whether mobile DNS, HTTP, FTP, proxy, firewall, VPN, and device telemetry are available. No claim is made that this behavior is currently active, attributed to any actor, or detectable by default.

Official MITRE ATT&CK definition

Detection of Exfiltration Over Unencrypted Non-C2 Protocol

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain: Mobile
ID: T1639.001
Name: Exfiltration Over Unencrypted Non-C2 Protocol
Relationship / procedure: Sub-technique. This object detects Exfiltration Over Unencrypted Non-C2 Protocol.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 20256aaa13e150fa...

Imported snapshots across ATT&CK releases (1)
Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 20256aaa13e1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0701 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.