DET0706: Detection of Non-Standard Port
Analyst context for executives and security teams
This detection strategy is about finding mobile network activity where the protocol and port do not normally match, such as HTTPS on an unusual port. For leaders, the practical issue is that port-based filtering and simple network dashboards can give a false sense of control if adversary traffic blends into allowed paths or confuses parsing. The value is in validating whether mobile traffic inspection, logging, and SOC workflows can recognize protocol behavior rather than relying only on port numbers.
Executive priority
Prioritize this as a control-validation and visibility question for mobile environments, especially Android and iOS fleets. Security leaders should ask whether network monitoring, mobile security controls, and incident response evidence can show when applications use unexpected protocol/port pairings. This supports resilience, audit evidence, and response decisions by proving whether teams can distinguish legitimate non-standard configurations from traffic intended to bypass filtering or analysis.
Technical view
DET0706 detects the ATT&CK mobile technique T1509, Non-Standard Port. Because the detection strategy object itself has no official detection text, teams should derive validation from the related technique: identify traffic where the observed protocol does not match the expected service port, then triage against approved application behavior and network policy. SOC and detection engineering teams should test whether mobile network telemetry can expose both port and protocol/application-layer characteristics, not just destination IP and port. Incident responders should preserve enough network and device context to determine whether the traffic came from an approved app, a misconfigured service, or suspicious behavior.
Likely telemetry
- Mobile device network connection logs where available
- Network security device logs showing source, destination, port, and protocol
- Proxy, secure web gateway, or VPN logs for mobile traffic
- DNS and destination reputation/context logs
- Application or MDM/UEM inventory context to map traffic to expected mobile apps
Detection direction
- Validate analytics that compare observed protocol behavior with expected port usage, rather than assuming port 443 equals HTTPS or non-443 means non-HTTPS.
- Tune detections with approved business exceptions, such as legitimate applications or services using alternate ports, to reduce false positives.
- Check for blind spots where mobile traffic is encrypted, tunneled, routed outside monitored VPN paths, or only logged as destination IP and port without protocol identification.
- Correlate unusual protocol/port pairings with device identity, user, application inventory, DNS, and recent configuration changes before escalating.
- Use the relationship to T1509 to focus validation on Android and iOS mobile traffic, while noting the detection strategy object does not specify platforms directly.
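The following is an added illustration of the analytic described in this section, not code from ATT&CK or from Glexia. It assumes a constructed key=value connection-log format in which a proxy or gateway has already labelled the application-layer protocol (`app_proto`), and it treats the expected port-to-protocol map and the approved-exception list as local policy inputs. It also handles the blind spot noted above: records that carry only a destination port and no protocol identification are surfaced as a visibility gap rather than silently passed.

```python
from dataclasses import dataclass
from typing import Optional

# Expected application-layer protocol for well-known service ports.
# Assumption for this example: a DPI-capable proxy or gateway has labelled app_proto.
EXPECTED_PORT_PROTOCOL = {
    80: "http",
    443: "tls",
    53: "dns",
    22: "ssh",
    993: "tls",  # IMAPS
}

# Approved business exceptions (constructed): app identifier -> sanctioned (port, protocol) pairs.
# This is the documented non-standard port use that lets the SOC separate exceptions from deviations.
APPROVED_EXCEPTIONS = {
    "corp-vpn-client": {(8443, "tls")},
    "internal-dev-proxy": {(8080, "http")},
}


@dataclass
class Finding:
    severity: str
    reason: str
    record: dict


def parse_record(line: str) -> dict:
    """Parse one key=value log line into a dict; absent keys stay absent."""
    rec = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    rec["dport"] = int(rec["dport"]) if "dport" in rec else None
    return rec


def evaluate(rec: dict) -> Optional[Finding]:
    """Compare observed protocol with the port's expected protocol, then apply exceptions."""
    port = rec.get("dport")
    proto = rec.get("app_proto")
    app = rec.get("app")
    if port is None:
        return None
    # Blind spot: telemetry logged only IP/port with no protocol identification.
    if proto is None or proto == "unknown":
        return Finding("info", "no protocol identification; port-only visibility", rec)
    if port in EXPECTED_PORT_PROTOCOL:
        expected = EXPECTED_PORT_PROTOCOL[port]
        if proto != expected:
            return Finding("high", f"port {port} expected {expected} but observed {proto}", rec)
        return None
    # Non-standard port: sanctioned if the app has a documented exception for this pairing.
    if app and (port, proto) in APPROVED_EXCEPTIONS.get(app, set()):
        return None
    return Finding("medium", f"{proto} on non-standard port {port} not in approved exceptions", rec)


def analyze(lines) -> list:
    """Run the analytic over a batch of log lines and return only the findings."""
    return [f for f in (evaluate(parse_record(line)) for line in lines) if f is not None]


# Constructed sample telemetry (not real device or destination data).
SAMPLE_LOG = [
    "device=android-0142 app=com.example.bank dst=203.0.113.10 dport=443 app_proto=tls",
    "device=android-0142 app=com.example.unknown dst=198.51.100.7 dport=443 app_proto=ssh",
    "device=ios-0077 app=corp-vpn-client dst=192.0.2.5 dport=8443 app_proto=tls",
    "device=ios-0077 app=com.example.game dst=198.51.100.22 dport=8443 app_proto=tls",
    "device=android-0308 dst=203.0.113.77 dport=9001",
    "device=android-0308 app=com.example.chat dst=203.0.113.77 dport=53 app_proto=http",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding.severity.upper(), finding.reason, finding.record.get("device"), finding.record.get("app"))
```

The ordering of the checks is the point: a well-known port carrying the wrong protocol is the strongest signal, an unlisted port is judged against the documented exception list before it is escalated, and a record with no protocol label is reported as a gap so that port-only logging does not masquerade as coverage.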
Mitigation priorities
- Define expected mobile network paths and approved protocol/port combinations for managed applications and services.
- Ensure mobile traffic visibility through appropriate VPN, proxy, gateway, MDM/UEM, or network controls where policy allows.
- Reduce reliance on static port-based allow/block rules by adding protocol-aware inspection or policy enforcement where feasible.
- Document legitimate non-standard port use so SOC teams can distinguish sanctioned exceptions from suspicious deviations.
- Include this behavior in detection validation and incident response evidence checklists for mobile environments.
Analyst notes and limits
The ATT&CK object is a detection strategy with no official description, tactics, platforms, or detection text. Its decision value comes from the relationship to T1509, Non-Standard Port, in the mobile domain, where Android and iOS are listed on the related technique. Treat this as a coverage-assessment item: can the organization identify protocol/port mismatches in mobile traffic and explain whether they are approved?
The supplied ATT&CK fields do not provide a concrete detection analytic, data source list, tactic mapping, or mitigation guidance. Local network architecture, mobile management model, privacy constraints, and available telemetry are required to determine actual detection coverage and response procedures.
Detection of Non-Standard Port
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1509 | Non-Standard Port | This object detects Non-Standard Port. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 52dfe4ceb603… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0706 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.