DET0708: Detection of Internet Connection Discovery
Analyst context for executives and security teams
DET0708 is a mobile ATT&CK detection strategy for spotting Internet Connection Discovery, where an adversary checks whether a compromised Android or iOS device can reach the Internet before attempting further communications. For leaders, the value is not the connectivity check by itself; it is whether mobile security monitoring can distinguish normal app/network behavior from suspicious pre-command-and-control readiness checks.
Executive priority
Treat this as a mobile visibility and incident-readiness question. If mobile devices are in scope for business operations, identity access, regulated data, or executive communications, confirm whether the organization has evidence to investigate suspicious connectivity discovery on Android and iOS. Because the ATT&CK object provides no official detection logic, priority should go to validating telemetry coverage, mobile incident response procedures, and whether mobile events can be correlated with identity, network, and endpoint evidence during an investigation.
Technical view
This detection strategy is linked to ATT&CK technique T1422.001, Internet Connection Discovery, in the mobile domain. SOC and detection teams should validate whether they can observe mobile device network-state checks, command or diagnostic activity where available, and subsequent outbound connection attempts. The related technique notes Android and iOS, and gives Android examples such as use of adb shell netstat, so validation should be platform-specific and based on what the organization can lawfully and technically collect from managed mobile devices.
Likely telemetry
- Mobile device management or enterprise mobility management security events
- Mobile endpoint or mobile threat defense alerts where deployed
- Android diagnostic, shell, or ADB-related activity where available
- iOS device security and network-related management telemetry where available
- Network connection metadata from mobile devices, VPNs, secure web gateways, DNS, or proxy infrastructure
Detection direction
- Validate that mobile telemetry exists before writing analytic assumptions; the ATT&CK object does not provide official detection logic or platforms of its own.
- Look for suspicious connectivity checks in context, especially when followed by outbound communications to unusual infrastructure or other mobile discovery behavior.
- Tune carefully because Internet reachability checks are common in legitimate mobile apps, operating systems, VPN clients, device management agents, and captive portal workflows.
- Correlate mobile network evidence with device ownership, management state, user identity, app inventory, and recent security alerts to reduce false positives.
- For Android, assess whether ADB or shell-oriented evidence is available in managed-device or forensic workflows; do not assume this telemetry exists in routine SOC pipelines.
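As an added illustration (not part of the ATT&CK object or of Glexia's own analysis), the following Python sketch applies the sequencing idea above to constructed proxy-style mobile connection metadata: a reachability check followed within a short window by an outbound connection to a host the organization does not already know, with unmanaged devices ranked higher because they offer less corroborating context. The hostnames, device ids, window length and log lines are all assumed placeholders.

```python
"""Added example: flag a reachability check followed shortly by an outbound
connection to unfamiliar infrastructure, ranking by device management state.
All hostnames, device ids and log lines are constructed placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: reachability endpoints apps/OS probe, and hosts already known
# to the organization (MDM, corporate mail). Tune both to local reality.
CONNECTIVITY_CHECK_HOSTS = {"connectivity-check.example", "captive-portal.example"}
KNOWN_GOOD_HOSTS = {"mdm.corp.example", "mail.corp.example"} | CONNECTIVITY_CHECK_HOSTS
WINDOW = timedelta(minutes=5)  # assumed follow-on window

# Constructed proxy/SWG-style metadata: "<iso-ts> <device_id> <managed|unmanaged> <dest_host>"
SAMPLE_LOG = """\
2026-01-10T08:00:01Z dev-001 managed connectivity-check.example
2026-01-10T08:00:04Z dev-001 managed mail.corp.example
2026-01-10T08:01:10Z dev-002 unmanaged captive-portal.example
2026-01-10T08:02:30Z dev-002 unmanaged 203.0.113.77
2026-01-10T09:15:00Z dev-003 managed connectivity-check.example
2026-01-10T09:16:20Z dev-003 managed unknown-host.example
2026-01-10T10:30:00Z dev-003 managed connectivity-check.example
2026-01-10T11:00:00Z dev-003 managed unknown-host.example
"""

def parse(log):
    """Group events per device as (timestamp, is_managed, destination)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, dev, managed, host = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[dev].append((t, managed == "managed", host))
    return events

def find_followups(log, window=WINDOW):
    """Return (device, check_host, next_host, severity) for each reachability
    check followed within `window` by a connection to a host not already known."""
    findings = []
    for dev, evs in parse(log).items():
        evs.sort()
        for i, (t0, managed, host) in enumerate(evs):
            if host not in CONNECTIVITY_CHECK_HOSTS:
                continue
            for t1, _, nxt in evs[i + 1:]:
                if t1 - t0 > window:
                    break  # follow-on too late to count as one sequence
                if nxt not in KNOWN_GOOD_HOSTS:
                    findings.append((dev, host, nxt, "medium" if managed else "high"))
                    break
    return findings
```

The device whose check is followed only by a known corporate host, and the one whose next unfamiliar connection falls outside the window, produce no finding; that is the tuning point the bullets above describe.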
Mitigation priorities
- Prioritize managed mobile device enrollment and policy coverage for devices that access business systems.
- Ensure mobile security telemetry can be retained, searched, and correlated with identity and network logs during investigations.
- Restrict or monitor risky administrative/debug capabilities such as ADB where applicable to managed Android environments.
- Use mobile application governance, network controls, and secure access policies to limit unmanaged or untrusted device access to sensitive services.
- Document mobile detection and response evidence for compliance and incident readiness, especially where mobile devices support regulated or mission-critical workflows.
Analyst notes and limits
The supplied ATT&CK detection strategy is sparse: it has no official description, no official detection text, no tactics, and no directly specified platforms. The practical guidance above is derived from its relationship to T1422.001 Internet Connection Discovery in the mobile domain, whose related platforms are Android and iOS.
This take should not be read as a ready-to-deploy analytic. Local mobile management architecture, privacy constraints, device ownership model, logging availability, and network routing determine what can actually be detected. No active exploitation, attribution, impact, or guaranteed coverage is stated by the supplied ATT&CK fields.
Detection of Internet Connection Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422.001 | Internet Connection Discovery Sub-technique | This object detects Internet Connection Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4162e5247f0e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0708
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.