MITRE ATT&CK® Detection Strategy

DET0718: Detection of Ingress Tool Transfer


Mobile | DET0718 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0718 is a mobile ATT&CK detection strategy for identifying Ingress Tool Transfer: situations where an adversary moves tools or files onto a compromised mobile device to enable follow-on activity. For leaders, the value is not simply spotting a file download; it is confirming whether mobile security monitoring can distinguish expected app or user file movement from suspicious transfer of utilities, payloads, or other files that may expand an incident.

Executive priority

Treat this as a readiness check for mobile incident response and monitoring coverage. If Android or iOS devices are in scope for business operations, executives should ask whether the organization can collect enough mobile, network, and device-management evidence to investigate suspicious file transfer onto devices. The priority is strongest where mobile devices access sensitive data, privileged workflows, or regulated systems, because poor visibility can delay containment and weaken audit evidence during an incident.

Technical view

The supplied ATT&CK object has no official description, detection text, tactics, or platforms of its own, but it detects mobile technique T1544, Ingress Tool Transfer, which is associated with Android and iOS. SOC and IR teams should validate whether their mobile telemetry can show externally sourced file transfers, files delivered over the command-and-control channel, or transfers over alternate protocols such as FTP where those are observable. Detection engineering should focus on correlating mobile device activity, network connections, file creation or download events where available, and mobile device management/security alerts, rather than relying on a single event type.

Likely telemetry

  • Mobile device management or mobile endpoint security events for Android and iOS devices
  • Network telemetry showing mobile device connections to external systems
  • Proxy, DNS, firewall, or secure web gateway logs associated with mobile device traffic
  • File download, file creation, or application storage events where mobile tooling provides them
  • Alerts or logs indicating use of alternate transfer protocols such as FTP where monitored

Detection direction

  • Validate that monitored Android and iOS devices can be tied to user, device, and network identity so suspicious transfers can be investigated quickly.
  • Look for unusual externally sourced files or tools appearing on a device, especially when correlated with suspicious network sessions or other mobile compromise indicators.
  • Tune out common legitimate mobile behavior such as normal app updates, enterprise app deployment, user document downloads, and approved file-sharing activity.
  • Assess blind spots where mobile operating system restrictions, BYOD scope, privacy settings, or lack of mobile endpoint telemetry prevent file-level visibility.
  • Because ATT&CK provides no official detection logic for this object, document local analytic assumptions and test them against representative benign mobile transfer activity.
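The correlation and tuning points above, carried through as an added example (this is not code from the Glexia page or from MITRE ATT&CK): the routine joins MDM file-download events to network-session records by device and time window, enriches each hit with the device-to-user inventory, suppresses downloads from approved enterprise sources, and scores what remains so that an analyst sees the most suspicious transfer first. All log records, host names, field names, the allowlist, and the scoring weights are constructed assumptions for illustration.

```python
"""
Added example for DET0718-style triage (not part of the original page).
Joins constructed MDM download events to constructed network sessions,
suppresses approved sources, and scores the rest for analyst review.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed allowlist: enterprise app store, MDM content push, approved file sharing.
APPROVED_SOURCES = {"apps.corp.example", "mdm.corp.example", "files.corp.example"}
# Extensions that suggest a tool or payload rather than a user document (assumption).
TOOL_EXTENSIONS = {".apk", ".ipa", ".sh", ".so", ".dex", ".dylib"}
# Protocols treated as "alternate transfer protocols" for scoring (assumption).
ALTERNATE_PROTOCOLS = {"ftp", "ftps", "tftp", "sftp"}

# Constructed device inventory: device id -> (user, platform, managed?)
INVENTORY = {
    "dev-001": ("alice", "android", True),
    "dev-002": ("bob", "ios", True),
    "dev-003": (None, "android", False),  # BYOD, unmanaged: a known blind spot
}


@dataclass
class Download:
    ts: datetime
    device_id: str
    path: str
    source_host: str


@dataclass
class Session:
    ts: datetime
    device_id: str
    dest_host: str
    protocol: str
    bytes_in: int


@dataclass
class Alert:
    device_id: str
    user: Optional[str]
    managed: bool
    path: str
    source_host: str
    score: int
    reasons: List[str]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample MDM download events.
DOWNLOADS = [
    Download(ts("2024-05-01T09:00:00"), "dev-001", "/Download/report.pdf", "files.corp.example"),
    Download(ts("2024-05-01T09:12:00"), "dev-001", "/Download/update.apk", "203.0.113.7"),
    Download(ts("2024-05-01T10:30:00"), "dev-002", "/Documents/invoice.pdf", "cdn.example.net"),
    Download(ts("2024-05-01T11:05:00"), "dev-003", "/Download/helper.sh", "198.51.100.9"),
]

# Constructed sample network sessions (proxy / firewall style records).
SESSIONS = [
    Session(ts("2024-05-01T09:10:00"), "dev-001", "203.0.113.7", "ftp", 2_400_000),
    Session(ts("2024-05-01T09:11:00"), "dev-001", "mail.corp.example", "https", 12_000),
    Session(ts("2024-05-01T11:04:00"), "dev-003", "198.51.100.9", "https", 8_000),
]


def correlate(downloads: List[Download], sessions: List[Session],
              window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Return scored alerts for downloads not explained by approved sources."""
    alerts: List[Alert] = []
    for d in downloads:
        if d.source_host in APPROVED_SOURCES:
            continue  # tune-out: app updates, MDM pushes, approved file sharing
        reasons = ["source host not in approved list"]
        score = 1
        if os.path.splitext(d.path)[1].lower() in TOOL_EXTENSIONS:
            score += 1
            reasons.append("file type suggests a tool or payload")
        # Sessions from the same device to the same host around the download time.
        matched = [s for s in sessions
                   if s.device_id == d.device_id and s.dest_host == d.source_host
                   and abs(s.ts - d.ts) <= window]
        if matched:
            score += 1
            reasons.append("network session to source host within window")
            if any(s.protocol in ALTERNATE_PROTOCOLS for s in matched):
                score += 1
                reasons.append("alternate transfer protocol")
        user, _platform, managed = INVENTORY.get(d.device_id, (None, None, False))
        if not managed:
            reasons.append("device unmanaged: limited telemetry, needs manual review")
        alerts.append(Alert(d.device_id, user, managed, d.path, d.source_host, score, reasons))
    return sorted(alerts, key=lambda a: -a.score)


if __name__ == "__main__":
    for a in correlate(DOWNLOADS, SESSIONS):
        print(a.score, a.device_id, a.user, a.path, a.source_host, "; ".join(a.reasons))
```

The approved-source suppression is where most of the tuning work lives in practice: the allowlist should be built from the enterprise app store, MDM content distribution, and sanctioned file-sharing hosts actually observed in benign traffic, then re-tested whenever a new distribution path is introduced. Unmanaged devices are not scored higher here; they are tagged so the analyst knows the evidence is incomplete rather than conclusive.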

Mitigation priorities

  • Start with visibility: confirm which Android and iOS populations are managed, monitored, and in scope for investigation.
  • Enforce mobile device management and approved application controls where applicable to reduce unmanaged file transfer paths.
  • Use network security controls and logging to monitor or restrict unnecessary external transfer protocols and destinations for mobile devices.
  • Prepare mobile IR procedures for triage, evidence preservation, and containment when suspicious file transfer is suspected.
  • Maintain compliance evidence showing mobile telemetry coverage, device ownership scope, and investigation procedures for regulated or sensitive mobile use cases.

Analyst notes and limits

This take is based on DET0718 and its relationship to T1544, Ingress Tool Transfer. The relationship context is the main source of technical substance: adversaries may transfer tools or files from an external system onto a compromised mobile device through command and control or alternate protocols such as FTP. Local mobile architecture, device ownership model, and logging capabilities will determine practical detection value.

The ATT&CK detection strategy object does not provide an official description, official detection text, tactics, or platforms. Platforms are inferred only from the related T1544 technique context, which lists Android and iOS. No claims are made about active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Ingress Tool Transfer

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Mobile | T1544 | Ingress Tool Transfer | This object detects Ingress Tool Transfer.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d3d01d4b2efae437...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d3d01d4b2efa…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0718 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.