DC0118: System Settings
System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.
Monitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.
Collection Methods
- MDM device telemetry
- Mobile EDR monitoring
- OS configuration monitoring
Analyst context for executives and security teams
System Settings is a mobile ATT&CK data component focused on changes to user-visible or OS-level configuration that affect device behavior, application permissions, connectivity, or system features. For leaders, its value is not a single alert: it is evidence that mobile devices are being configured in ways that could weaken security, change access, or indicate compromise. Because ATT&CK provides no specific detection logic here, organizations should treat this as a telemetry and governance question: do we know when important mobile settings change, who or what changed them, and whether the change is expected?
Executive priority
Prioritize this where mobile devices support privileged access, regulated data handling, field operations, or executive communications. The business decision is whether MDM, mobile EDR, and OS configuration monitoring can provide auditable evidence of risky configuration drift and support incident response when a device behaves unexpectedly. This data component can help security leaders validate mobile control coverage, compliance evidence, and operational resilience, but local policy must define which setting changes are material.
Technical view
SOC, detection engineering, and IR teams should validate collection of mobile system setting changes through the collection methods named by ATT&CK: MDM device telemetry, mobile EDR monitoring, and OS configuration monitoring. Since no ATT&CK detection is provided and no tactics or relationships are supplied, detection content should be built around locally defined high-risk settings, unexpected permission or connectivity changes, changes outside approved management workflows, and correlation with device posture or other mobile alerts.
Likely telemetry
- MDM device telemetry showing configuration state and configuration changes
- Mobile EDR monitoring events related to device behavior or configuration changes
- OS configuration monitoring records for user-visible or OS-level settings
- Device identity, user identity, enrollment, and management status associated with setting changes
- Timestamps and change context sufficient to distinguish managed policy updates from user or abnormal changes
Detection direction
- Establish a baseline of expected mobile system settings for managed device groups and roles.
- Alert or review changes to settings that influence application permissions, connectivity, device behavior, or system features when they fall outside approved policy.
- Correlate setting changes with MDM compliance status, mobile EDR events, and recent device/user activity to reduce false positives.
- Tune out expected changes from sanctioned MDM policy deployments, OS updates, and authorized user workflows.
- Document blind spots where unmanaged devices, incomplete MDM enrollment, limited mobile EDR coverage, or OS telemetry restrictions prevent reliable visibility.
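The steps above as one triage pass over setting-change events. This is an added example, not ATT&CK or Glexia code. The event schema, setting names, device group, baseline values and 24-hour deployment window are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed baseline of security-relevant settings per device group (assumed names).
BASELINE = {"field-ops": {"unknown_sources": "disabled",
                          "developer_options": "disabled",
                          "vpn_always_on": "enabled"}}
# Constructed log of sanctioned MDM policy pushes: (group, setting, pushed_at).
SANCTIONED = [("field-ops", "vpn_always_on", datetime(2025, 3, 1, 9, 0))]
DEPLOY_WINDOW = timedelta(hours=24)  # assumed tolerance after a policy push

def ev(device, setting, new, source, ts, enrolled=True, compliant=True, group="field-ops"):
    """Build one event in a hypothetical normalized MDM/EDR schema."""
    return dict(device=device, setting=setting, new=new, source=source, ts=ts,
                enrolled=enrolled, compliant=compliant, group=group)

# Constructed setting-change events.
EVENTS = [
    ev("dev-A", "unknown_sources", "enabled", "user", datetime(2025, 3, 2, 14, 5), compliant=False),
    ev("dev-B", "vpn_always_on", "disabled", "mdm", datetime(2025, 3, 1, 10, 0)),
    ev("dev-C", "developer_options", "enabled", "user", datetime(2025, 3, 2, 8, 0), enrolled=False),
    ev("dev-D", "wallpaper", "blue", "user", datetime(2025, 3, 2, 9, 0)),
    ev("dev-E", "developer_options", "enabled", "user", datetime(2025, 3, 3, 11, 0)),
]

def sanctioned(e):
    """True when the change came from MDM shortly after an approved push."""
    return e["source"] == "mdm" and any(
        (g, s) == (e["group"], e["setting"]) and timedelta(0) <= e["ts"] - t <= DEPLOY_WINDOW
        for g, s, t in SANCTIONED)

def triage(e):
    """Classify one setting change as blind_spot, ignore, suppress or alert-*."""
    if not e["enrolled"]:
        return "blind_spot"          # visibility gap: record it, do not trust state
    expected = BASELINE.get(e["group"], {}).get(e["setting"])
    if expected is None or e["new"] == expected:
        return "ignore"              # not security-relevant, or matches baseline
    if sanctioned(e):
        return "suppress"            # expected drift from an approved deployment
    # Correlate with compliance posture to rank what remains.
    return "alert-medium" if e["compliant"] else "alert-high"

def run(events=EVENTS):
    """Return {device: verdict} for a batch of events."""
    return {e["device"]: triage(e) for e in events}

if __name__ == "__main__":
    for device, verdict in run().items():
        print(device, verdict)
```

A `suppress` verdict on a setting that now differs from the baseline is also a cue to update the baseline, so the next pass does not depend on the deployment window.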
Mitigation priorities
- Define which mobile system settings are security-relevant for the organization and map them to approved baselines.
- Use MDM policy where available to enforce or monitor required configuration states.
- Ensure mobile EDR and OS configuration monitoring are deployed consistently for in-scope devices.
- Create incident response playbooks for investigating unexpected setting changes, including validation of device ownership, enrollment state, and recent management actions.
- Maintain audit evidence showing configuration baselines, exceptions, and review outcomes for compliance readiness.
Analyst notes and limits
This object is a data component, not a technique. Its defensive value depends on whether the organization can collect and interpret mobile configuration-change evidence. The absence of supplied relationships means no specific adversary behavior, tactic, or technique context should be inferred from this object alone.
ATT&CK does not provide official detection logic, tactics, platforms, or relationship context for this object in the supplied fields. Any severity model, setting list, or detection rule must be derived from local mobile policy, device management architecture, and available telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 3605a32108e2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0118
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.