AN1820: Analytic 1820

Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context.

MobileAN1820AnalyticObject v1.1 Modified May 12, 2026, 16:30 UTC (UTC+00:00)

This analytic matters because mobile device management consoles can become high-leverage control points for Android fleets. The behavior described is not simply a suspicious login; it is anomalous access to remote device management or enterprise mobility management control planes followed by device queries, location requests, or management actions that do not fit the user’s role, past behavior, or device ownership context.

Executive priority

Security leaders should treat this as a control-plane monitoring priority for managed Android environments. The business question is whether the organization can prove who accessed mobility management tools, what device actions they performed, and whether those actions were appropriate for the user’s role and assigned devices. This supports incident response decisions, identity governance, privacy oversight around location access, and audit evidence for privileged administrative activity.

Technical view

For SOC, detection engineering, and IR teams, validation should focus on Android enterprise mobility management or remote device management administrative activity. Since ATT&CK provides no detection logic, teams should build coverage around sequences: anomalous control-plane access followed by device-state queries, location requests, or management actions. Baselines should consider user role, historical admin behavior, managed-device ownership context, and expected support workflows. Tactics are not specified, and no relationship context is supplied, so local environment modeling is required.

Likely telemetry

Remote device management or enterprise mobility management control-plane authentication logs
Administrative audit logs for device-state queries
Administrative audit logs for location requests
Administrative audit logs for management actions against Android devices
Identity and access management context for user role and privilege level

Detection direction

Confirm that EMM/RDM administrative activity is centrally logged and retained, not only device-side events.
Correlate control-plane access with subsequent device queries, location requests, and management actions rather than alerting only on login events.
Tune analytics against role, historical behavior, and device ownership context to reduce false positives from help desk, mobility operations, and approved administrative workflows.
Review whether location requests receive higher scrutiny because they may carry privacy, compliance, and employee-trust implications.
Identify blind spots where third-party management consoles, delegated admin roles, or API-based actions are not included in SIEM or detection pipelines.

Mitigation priorities

Maintain least-privilege administrative roles for remote device management and enterprise mobility management platforms.
Require strong identity controls for management-console access, especially for privileged or delegated administrators.
Regularly review device ownership mappings and administrator role assignments so behavioral checks have reliable context.
Ensure management actions, device-state queries, and location requests are auditable and retained for investigation and compliance evidence.
Define incident response procedures for suspicious mobile management activity, including validation of affected Android devices and review of administrative actions.

Analyst notes and limits

This object is a mobile ATT&CK detection analytic for Android environments. Its value is in highlighting suspicious use of EMM/RDM control planes where administrative access is followed by device-state, location, or management activity that does not match role or ownership expectations. No ATT&CK relationships, tactics, aliases, or official detection logic were supplied.

Assessment is limited to the supplied ATT&CK fields and external reference. There is no provided detection code, no tactic mapping, and no relationship context. Actual detection feasibility depends on the organization’s EMM/RDM platform logging, identity context, device ownership data quality, and SIEM correlation capability.

Official MITRE ATT&CK definition

Analytic 1820

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: May 12, 2026, 16:30 UTC (UTC+00:00)
Raw hash: d51c44a33235a550...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	May 12, 2026, 16:30 UTC (UTC+00:00)	Current bundle	`d51c44a33235…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1820
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use