DET0604: Detection of Compromise Hardware Supply Chain
Analyst context for executives and security teams
DET0604 is a detection strategy record for identifying compromise of the mobile hardware supply chain, mapped to T1474.002. The business issue is that hardware or firmware tampering can occur before an Android or iOS device reaches the organization, making normal endpoint-focused assumptions less reliable. Leaders should treat this as a supply chain assurance and mobile fleet trust problem, not only a SOC alerting problem.
Executive priority
Prioritize this where mobile devices are used for privileged access, regulated data, executive communications, field operations, or operational workflows. The key decision is whether the organization can prove device provenance, integrity checks, enrollment controls, and incident escalation paths before suspect hardware becomes trusted infrastructure. This also supports audit and risk discussions around supplier governance and mobile asset acceptance.
Technical view
The ATT&CK object provides no official detection text, platforms, or tactics; its only relationship is to T1474.002, which applies to Android and iOS. SOC, IR, mobile security, and asset teams should validate whether they can correlate device procurement and intake records with MDM/EMM enrollment, hardware identifiers (serial, IMEI), firmware/OS build information, device attestation or integrity status, and early network behavior from newly received devices. Detection engineering should focus on anomalies at onboarding and lifecycle transitions (first enrollment, return from repair, reassignment) rather than relying only on post-compromise behavioral alerts.
Likely telemetry
- Mobile device inventory and asset intake records
- Supplier, procurement, and chain-of-custody records for mobile hardware
- MDM/EMM enrollment, compliance, and configuration history
- Hardware identifiers, model information, firmware/OS build/version data
- Device integrity or attestation results where available
Detection direction
- Validate that mobile onboarding links a physical device to an approved purchase, expected model, expected identifiers, and authorized user or business unit.
- Tune for mismatches between procurement records, MDM/EMM inventory, device identifiers, firmware/OS versions, or compliance state.
- Review newly received or recently enrolled devices for unusual network destinations or behavior before they receive broad access.
- Account for false positives from legitimate refurbishment, repair, replacement, regional model variation, or normal firmware updates.
- Do not assume standard endpoint telemetry will expose hardware or firmware manipulation; identify where device attestation, supplier evidence, or manual inspection is required.
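The onboarding correlation described in the list above, as an added worked example that is not part of the ATT&CK record and does not use any vendor's MDM/EMM API. The procurement records, enrollment events, field names (`min_os`, `attestation`, `po`) and the repair-exception list are all constructed assumptions; a real implementation would read them from the asset system and the MDM/EMM export. It flags the mismatches the list calls for, suppresses the documented false-positive case (an approved repair that changed the IMEI), and maps the worst finding per device to an initial access tier.

```python
"""Correlate procurement/intake records with MDM/EMM enrollment data at onboarding.

Added example; schemas and sample records below are constructed, not from any
real fleet or management product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Procurement / intake records keyed by serial (constructed). "min_os" is the
# oldest OS release the intake team accepted for that model.
PROCUREMENT = {
    "SN-A1": {"po": "PO-1001", "model": "Pixel 8", "imei": "356789000000001", "min_os": "14.0"},
    "SN-B2": {"po": "PO-1001", "model": "Pixel 8", "imei": "356789000000002", "min_os": "14.0"},
    "SN-C3": {"po": "PO-1002", "model": "iPhone 15", "imei": "359876000000003", "min_os": "17.4"},
    "SN-D4": {"po": "PO-1003", "model": "Pixel 8", "imei": "356789000000004", "min_os": "14.0"},
    "SN-E5": {"po": "PO-1003", "model": "Pixel 8", "imei": "356789000000005", "min_os": "14.0"},
}

# Serials that went through an approved repair/refurbishment that replaced the
# mainboard and therefore the IMEI (assumed feed from the asset system).
REPAIR_EXCEPTIONS = {"SN-B2"}

# MDM/EMM enrollment events (constructed). Each comment states the scenario.
ENROLLMENTS = [
    {"serial": "SN-A1", "imei": "356789000000001", "model": "Pixel 8", "os": "14.0", "attestation": "pass"},
    {"serial": "SN-B2", "imei": "356789000000099", "model": "Pixel 8", "os": "14.0", "attestation": "pass"},      # IMEI changed by approved repair
    {"serial": "SN-C3", "imei": "359876000000003", "model": "iPhone 15", "os": "17.2", "attestation": "unknown"}, # older OS than intake minimum, no verdict
    {"serial": "SN-D4", "imei": "356789000000004", "model": "Pixel 7", "os": "14.0", "attestation": "fail"},      # wrong model and failed integrity check
    {"serial": "SN-ZZ", "imei": "351111000000009", "model": "Pixel 8", "os": "14.0", "attestation": "pass"},      # no purchase record at all
]
# SN-E5 was purchased but never enrolled: possible diversion or loss in transit.

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    serial: str
    severity: str
    check: str
    detail: str


def _version(v: str) -> tuple[int, ...]:
    """Compare dotted OS versions numerically so that "17.10" > "17.2"."""
    return tuple(int(p) for p in v.split("."))


def check_enrollment(e: dict, procurement: dict, repair_exceptions: set[str]) -> list[Finding]:
    """Compare one enrollment event against its procurement record."""
    s, findings = e["serial"], []
    rec = procurement.get(s)
    if rec is None:
        findings.append(Finding(s, "high", "no_procurement_record", "enrolled serial has no purchase/intake record"))
        return findings  # nothing further to compare against
    if e["model"] != rec["model"]:
        findings.append(Finding(s, "high", "model_mismatch", f"expected {rec['model']}, enrolled {e['model']}"))
    if e["imei"] != rec["imei"]:
        sev = "info" if s in repair_exceptions else "high"  # documented repair explains the change
        findings.append(Finding(s, sev, "imei_mismatch", f"expected {rec['imei']}, enrolled {e['imei']}"))
    if _version(e["os"]) < _version(rec["min_os"]):
        findings.append(Finding(s, "medium", "os_below_intake_minimum", f"{e['os']} < {rec['min_os']}"))
    att = e.get("attestation", "unknown")
    if att == "fail":
        findings.append(Finding(s, "high", "attestation_failed", "platform integrity check failed"))
    elif att != "pass":
        findings.append(Finding(s, "medium", "attestation_unavailable", "no integrity verdict; supplier evidence or manual inspection needed"))
    return findings


def access_decision(findings: list[Finding]) -> str:
    """Map the worst finding to the initial access tier granted at onboarding."""
    worst = max((SEVERITY[f.severity] for f in findings), default=0)
    if worst >= SEVERITY["high"]:
        return "quarantine"
    if worst >= SEVERITY["medium"]:
        return "limited"
    return "full"


def triage(enrollments: list[dict], procurement: dict, repair_exceptions: set[str]) -> dict[str, dict]:
    """Return {serial: {"findings": [...], "access": tier}} for every device seen on either side."""
    out = {}
    for e in enrollments:
        f = check_enrollment(e, procurement, repair_exceptions)
        out[e["serial"]] = {"findings": f, "access": access_decision(f)}
    enrolled = {e["serial"] for e in enrollments}
    for s in procurement:  # purchased but never enrolled: chase the chain of custody
        if s not in enrolled:
            out[s] = {"findings": [Finding(s, "low", "not_enrolled", "procured device has no enrollment")], "access": "none"}
    return out


if __name__ == "__main__":
    for serial, r in triage(ENROLLMENTS, PROCUREMENT, REPAIR_EXCEPTIONS).items():
        print(serial, r["access"], [(f.severity, f.check) for f in r["findings"]])
```

Running it prints SN-A1 as `full` with no findings, SN-B2 as `full` with only an info-level IMEI note, SN-C3 as `limited`, and SN-D4, SN-ZZ as `quarantine`; SN-E5 appears with `none` because it was never enrolled. The repair-exception set is what keeps the refurbishment case in the false-positive list above from paging an analyst; any other identifier change stays high severity.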
Mitigation priorities
- Establish supplier and procurement controls for mobile hardware sources before devices are accepted into inventory.
- Require controlled intake, asset registration, and MDM/EMM enrollment before business use.
- Use device integrity, attestation, firmware/OS validation, and compliance checks where supported by the mobile platform and management stack.
- Limit initial access for newly received or reintroduced devices until provenance and compliance checks are complete.
- Define IR playbooks for suspect mobile hardware, including quarantine, evidence preservation, replacement, and supplier escalation.
Analyst notes and limits
This detection strategy is sparse in the supplied ATT&CK fields: there is no official description or detection guidance for DET0604 itself. The strongest usable context is the relationship to T1474.002, which describes adversary manipulation of hardware or firmware in the supply chain before receipt by the final consumer, with relevance to Android and iOS.
Coverage cannot be assessed from this ATT&CK object alone. Organizations need local evidence from procurement, asset management, mobile management, attestation capability, network monitoring, and IR procedures. The object does not provide tactics, detailed analytics, data sources, mitigations, or detection logic.
Detection of Compromise Hardware Supply Chain
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1474.002 | Compromise Hardware Supply Chain (sub-technique) | This object detects Compromise Hardware Supply Chain. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fc7e6d6a7c25… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0604 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.