MITRE ATT&CK® Detection Strategy

DET0605: Detection of Account Access Removal

Mobile | DET0605 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0605 is a mobile ATT&CK detection strategy for identifying account access removal behavior related to Android environments. The business concern is availability: if legitimate users are locked out, deleted, or have credentials manipulated, operational teams may lose access to mobile-dependent services, workflows, or communications during an incident.

Executive priority

Treat this as an availability and incident-readiness control question rather than only a mobile security alert. Leaders should ask whether the organization can prove who changed, locked, deleted, or reset mobile-related accounts; how quickly SOC or IT teams would notice legitimate-user lockout; and whether recovery processes are documented and auditable. This matters for business continuity, identity governance, incident response escalation, and compliance evidence around account administration.

Technical view

The supplied ATT&CK object has no official detection text and no platform on the detection strategy itself, but its relationship detects T1640 Account Access Removal in the mobile domain, with Android listed on the related technique. SOC and detection engineering teams should validate monitoring around account state changes that can remove legitimate access, including deletions, lockouts, credential changes, and administrative manipulation. IR teams should ensure alerts can be correlated with identity administration activity, help desk tickets, device/user context, and recovery actions so that malicious disruption can be separated from routine account lifecycle operations.

Likely telemetry

  • Identity and account administration audit logs showing account deletion, lockout, disablement, or credential reset events
  • Mobile device management or enterprise mobility management records for Android-associated users and devices, where present
  • Authentication logs showing sudden access failures after account state changes
  • Help desk, IAM workflow, or change-management records for approved account lifecycle actions
  • Administrative activity logs identifying the actor, time, target account, and source of the change

Detection direction

  • Validate that account access removal events are logged with enough detail to identify the administrator or process, target account, timestamp, and change type.
  • Tune detections around unusual or unauthorized account deletion, lockout, or credential-change activity, especially when not linked to expected IAM, HR, or help desk workflows.
  • Correlate account state changes with authentication failures and user reports to distinguish operational mistakes from intentional availability disruption.
  • Account for false positives from normal onboarding/offboarding, password resets, device replacement, policy enforcement, and automated identity lifecycle jobs.
  • Because ATT&CK provides no official detection logic for DET0605, local baselining and environment-specific identity workflows are required.
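One way to express the correlation described in this list, as an added example that is not MITRE's or Glexia's detection logic. Every record, field name, actor name and time window below is constructed for illustration and must be replaced with your own identity, MDM and ticketing data.

```python
from datetime import datetime, timedelta

# Constructed sample data; all field names and windows are assumptions for this example.
REMOVAL = {"delete", "lock", "disable", "credential_reset"}
APPROVAL_WINDOW = timedelta(hours=24)   # approval must precede the change by at most this
FAILURE_WINDOW = timedelta(hours=1)     # look-ahead for sign-in failures on the target
LIFECYCLE_ACTORS = {"svc-hr-offboard"}  # baselined automated identity lifecycle jobs

AUDIT = [
    {"actor": "admin.kim", "target": "j.doe", "change": "credential_reset", "time": "2024-05-01T09:00:00"},
    {"actor": "svc-hr-offboard", "target": "m.lee", "change": "disable", "time": "2024-05-01T02:00:00"},
    {"actor": "admin.ray", "target": "a.patel", "change": "lock", "time": "2024-05-01T14:00:00"},
    {"actor": "admin.ray", "target": "b.chan", "change": "delete", "time": "2024-05-01T14:02:00"},
    {"actor": "", "target": "c.wong", "change": "lock", "time": "2024-05-01T15:00:00"},
    {"actor": "admin.kim", "target": "n.new", "change": "create", "time": "2024-05-01T10:00:00"},
]
TICKETS = [{"target": "j.doe", "action": "credential_reset", "approved_at": "2024-05-01T08:30:00"}]
AUTH_FAILURES = [
    {"account": "a.patel", "time": "2024-05-01T14:05:00"},
    {"account": "a.patel", "time": "2024-05-01T14:07:00"},
    {"account": "j.doe", "time": "2024-04-30T22:00:00"},  # before the reset, so not counted
]

def _within(later, earlier, window):
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return timedelta(0) <= delta <= window

def triage(audit, tickets, failures, lifecycle_actors=LIFECYCLE_ACTORS):
    findings = []
    for ev in audit:
        if ev.get("change") not in REMOVAL:
            continue
        # Without actor, target and timestamp the event cannot be attributed or correlated.
        if not all(ev.get(k) for k in ("actor", "target", "time")):
            findings.append({"target": ev.get("target"), "verdict": "logging_gap", "failures": 0})
            continue
        approved = any(t["target"] == ev["target"] and t["action"] == ev["change"]
                       and _within(ev["time"], t["approved_at"], APPROVAL_WINDOW) for t in tickets)
        n_fail = sum(f["account"] == ev["target"] and _within(f["time"], ev["time"], FAILURE_WINDOW)
                     for f in failures)
        if approved or ev["actor"] in lifecycle_actors:
            verdict = "expected"
        else:
            verdict = "investigate" if n_fail else "review"
        findings.append({"target": ev["target"], "verdict": verdict, "failures": n_fail})
    return findings

if __name__ == "__main__":
    for f in triage(AUDIT, TICKETS, AUTH_FAILURES):
        print(f)
```

The "logging_gap" verdict surfaces events that fail the first bullet's logging requirement, so they are reported rather than silently dropped from correlation.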

Mitigation priorities

  • Prioritize strong governance over who can delete, lock, disable, or reset accounts tied to mobile access.
  • Require auditable approval paths for high-impact account lifecycle actions and retain evidence for investigations and compliance reviews.
  • Ensure rapid recovery procedures exist for legitimate users whose access is removed incorrectly or maliciously.
  • Review privileged access and administrative role assignments for mobile and identity administration functions.
  • Test incident response playbooks for user lockout or account manipulation scenarios affecting Android-related access.

Analyst notes and limits

The strongest relationship-driven context is that DET0605 detects T1640 Account Access Removal in the mobile ATT&CK domain, and the related technique lists Android as a platform. Since the detection strategy itself does not provide official description, detection logic, tactics, or platforms, this take focuses on defensive validation questions and telemetry classes rather than specific analytics.

Official DET0605 description and detection fields were not provided, and the detection strategy lists no platforms or tactics. Any implementation must be based on the organization’s actual identity, mobile management, logging, and account administration architecture.

Official MITRE ATT&CK definition

Detection of Account Access Removal

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1640 | Account Access Removal | This object detects Account Access Removal. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: df8ae7d774daa135...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | df8ae7d774da… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0605

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.