DET0629: Detection of Exploitation for Client Execution
DET0629 is a mobile ATT&CK detection strategy tied to exploitation of client applications for code execution. For leaders, the practical issue is not a sin...
Analyst context for executives and security teams
DET0629 is a mobile ATT&CK detection strategy tied to exploitation of client applications for code execution. For leaders, the practical issue is not a single alert rule; it is whether the organization can recognize when a mobile app or mobile OS client-side vulnerability is being abused before it becomes an incident affecting data access, user trust, or operational continuity.
Executive priority
Prioritize this as a readiness question for mobile risk management: do security, mobile, identity, and incident response teams have evidence that vulnerable or exploited Android and iOS client applications can be identified, investigated, and contained? Because the official object does not provide detection logic, executives should use it to drive control validation, mobile telemetry coverage review, vulnerability prioritization, and incident decision-making playbooks rather than assume existing SOC coverage is sufficient.
Technical view
This detection strategy detects ATT&CK technique T1658, Exploitation for Client Execution, in the mobile domain. SOC and IR teams should validate visibility around Android and iOS client applications, especially indicators of abnormal application behavior, crash or exploit-related artifacts, suspicious child activity where available, unexpected permissions or runtime behavior, and post-exploitation activity following use of a vulnerable client app. Since no official detection text is supplied, detection engineering should be based on local mobile telemetry, mobile device management data, application inventory, vulnerability exposure, and incident response evidence.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance data
- Android and iOS application inventory and version information
- Mobile OS security, crash, diagnostic, or integrity signals where available
- Mobile threat defense or endpoint security alerts, if deployed
- Vulnerability and patch status for mobile operating systems and client applications
Detection direction
- Confirm whether the SOC can correlate mobile app/version exposure with suspicious mobile behavior and identity activity.
- Validate coverage separately for Android and iOS because available telemetry and investigation depth differ by platform and management model.
- Tune detections to avoid treating every app crash or outdated application as exploitation; prioritize combinations of vulnerable app exposure, anomalous behavior, security alerts, and follow-on account or network activity.
- Review blind spots for unmanaged devices, personal devices, privacy-restricted telemetry, and mobile apps outside enterprise inventory.
- Use the relationship to T1658 to focus detection on client-side exploitation leading to code execution, not generic mobile malware or routine vulnerability scanning.
Mitigation priorities
- Maintain accurate inventory of mobile devices, operating systems, and installed client applications.
- Prioritize timely patching or removal of vulnerable mobile OS versions and client applications.
- Enforce mobile management and compliance controls for devices accessing business data.
- Limit mobile access to sensitive resources based on device health, app posture, and identity risk where supported.
- Prepare IR procedures for isolating affected mobile devices, preserving relevant evidence, rotating credentials, and reviewing mobile-linked account activity.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, platforms, tactics, or detection text. The main usable context is its relationship to T1658, Exploitation for Client Execution, which is a mobile technique associated with Android and iOS. Treat this Glexia take as a defensive validation guide, not as a completed analytic rule.
No official detection logic, data sources, analytics, mitigations, or procedure examples were supplied. Local mobile management architecture, privacy constraints, device ownership model, logging availability, and app inventory determine what can actually be detected.
Detection of Exploitation for Client Execution
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1658 | Exploitation for Client Execution | This object detects Exploitation for Client Execution. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2023958ff972… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0629Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.