MITRE ATT&CK® Detection Strategy

DET0638: Detection of File Deletion


Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0638 is a mobile ATT&CK detection strategy for detecting file deletion associated with the Android File Deletion technique T1630.002. The business issue is not just that files are removed; deletion can disrupt operations, destroy evidence needed for incident response or compliance, and hide prior activity. Because MITRE provides no official detection text for this strategy, organizations should treat it as a coverage validation prompt rather than a ready-made analytic.

Executive priority

Prioritize this where Android devices store business records, regulated data, operational workflows, or incident evidence. Leaders should ask whether mobile device management, mobile threat defense, backup, and incident response processes can prove when files were deleted, by which app or administrative action where available, and whether device wipe or selective deletion would be noticed quickly enough to support containment, legal hold, and recovery decisions.

Technical view

The supplied relationship ties this detection strategy to T1630.002 File Deletion in the mobile domain, with Android as the related platform. SOC and IR teams should validate whether they can observe individual file deletion, suspicious bulk deletion, and administrative wipe-related activity on managed Android devices. Because the ATT&CK object has no platform field, tactic field, description, or official detection logic, detection engineering should be based on local Android management capabilities and the specific data locations that matter to the organization.

Likely telemetry

  • Mobile device management or enterprise mobility management events, especially device wipe or administrator-level actions
  • Mobile threat defense or endpoint telemetry from Android devices, where deployed
  • Application logs for business apps that create, modify, sync, or delete files
  • Cloud or enterprise file sync logs showing mobile-originated delete activity
  • Backup, restore, or retention system records showing missing or deleted mobile-originated data

Detection direction

  • Validate visibility for both full device wipe behavior and individual file deletion, since the related technique notes that a full wipe requires administrator access while some individual file deletion may not require special permissions depending on storage location.
  • Tune for context: deletion by an expected business app or user action may be normal, while unusual volume, unusual timing, deletion of high-value data, or deletion near other suspicious mobile events should raise priority.
  • Correlate mobile deletion evidence with identity, device compliance state, app inventory, and cloud sync activity to distinguish local deletion from synchronized enterprise data loss.
  • Confirm whether unmanaged Android devices, personally owned devices, encrypted app containers, or apps without central logging create blind spots.
  • Use this as a test case for IR readiness: determine whether responders can preserve evidence after suspected deletion and whether backups or retention can support recovery and compliance inquiries.
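The tuning and correlation points above can be exercised as a small triage routine over mobile deletion telemetry. The block below is an added example written for this page; it is not Glexia's, MITRE's, or any MDM vendor's code. The event format, the app names, the high-value data locations, the bulk threshold, and the approved-ticket list are all constructed assumptions that an organization would replace with its own app inventory, data classification, and change-management records.

```python
"""Added example (not code from the page or from MITRE/Glexia): apply the
tuning rules described above to constructed Android deletion telemetry.
Event shapes, app identifiers, paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning knobs: derive these from your own app inventory,
# data classification and MDM change-management process.
EXPECTED_DELETERS = {"com.example.notes", "com.example.sync"}  # apps whose deletes are routine
HIGH_VALUE_PREFIXES = ("/records/", "/evidence/")              # constructed data locations
BULK_THRESHOLD = 20                                            # deletes per device within the window
BULK_WINDOW = timedelta(minutes=5)
APPROVED_WIPE_TICKETS = {"CHG-1001"}                           # governed wipe approvals


def parse_event(line):
    """Parse one constructed 'key=value' telemetry line into a dict with a datetime 'ts'."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def triage(lines):
    """Return (severity, device, reason) findings for the supplied telemetry lines.

    Rules mirror the page's guidance: ungoverned administrative wipes,
    deletion of high-value data, deletion by an unexpected app, and
    unusual deletion volume within a short window.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    deletes_by_device = defaultdict(list)

    for e in events:
        dev = e["device"]
        if e["type"] == "device_wipe":
            # A full wipe needs administrator access; it should be tied to an approved change.
            if e.get("ticket") not in APPROVED_WIPE_TICKETS:
                findings.append(("high", dev, "administrative wipe without approved change ticket"))
            continue
        if e["type"] != "file_delete":
            continue
        deletes_by_device[dev].append(e)
        if e["path"].startswith(HIGH_VALUE_PREFIXES):
            findings.append(("high", dev, f"deletion of high-value data {e['path']} by {e['app']}"))
        if e["app"] not in EXPECTED_DELETERS:
            findings.append(("medium", dev, f"deletion by unexpected app {e['app']}"))

    # Volume rule: sliding window over each device's deletes, one finding per device.
    for dev, evs in deletes_by_device.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                findings.append(("medium", dev, f"{end - start + 1} deletions within {BULK_WINDOW}"))
                break
    return findings


# Constructed sample telemetry (not real device data): a cache cleanup burst by an
# expected app, one high-value delete by an unknown app, one approved wipe and one not.
_BASE = datetime(2026, 1, 5, 9, 0, 0)
SAMPLE_EVENTS = [
    f"ts={(_BASE + timedelta(seconds=i)).isoformat()} type=file_delete "
    f"device=android-A app=com.example.sync path=/cache/tmp{i}.dat"
    for i in range(25)
] + [
    "ts=2026-01-05T09:10:00 type=file_delete device=android-B app=com.unknown.app path=/records/invoice-2025.pdf",
    "ts=2026-01-05T09:11:00 type=device_wipe device=android-C admin=mdm-console ticket=CHG-1001",
    "ts=2026-01-05T09:12:00 type=device_wipe device=android-D admin=mdm-console",
]


def run_sample():
    """Run the triage rules over the constructed sample and return the findings."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, device, reason in run_sample():
        print(f"[{severity}] {device}: {reason}")
```

Device android-A trips only the volume rule because its deletes come from an expected app and touch no high-value location; whether that burst is benign cache maintenance is exactly the context question the guidance above asks a team to settle with its own app inventory. The wipe on android-C is silent because it carries an approved ticket, which is the auditable governance trail the mitigation list calls for.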

Mitigation priorities

  • Define which Android devices and business apps require managed logging, retention, and recovery because they handle important data.
  • Ensure administrative wipe capabilities are governed, approved, and auditable through mobile management processes.
  • Use least-privilege and app governance to reduce unnecessary access to sensitive files where mobile controls allow it.
  • Maintain backup, retention, and synchronization controls for mobile-accessed business data so deletion does not automatically become unrecoverable loss.
  • Document evidence sources and retention periods needed for incident response, legal hold, and audit support.

Analyst notes and limits

This take is based on the official DET0638 metadata and its relationship to T1630.002 File Deletion. The related technique description supports Android context, device wipe requiring administrator access, and individual file deletion depending on storage location. MITRE does not provide official detection logic for this detection strategy, so local telemetry validation is essential.

The object has no official description, no official detection field, no tactics, and no platforms specified on the detection strategy itself. Recommendations are therefore framed as validation directions derived from the supplied relationship context, not as confirmed ATT&CK detection coverage or vendor-specific implementation guidance.

Official MITRE ATT&CK definition

Detection of File Deletion

No official description is available in the imported ATT&CK source object.

The same entry is also published on attack.mitre.org (MITRE-hosted reference); links within this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1630.002
Name: File Deletion (Sub-technique)
Relationship / procedure: This object detects File Deletion.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: not shown
Modified: not shown
Raw hash: 36f1419fecafe4b2...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: not shown
Object version: 1.0
Modified: not shown
Status: Current bundle
Raw hash: 36f1419fecaf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0638 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.