DET0645: Detection of Lockscreen Bypass
Analyst context for executives and security teams
DET0645 is a mobile detection strategy for identifying possible lockscreen bypass behavior. The business issue is not malware alone: if someone with physical access can unlock a mobile device without the legitimate user’s normal authentication, they may gain access to corporate apps, email, tokens, messages, and locally cached data. Because the ATT&CK object has no official detection text, this should be treated as a coverage-planning item rather than a ready-made analytic.
Executive priority
Prioritize this where mobile devices provide access to sensitive business systems, executive communications, regulated data, or operational workflows. Leaders should ask whether mobile lock policies, biometric/passcode requirements, lost-device response, and mobile incident handling are documented, tested, and auditable for Android and iOS devices. This also matters for compliance evidence: the organization should be able to show how it enforces device lock requirements and responds when physical access or unlock integrity is in question.
Technical view
This detection strategy detects the mobile ATT&CK technique T1461, Lockscreen Bypass, which applies to Android and iOS. SOC, IR, and mobile security teams should validate whether they can observe device state changes and suspicious authentication or unlock-related events through MDM/UEM, mobile OS management telemetry, identity logs for mobile app access after unlock, and incident reports involving physical device access. Because ATT&CK provides no detection logic for DET0645, teams should build environment-specific hypotheses around abnormal unlock patterns, biometric/passcode policy exceptions, device restart/passcode enforcement behavior, lost or seized device timelines, and access to corporate resources shortly after questionable physical access.
Likely telemetry
- MDM/UEM device compliance and lock policy status for Android and iOS
- Mobile device inventory, ownership, lost/stolen status, and last check-in records
- Authentication and session logs for corporate mobile apps accessed from managed devices
- Identity provider logs showing mobile device access after unusual device state or physical custody events
- Mobile OS or management events related to passcode, biometric, restart, unlock, and policy enforcement where available
Detection direction
- Confirm which Android and iOS unlock, passcode, biometric, restart, and compliance events are actually available from the organization’s MDM/UEM and identity tooling.
- Treat DET0645 as a detection coverage objective, not a MITRE-supplied analytic; no official ATT&CK detection logic is provided for this object.
- Correlate mobile access to sensitive services with device custody events, lost-device reports, compliance changes, and abnormal unlock-related indicators where telemetry exists.
- Tune carefully for false positives: legitimate user unlocks, biometric failures, device restarts, OS updates, and help desk recovery actions may resemble suspicious activity without custody or identity context.
- Validate visibility gaps for unmanaged devices, personally owned devices, devices not checking in, or platforms where unlock telemetry is limited.
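The correlation described in the detection direction above, shown as an added example that is not part of the Glexia page or any MITRE-supplied analytic. It joins constructed MDM/UEM custody events (lost/recovered reports, lock-policy compliance) with constructed identity-provider access events and flags mobile access that follows a lost-device report or comes from a device failing its lock policy. The event names, field layout, sensitive-app list and 24-hour custody window are all assumptions to be replaced with what the organization's own tooling actually exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Event names and tuple layout
# are assumptions; map them to the fields your MDM/UEM and IdP really emit.
MDM_EVENTS = [
    # (timestamp, device_id, event)
    ("2025-03-01T08:00:00", "dev-001", "compliance_ok"),
    ("2025-03-01T09:15:00", "dev-001", "lost_reported"),
    ("2025-03-01T13:00:00", "dev-001", "recovered"),
    ("2025-03-01T09:40:00", "dev-002", "lock_policy_noncompliant"),
]

IDP_EVENTS = [
    # (timestamp, device_id, user, app)
    ("2025-03-01T08:30:00", "dev-001", "alice", "mail"),      # before the lost report
    ("2025-03-01T10:05:00", "dev-001", "alice", "payroll"),   # after the lost report
    ("2025-03-01T14:30:00", "dev-001", "alice", "mail"),      # after recovery
    ("2025-03-01T11:00:00", "dev-002", "bob", "payroll"),     # device failing lock policy
    ("2025-03-01T11:10:00", "dev-003", "carol", "payroll"),   # no custody event on record
]

SENSITIVE_APPS = {"payroll", "admin-console"}   # assumed list of sensitive services
CUSTODY_WINDOW = timedelta(hours=24)            # assumed review window after a lost report


@dataclass
class Finding:
    device_id: str
    user: str
    app: str
    access_time: datetime
    reason: str


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def custody_state(device_id: str, at: datetime, mdm_events):
    """Replay MDM events for one device up to time `at` and return its
    custody/compliance state at that instant (latest event wins)."""
    state = {"lost_since": None, "noncompliant": False}
    # ISO-8601 timestamps sort correctly as strings, so tuple sort is chronological.
    for ts, dev, event in sorted(mdm_events):
        t = _ts(ts)
        if dev != device_id or t > at:
            continue
        if event == "lost_reported":
            state["lost_since"] = t
        elif event == "recovered":
            state["lost_since"] = None
        elif event == "lock_policy_noncompliant":
            state["noncompliant"] = True
        elif event == "compliance_ok":
            state["noncompliant"] = False
    return state


def correlate(idp_events, mdm_events, sensitive_apps=SENSITIVE_APPS,
              window=CUSTODY_WINDOW):
    """Flag mobile access events that coincide with questionable device custody.

    Any access within `window` of an unresolved lost-device report is flagged
    regardless of app, because the device should be locked or revoked by then.
    Access from a device failing its lock policy is flagged only for sensitive
    apps, to keep noise from ordinary compliance drift manageable."""
    findings = []
    for ts, dev, user, app in idp_events:
        t = _ts(ts)
        st = custody_state(dev, t, mdm_events)
        if st["lost_since"] is not None and t - st["lost_since"] <= window:
            findings.append(Finding(dev, user, app, t,
                                    "access after lost/stolen report"))
        elif st["noncompliant"] and app in sensitive_apps:
            findings.append(Finding(dev, user, app, t,
                                    "sensitive app access from device failing lock policy"))
    return findings


if __name__ == "__main__":
    for f in correlate(IDP_EVENTS, MDM_EVENTS):
        print(f"{f.access_time.isoformat()} {f.device_id} {f.user} {f.app}: {f.reason}")
```

The two findings this produces (dev-001's payroll access after the lost report, dev-002's payroll access while non-compliant) are exactly the cases the tuning bullet warns are easy to miss without custody context; the recovered-device access and the device with no custody history are left alone. Feed the output into case management rather than blocking automatically, since a help desk recovery or a late "recovered" event can explain the same pattern.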
Mitigation priorities
- Enforce mobile passcode and lockscreen requirements through MDM/UEM for managed Android and iOS devices.
- Require rapid reporting and response for lost, stolen, or physically accessed devices, including session revocation and device lock or wipe decisions where policy permits.
- Review biometric use policies and ensure passcode fallback requirements align with organizational risk, especially for high-risk users and sensitive roles.
- Limit mobile access to sensitive systems based on device compliance and managed-device posture.
- Maintain incident response playbooks for suspected mobile physical access events, including evidence preservation, identity session review, and business impact assessment.
Analyst notes and limits
The supplied ATT&CK detection strategy is sparse: it has a name, external reference, and relationship showing it detects T1461 Lockscreen Bypass. The related technique description supports physical-access mobile risk and notes Android and iOS. Local device management capabilities will determine whether meaningful detection is possible.
No official description, detection text, tactics, or platforms are specified directly on DET0645. Platform context comes only from the related T1461 technique. This analysis does not assert active exploitation, attribution, guaranteed observability, or complete detection coverage.
Detection of Lockscreen Bypass
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1461 | Lockscreen Bypass | This object detects Lockscreen Bypass. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf3009eb756a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0645 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.