Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0647: Detection of Event Triggered Execution

DET0647 is a mobile ATT&CK detection strategy for identifying event-triggered execution related to Android persistence. The business significance is that m...

MobileDET0647Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0647 is a mobile ATT&CK detection strategy for identifying event-triggered execution related to Android persistence. The business significance is that malicious code may be configured to run automatically after events such as device boot, SMS receipt, or other device activity, allowing persistence without an obvious user action. For leaders, this is a mobile endpoint resilience and incident-response readiness issue: if mobile telemetry does not show which apps register for system events and when they execute, persistence can be difficult to confirm or disprove during an investigation.

Executive priority

Prioritize this where Android devices are material to operations, executive communications, field work, regulated workflows, or bring-your-own-device risk. Ask whether mobile security operations can produce evidence of app event subscriptions, boot-time execution, SMS-related triggers, and suspicious repeated background execution. This helps support incident scoping, compliance evidence, and decisions about whether mobile device management, mobile threat defense, or app governance controls are sufficient.

Technical view

The supplied ATT&CK object has no official detection text and no platform listed on the detection strategy itself, but its relationship detects T1624, Event Triggered Execution, in the mobile domain, with Android as the related platform. SOC and IR teams should validate visibility into Android mechanisms that allow apps or components to execute in response to system or device events. Detection engineering should focus on identifying unusual or risky event subscriptions and correlating them with subsequent execution behavior, especially around boot completion, SMS receipt, and other device activities referenced by the related technique.

Likely telemetry

  • Mobile device management or mobile threat defense inventory of installed Android apps and permissions
  • Android application manifest or component metadata showing event receivers or equivalent event subscriptions
  • Device security logs or mobile EDR/MTD telemetry showing app execution after system events
  • Boot-time and background execution activity from managed Android devices
  • SMS-related permission and event activity where available and legally/organizationally appropriate

Detection direction

  • Validate that detection coverage is based on observable event-triggered execution behavior, not only static app reputation.
  • Correlate event subscription metadata with actual execution following relevant events such as boot completion or SMS receipt.
  • Tune for legitimate mobile management, messaging, security, accessibility, and productivity apps that may validly subscribe to common events.
  • Prioritize anomalous combinations: newly installed or rarely used apps, broad permissions, background execution, and repeated execution after device events.
  • Confirm whether unmanaged or BYOD Android devices are outside collection scope, because that may create a material blind spot.

Mitigation priorities

  • Establish mobile asset and ownership scope first, including which Android devices are managed, monitored, or excluded.
  • Enforce app governance through approved app sources, application allow/block decisions, and review of risky permissions where supported by local controls.
  • Ensure mobile security tooling can collect app metadata and execution evidence needed for IR, not just compliance inventory.
  • Apply least-privilege and mobile management policies that limit unnecessary background activity or high-risk permissions where feasible.
  • Document telemetry retention and investigation procedures so event-triggered persistence can be assessed during mobile incidents.
Analyst notes and limits

This take is constrained by sparse official fields: DET0647 has no ATT&CK-provided description or detection text. The practical guidance is derived from the supplied relationship showing that the strategy detects T1624, Event Triggered Execution, in the mobile ATT&CK domain, and from the related technique description referencing Android event mechanisms such as SMS receipt and device boot completion.

No active exploitation, actor attribution, prevalence, specific tooling, or guaranteed detection coverage is supported by the supplied data. Local device management model, telemetry availability, privacy rules, and mobile security tooling determine what can actually be detected or proven.

Official MITRE ATT&CK definition

Detection of Event Triggered Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1624 Event Triggered Execution This object detects Event Triggered Execution.
Relationship explorer

All related ATT&CK context

detects · Technique T1624: Event Triggered Execution Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
87cef5df653d7fb0...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 87cef5df653d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0647
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use