DET0655: Detection of Command and Scripting Interpreter
Analyst context for executives and security teams
This detection strategy is about finding mobile command or scripting interpreter use associated with ATT&CK technique T1623. For leaders, the practical issue is not the shell itself; it is that interpreter access can become a flexible way to run commands, scripts, or binaries on mobile systems. Because the supplied ATT&CK object has no official detection text, coverage should be treated as something to validate rather than assume.
Executive priority
Prioritize this as a mobile security readiness question: can the organization see and investigate suspicious command execution paths on Android and iOS environments where those devices matter to operations, identity access, regulated data, or incident response scope? Security leaders should ask whether mobile telemetry, MDM controls, debugging exposure, and SOC triage procedures provide enough evidence to support incident decisions and compliance narratives.
Technical view
The supplied detection strategy detects T1623, Command and Scripting Interpreter, in the mobile ATT&CK domain. The related technique notes that adversaries may abuse command and script interpreters to execute commands, scripts, or binaries, and that Android includes a Unix-like shell accessible through Android Debug Bridge. SOC and detection teams should validate whether mobile security tooling can observe interpreter invocation, command execution indicators, debugging/ADB exposure on Android, and related process or application activity. Because ATT&CK provides no official detection logic here, analytics should be locally derived and tested against expected administrative, developer, and support workflows.
Likely telemetry
- Mobile device management or enterprise mobility management compliance and configuration records
- Mobile threat defense or mobile EDR events where deployed
- Android debugging and ADB-related state, connection, or policy evidence
- Application, system, and process execution metadata where available from mobile platforms or security agents
- Device inventory and ownership context to distinguish managed, developer, test, and production devices
Detection direction
- Map detections to T1623 rather than to a tactic, because the supplied object does not specify tactics.
- Validate Android and iOS coverage separately; the relationship identifies both as related platforms, but available telemetry and control points differ significantly.
- On Android, specifically review whether ADB/debugging exposure and shell access are visible, governed, and alertable where relevant.
- Tune for legitimate developer, support, testing, and device-management activity to reduce false positives.
- Use device role, ownership, enrollment status, user context, and recent configuration changes as triage pivots.
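As an added example (not code from the page, MITRE or Glexia), the following Python joins constructed Android ADB/debugging and shell telemetry with a constructed device inventory and applies the triage pivots listed above: role, ownership and enrollment status decide whether an event is suppressed as an expected developer/support workflow or raised, and at what severity. All field names and event types are assumptions, not any MDM or MTD vendor's schema.

```python
# Added example, not from the page, MITRE or Glexia: joins constructed Android
# ADB/debugging and shell telemetry with a device inventory and applies the
# triage pivots above (role, ownership, enrollment). Field names are assumed.
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    platform: str   # "android" or "ios"
    role: str       # "production", "developer", "test" or "support"
    ownership: str  # "corporate" or "byod"
    enrolled: bool  # MDM enrollment status
# Constructed inventory: who owns the device and what it is for.
INVENTORY = {
    "dev-001": Device("dev-001", "android", "production", "corporate", True),
    "dev-002": Device("dev-002", "android", "developer", "corporate", True),
    "dev-003": Device("dev-003", "android", "production", "byod", False),
    "dev-004": Device("dev-004", "ios", "production", "corporate", True),
}
# Constructed telemetry: ADB debugging state changes and shell invocations.
EVENTS = [
    {"ts": "2024-05-01T08:00Z", "device_id": "dev-001", "type": "adb_debugging", "value": "enabled"},
    {"ts": "2024-05-01T08:05Z", "device_id": "dev-001", "type": "shell_exec", "value": "sh -c id"},
    {"ts": "2024-05-01T09:00Z", "device_id": "dev-002", "type": "adb_debugging", "value": "enabled"},
    {"ts": "2024-05-01T09:30Z", "device_id": "dev-003", "type": "shell_exec", "value": "sh"},
    {"ts": "2024-05-01T10:00Z", "device_id": "dev-004", "type": "shell_exec", "value": "sh"},
    {"ts": "2024-05-01T10:10Z", "device_id": "dev-999", "type": "shell_exec", "value": "sh"},
]

EXPECTED_ROLES = {"developer", "test", "support"}  # tuned-out workflows

def triage(events, inventory):
    """Return alerts for ADB/shell activity the device role does not explain."""
    alerts = []
    for ev in events:
        if ev["type"] == "adb_debugging" and ev["value"] != "enabled":
            continue  # only debugging being turned on is interesting here
        dev = inventory.get(ev["device_id"])
        if dev is None:  # unmanaged or unknown device: highest priority
            alerts.append({**ev, "severity": "high", "reason": "device not in inventory"})
        elif dev.platform != "android":
            continue  # ADB/shell analytics apply to Android; validate iOS separately
        elif dev.role in EXPECTED_ROLES and dev.enrolled:
            continue  # enrolled developer/test/support devices: expected activity
        else:
            sev = "high" if dev.ownership == "byod" or not dev.enrolled else "medium"
            alerts.append({**ev, "severity": sev, "role": dev.role, "ownership": dev.ownership,
                           "enrolled": dev.enrolled, "reason": f"{ev['type']} on {dev.role} device"})
    return alerts
```

Each alert keeps the original event plus the pivots, so the SOC can sort by severity and immediately see whether the device is enrolled, corporate-owned and what role it holds.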
Mitigation priorities
- Establish an inventory of managed mobile devices and identify where Android and iOS command execution visibility is required for business risk reasons.
- Restrict or govern debugging and administrative access paths, especially Android ADB, according to enterprise mobile policy.
- Ensure MDM or equivalent controls enforce baseline configuration, enrollment, and compliance status for devices in scope.
- Deploy or validate mobile security telemetry where interpreter abuse would be material to incident response or compliance evidence.
- Create IR playbooks for suspected mobile command execution that include device isolation, evidence preservation, user context review, and escalation criteria.
Analyst notes and limits
This take is based on a detection strategy object with external ID DET0655 and its relationship to T1623. The most important analyst action is coverage validation: confirm what the organization can actually see on mobile endpoints before writing detections or promising monitoring outcomes.
The supplied ATT&CK object has no official description, no official detection text, no tactics, and no platforms on the detection strategy itself. Platform context comes only from the related T1623 technique, which lists Android and iOS. Local telemetry, tooling, and mobile management architecture are required to turn this into operational detection logic.
Detection of Command and Scripting Interpreter
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1623 | Command and Scripting Interpreter | This object detects Command and Scripting Interpreter. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6ed60dc53f9f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0655
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.