MITRE ATT&CK® Detection Strategy

DET0660: Detection of Data Manipulation

Mobile | DET0660 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0660 is a mobile ATT&CK detection strategy for identifying Data Manipulation behavior related to T1641. The business significance is that manipulated mobile or application data can distort decisions, business processes, investigations, or evidence trails even when systems remain available. Because MITRE provides no official detection text for this strategy, teams should treat it as a coverage-planning prompt: confirm whether critical Android-supported workflows have enough auditability to prove what data changed, who or what changed it, and whether the change was authorized.

Executive priority

Prioritize this where mobile applications influence financial, operational, safety, compliance, or customer-facing decisions. Leaders should ask which business processes would be harmed if data were inserted, deleted, or altered without immediate detection, and whether current logging can support incident response and audit evidence. The key investment question is not just endpoint visibility, but whether systems of record and mobile app backends can reconstruct data integrity events.

Technical view

The related ATT&CK technique is T1641 Data Manipulation in the mobile domain, with Android listed on the related technique. SOC, detection engineering, and IR teams should validate telemetry across the mobile app, backend services, and data stores that process Android-originated activity. Since no MITRE detection logic is supplied, detections should focus on unauthorized or abnormal create/update/delete activity, integrity mismatches, changes inconsistent with user role or workflow, and data changes that coincide with suspicious authentication or device context. Tune carefully against legitimate administrative actions, sync behavior, offline writes, and application maintenance activity.

Likely telemetry

  • Application audit logs showing create, update, delete, and administrative data actions
  • Backend API and transaction logs tied to mobile application activity
  • Database change logs, integrity checks, or record-level history where available
  • Authentication, authorization, and session logs for users, service accounts, and mobile clients
  • Android device or application logs where collected and relevant to the protected workflow

Detection direction

  • Identify high-value data objects and workflows where insert, delete, or alteration would affect business decisions or hide activity.
  • Validate that logs can answer: what changed, previous value, new value, actor, device or application context, time, and approval path.
  • Correlate data changes with authentication context, privilege level, mobile device context, and application workflow state.
  • Create baselines for normal data-change volume and sequence, then alert on changes outside role, time, location, device, or process expectations where those fields exist.
  • Account for false positives from legitimate administration, bulk imports, synchronization, offline mobile writes, testing, and data correction workflows.
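The checks in the list above, sketched as an added example (not MITRE or Glexia code): it tests each data-change event for audit completeness, role fit, device context and per-actor volume, and keeps sync and bulk-import writes out of the volume baseline. The event schema, role policy, thresholds and all sample values are assumptions made for illustration.

```python
from collections import Counter

# What the log must answer (per the list above); key names are hypothetical.
REQUIRED = ("object", "old", "new", "actor", "device_id", "ts", "approval")
NOT_APPLICABLE = {"create": {"old"}, "delete": {"new"}}  # no before/after by design
# Assumed policy and baselines; real values come from your own history.
ALLOWED = {"clerk": {"update"}, "admin": {"create", "update", "delete"}}
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b7"}}
MAX_PER_HOUR = 3
BENIGN_SOURCES = {"sync", "bulk_import"}  # excluded from the volume baseline only

def evaluate(events):
    """Return (event_id, reason) findings for a batch of data-change events."""
    findings, per_hour = [], Counter()
    for e in events:
        need = [f for f in REQUIRED if f not in NOT_APPLICABLE.get(e["action"], ())]
        missing = [f for f in need if e.get(f) in (None, "")]
        if missing:
            findings.append((e["id"], "audit_gap:" + ",".join(missing)))
        if e["action"] not in ALLOWED.get(e.get("role"), set()):
            findings.append((e["id"], "action_outside_role"))
        dev = e.get("device_id")
        if dev and dev not in KNOWN_DEVICES.get(e.get("actor"), set()):
            findings.append((e["id"], "unfamiliar_device"))
        if e.get("source") not in BENIGN_SOURCES:
            bucket = (e.get("actor"), (e.get("ts") or "")[:13])  # ISO hour
            per_hour[bucket] += 1
            if per_hour[bucket] == MAX_PER_HOUR + 1:  # alert once per bucket
                findings.append((e["id"], "volume_above_baseline"))
    return findings

def ev(i, actor, role, action, old, new, dev, ts, approval, source="app"):
    return dict(id=i, actor=actor, role=role, action=action, object="invoice/%d" % i,
                old=old, new=new, device_id=dev, ts=ts, approval=approval, source=source)

# Constructed sample events, not real telemetry.
SAMPLE = [
    ev(1, "alice", "clerk", "update", 100, 120, "dev-a1", "2026-01-05T09:10:00Z", "CHG-1"),
    ev(2, "alice", "clerk", "delete", 120, None, "dev-a1", "2026-01-05T09:12:00Z", "CHG-2"),
    ev(3, "bob", "admin", "update", 7, 9, "dev-x9", "2026-01-05T10:00:00Z", None),
] + [ev(10 + n, "bob", "admin", "update", n, n + 1, "dev-b7",
        "2026-01-05T11:0%d:00Z" % n, "SYNC-1", "sync") for n in range(5)
] + [ev(20 + n, "alice", "clerk", "update", n, n + 1, "dev-a1",
        "2026-01-05T14:0%d:00Z" % n, "CHG-9") for n in range(4)]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding)
```

The five sync writes raise nothing, while the fourth interactive update by the same actor within an hour does; that separation is the tuning point the last bullet describes.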

Mitigation priorities

  • Start with business impact scoping: identify mobile-enabled systems where altered data could affect operations, compliance evidence, or decision-making.
  • Enforce least-privilege access and separation of duties for users, service accounts, and administrative functions that can modify critical data.
  • Require durable audit logging for sensitive data changes, including actor and before/after context where feasible.
  • Use integrity validation, reconciliation, and approval workflows for high-risk records or transactions.
  • Maintain recoverability through backups, version history, or rollback procedures for critical datasets.
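One way to implement the reconciliation item above, as an added example rather than MITRE or Glexia code: replay the audit trail over a trusted snapshot and compare the result with the live store, so that inserted, deleted or altered records with no audit entry stand out. Record ids, field names and all sample values are hypothetical.

```python
def reconcile(baseline, audit_log, current):
    """Replay audited changes over a trusted baseline, then compare with the
    current store. Returns {record_id: reason} for unexplained differences."""
    expected, issues = dict(baseline), {}
    for entry in audit_log:  # assumed to be in time order
        rid = entry["record"]
        # The logged "old" value must equal what the replay says was stored.
        if expected.get(rid) != entry["old"]:
            issues[rid] = "audit_chain_break"
        if entry["action"] == "delete":
            expected.pop(rid, None)
        else:
            expected[rid] = entry["new"]
    for rid in sorted(set(expected) | set(current)):
        if rid in issues:
            continue  # already flagged; the replayed value is not trustworthy
        if rid not in current:
            issues[rid] = "deleted_without_audit"
        elif rid not in expected:
            issues[rid] = "inserted_without_audit"
        elif expected[rid] != current[rid]:
            issues[rid] = "altered_without_audit"
    return issues

# Constructed sample data: a backup snapshot, the audit trail since then, and
# the live table. Record ids and field names are hypothetical.
BASELINE = {"r1": {"amount": 100}, "r2": {"amount": 50},
            "r3": {"amount": 75}, "r6": {"amount": 30}}
AUDIT_LOG = [
    {"record": "r1", "action": "update", "old": {"amount": 100}, "new": {"amount": 120}},
    {"record": "r4", "action": "create", "old": None, "new": {"amount": 10}},
    {"record": "r3", "action": "update", "old": {"amount": 70}, "new": {"amount": 80}},
]
CURRENT = {"r1": {"amount": 120}, "r2": {"amount": 5000}, "r3": {"amount": 80},
           "r4": {"amount": 10}, "r5": {"amount": 1}}

if __name__ == "__main__":
    for rid, reason in sorted(reconcile(BASELINE, AUDIT_LOG, CURRENT).items()):
        print(rid, reason)
```

The check is only as trustworthy as the baseline and the audit log, which is why the list above pairs it with durable logging and recoverable backups.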
Analyst notes and limits

This take is based on the supplied DET0660 detection strategy metadata and its relationship to T1641 Data Manipulation. The ATT&CK entry is sparse: no official description, detection text, tactics, aliases, or strategy platform were provided. The related technique description supports focusing on insertion, deletion, or alteration of data to influence outcomes or hide activity, and the related technique lists Android.

Local architecture is required to turn this into actionable detection logic. ATT&CK does not provide specific analytics, data sources, severity, prevalence, or control mappings for this detection strategy in the supplied fields. Do not infer active exploitation, attribution, or existing coverage from this object alone.

Official MITRE ATT&CK definition

Detection of Data Manipulation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Mobile | T1641 | Data Manipulation | This object detects Data Manipulation. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2ae87a0c79d415f2...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.0 | | Current bundle | 2ae87a0c79d4… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0660

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.