MITRE ATT&CK® Detection Strategy

DET0661: Detection of Keylogging

Domain: Mobile | ID: DET0661 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0661 is a mobile ATT&CK detection strategy for keylogging behavior. Its business significance is credential and sensitive data exposure on Android and iOS devices, especially where employees use mobile devices for email, identity prompts, business apps, or privileged workflows. The supplied ATT&CK object has no official detection text, so the value is in using the relationship to T1417.001 to verify whether mobile security, IAM, and SOC processes can recognize risky keyboard authorization or accessibility abuse patterns before they become an incident blind spot.

Executive priority

Treat this as a mobile identity and data-protection readiness question: do teams know when a device, user, or app configuration could enable keystroke capture? Leaders should ask whether mobile telemetry, app approval processes, user education, and incident response playbooks cover third-party keyboard authorization and accessibility-feature abuse on Android and iOS. This also supports audit and compliance evidence around mobile device governance, credential protection, and monitoring assumptions.

Technical view

The detection strategy object itself does not provide detection logic, platforms, or tactics; its only stated relationship is that it detects ATT&CK technique T1417.001 Keylogging in the mobile domain. SOC and detection teams should validate coverage around Android and iOS evidence associated with third-party keyboard use and accessibility feature abuse. IR teams should be prepared to review installed apps, keyboard/input method settings, accessibility permissions, device management state, and user authorization history where available. Because the official detection field is absent, local engineering must define analytic criteria from available mobile telemetry and policy controls rather than assuming ATT&CK provides a ready-made rule.
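As an added example of the device-side review described above (this is not code from the ATT&CK object or the Glexia page), the script below triages an Android device's input-method and accessibility state. It parses the output of four real Android commands that IR can run over `adb shell` on a developer-enabled, authorized device (`settings get secure default_input_method`, `settings get secure enabled_input_methods`, `settings get secure enabled_accessibility_services`, `pm list packages -3`) and compares the active components against an organisational allowlist. The allowlist packages and the sample command output are constructed for illustration; the `collect_from_device` helper is hypothetical glue around `adb` and is only needed for live collection.

```python
"""Android IME / accessibility triage for a suspected mobile keylogging case.

Added example; not part of the ATT&CK object or the Glexia page.
Parses output of real Android commands (run via `adb shell`):
  settings get secure default_input_method
  settings get secure enabled_input_methods
  settings get secure enabled_accessibility_services
  pm list packages -3
The allowlists and the sample output below are constructed, not captured.
"""
import json
import shutil
import subprocess

# Constructed allowlist: packages the organisation approves in the keyboard
# (input method) and accessibility-service roles. Hypothetical policy values.
APPROVED_IME_PACKAGES = {"com.google.android.inputmethod.latin"}
APPROVED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_component_list(raw: str) -> list[str]:
    """Android stores enabled IMEs and accessibility services as a
    colon-separated list of ComponentName strings (pkg/cls).
    `settings get` prints 'null' when the value has never been set."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def component_package(component: str) -> str:
    """'com.example.kb/.LatinIME' -> 'com.example.kb'."""
    return component.strip().split("/", 1)[0]


def parse_third_party_packages(raw: str) -> set[str]:
    """`pm list packages -3` prints one 'package:<name>' line per non-system app."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def triage(default_ime: str, enabled_imes: str, enabled_a11y: str,
           third_party: str) -> dict:
    """Flag active keyboards / accessibility services outside the allowlist and
    note whether each comes from a third-party (non-system) package."""
    tp = parse_third_party_packages(third_party)
    default_pkg = component_package(default_ime)
    findings = {
        "default_ime": default_pkg,
        "default_ime_approved": default_pkg in APPROVED_IME_PACKAGES,
        "unapproved_imes": [],
        "unapproved_a11y": [],
    }
    for comp in parse_component_list(enabled_imes):
        pkg = component_package(comp)
        if pkg not in APPROVED_IME_PACKAGES:
            findings["unapproved_imes"].append({"component": comp, "third_party": pkg in tp})
    for comp in parse_component_list(enabled_a11y):
        pkg = component_package(comp)
        if pkg not in APPROVED_A11Y_PACKAGES:
            findings["unapproved_a11y"].append({"component": comp, "third_party": pkg in tp})
    findings["needs_review"] = bool(findings["unapproved_imes"]
                                    or findings["unapproved_a11y"]
                                    or not findings["default_ime_approved"])
    return findings


def collect_from_device() -> dict:
    """Live collection (hypothetical helper): needs adb on PATH and an authorized device."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")

    def sh(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout

    return triage(sh("settings", "get", "secure", "default_input_method"),
                  sh("settings", "get", "secure", "enabled_input_methods"),
                  sh("settings", "get", "secure", "enabled_accessibility_services"),
                  sh("pm", "list", "packages", "-3"))


# Constructed sample output in the real formats (not from a real device).
SAMPLE_DEFAULT_IME = "com.example.freekb/.FancyIME\n"
SAMPLE_ENABLED_IMES = ("com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME"
                       ":com.example.freekb/.FancyIME\n")
SAMPLE_ENABLED_A11Y = ("com.example.freekb/.CaptureService"
                       ":com.google.android.marvin.talkback/.TalkBackService\n")
SAMPLE_THIRD_PARTY = "package:com.example.freekb\npackage:com.example.bank\n"


def demo() -> dict:
    return triage(SAMPLE_DEFAULT_IME, SAMPLE_ENABLED_IMES, SAMPLE_ENABLED_A11Y, SAMPLE_THIRD_PARTY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed sample the default keyboard and one accessibility service both belong to a third-party package outside the allowlist, which is exactly the combination the related technique describes; the output is a review finding, not proof of keylogging. iOS offers no equivalent shell, so the same questions (third-party keyboard enabled, app inventory) have to be answered from MDM inventory and the device's own Settings, which is why the blind-spot note on unmanaged devices matters.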

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance records
  • Installed mobile application inventory, including keyboard/input method apps where available
  • Android and iOS permission, accessibility, and keyboard configuration evidence where available
  • Mobile threat defense or endpoint security alerts related to suspicious app behavior or risky permissions
  • Identity telemetry for unusual credential use following suspected mobile exposure

Detection direction

  • Confirm whether Android and iOS telemetry can show third-party keyboard authorization, accessibility feature enablement, and related app inventory changes.
  • Tune detections to distinguish expected enterprise-approved keyboards or accessibility tools from newly installed, unapproved, or suspicious apps requesting sensitive input-related capabilities.
  • Correlate mobile configuration changes with identity events, especially failed logins, new device sign-ins, or anomalous access, while avoiding claims that identity anomalies alone prove keylogging.
  • Document blind spots where personal devices, unmanaged mobile devices, or limited OS telemetry prevent reliable visibility.
  • Use the relationship to T1417.001 as context for detection engineering, but do not treat DET0661 as a complete analytic because the official detection guidance is not supplied.
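The correlation logic described in the list above, as an added example (not the ATT&CK object's or the Glexia page's own analytic): unapproved keyboard or accessibility grants on a device produce a medium-severity review item, an identity anomaly for the same user within a look-ahead window raises it to high, and identity anomalies on their own never fire, so the detection cannot claim that a failed-login burst proves keylogging. The event schema (field names and type values), the allowlist, the 72-hour window and the sample feed are all constructed assumptions; real MDM/MTD and identity-provider events would need to be normalised into this shape first.

```python
"""Correlating mobile input-capability changes with identity events.

Added example; not the ATT&CK object's or the Glexia page's own logic.
The event schema below (field names and type values) is hypothetical:
normalise your own MDM/MTD and identity-provider feeds into it before use.
"""
import json
from datetime import datetime, timedelta

# Constructed allowlist of enterprise-approved keyboard/accessibility apps.
APPROVED_INPUT_APPS = {"com.corp.keyboard", "com.corp.screenreader"}
# Mobile events that give an app keystroke-relevant capability (hypothetical types).
INPUT_CAPABILITY_EVENTS = {"keyboard_enabled", "accessibility_granted", "input_app_installed"}
# Identity events used only to raise severity, never as a trigger on their own.
IDENTITY_ANOMALIES = {"new_device_signin", "failed_login_burst", "impossible_travel"}
WINDOW = timedelta(hours=72)  # look-ahead from the mobile exposure event (assumed)


def parse_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON events and return them oldest first."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_exposures(events: list[dict]) -> list[dict]:
    """Stage 1: an unapproved package gained a keyboard/accessibility capability."""
    return [e for e in events
            if e["type"] in INPUT_CAPABILITY_EVENTS
            and e["package"] not in APPROVED_INPUT_APPS]


def correlate(events: list[dict]) -> list[dict]:
    """Stage 2: for each exposure, look for identity anomalies for the same user
    inside WINDOW after it. Correlated -> high, uncorrelated -> medium.
    Identity anomalies with no preceding exposure produce no alert at all."""
    identity = [e for e in events if e["type"] in IDENTITY_ANOMALIES]
    alerts = []
    for x in find_exposures(events):
        related = [i for i in identity
                   if i["user"] == x["user"]
                   and x["ts"] <= i["ts"] <= x["ts"] + WINDOW]
        alerts.append({
            "user": x["user"],
            "device": x["device"],
            "package": x["package"],
            "trigger": x["type"],
            "severity": "high" if related else "medium",
            "identity_events": [i["type"] for i in related],
            # Wording deliberately stops short of "keylogging confirmed".
            "assessment": ("unapproved input capability followed by identity anomaly; "
                           "treat as suspected credential exposure and verify on device")
                          if related else
                          "unapproved input capability; add to review queue",
        })
    return alerts


# Constructed sample feed (not real telemetry). Four users:
#  alice - unapproved keyboard, new-device sign-in 20h later        -> high
#  bob   - approved screen reader, then failed logins               -> no alert
#  carol - unapproved keyboard app installed, no identity events    -> medium
#  dave  - unapproved accessibility grant, anomaly 80h later (> 72h) -> medium
SAMPLE_JSONL = """
{"ts": "2025-03-01T08:00:00", "type": "keyboard_enabled", "user": "alice", "device": "and-0042", "package": "com.example.freekb"}
{"ts": "2025-03-02T04:00:00", "type": "new_device_signin", "user": "alice", "device": "unknown-web"}
{"ts": "2025-03-01T09:00:00", "type": "accessibility_granted", "user": "bob", "device": "and-0077", "package": "com.corp.screenreader"}
{"ts": "2025-03-01T10:00:00", "type": "failed_login_burst", "user": "bob", "device": "unknown-web"}
{"ts": "2025-03-01T11:00:00", "type": "input_app_installed", "user": "carol", "device": "and-0101", "package": "com.example.swiftkb"}
{"ts": "2025-03-01T12:00:00", "type": "accessibility_granted", "user": "dave", "device": "and-0123", "package": "com.example.overlayhelper"}
{"ts": "2025-03-04T20:00:00", "type": "impossible_travel", "user": "dave", "device": "unknown-web"}
"""


def demo() -> list[dict]:
    return correlate(parse_events(SAMPLE_JSONL))


if __name__ == "__main__":
    for a in demo():
        print(a["severity"].upper(), a["user"], a["package"], a["identity_events"])
```

The ordering of the two stages is the point: the mobile configuration change is the trigger and the identity signal only adjusts severity, which keeps the analytic honest about what it can and cannot show. Tuning happens in the allowlist and the window; an approved enterprise keyboard never reaches stage 2, however noisy the user's sign-in history is.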

Mitigation priorities

  • Prioritize mobile governance for Android and iOS: approved app sources, managed app inventory, and review of third-party keyboard and accessibility permissions.
  • Educate users to exercise caution before authorizing third-party keyboard apps or accessibility access, as specifically supported by the related ATT&CK technique description.
  • Where enterprise controls allow it, restrict or monitor unapproved keyboards, risky accessibility permissions, and unmanaged apps handling sensitive workflows.
  • Integrate mobile findings with IAM response processes, including credential reset decisions when keystroke capture is reasonably suspected.
  • Ensure incident response playbooks include mobile device triage and evidence collection for keyboard, accessibility, and installed-app state.

Analyst notes and limits

This take is based on the ATT&CK detection strategy DET0661 and its stated relationship detecting mobile technique T1417.001 Keylogging. The strongest supported context is mobile keylogging via legitimate-looking third-party keyboards and abuse of accessibility features, with Android and iOS identified by the related technique. No vendor-specific analytics, exploit claims, actor attribution, or active exploitation are supported by the supplied fields.

The DET0661 object has no official description, no official detection text, no listed tactics, and no platforms directly on the detection strategy. Practical detection guidance must therefore be derived from the related T1417.001 technique and validated against local mobile management, security, and identity telemetry. Coverage will vary significantly based on device ownership model, OS restrictions, and whether devices are managed.

Official MITRE ATT&CK definition

Detection of Keylogging

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Mobile | T1417.001 | Keylogging (sub-technique) | This object detects Keylogging.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: 5c1ae61701dc741c...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.0, status "Current bundle", raw hash 5c1ae61701dc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0661 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.