DET0666: Detection of Exploitation for Initial Access
Analyst context for executives and security teams
DET0666 is a mobile ATT&CK detection strategy for identifying exploitation used to gain initial access to mobile devices. Its practical value is not a single alert rule; it is a coverage question: can the organization recognize signs that Android or iOS devices were compromised through vulnerable apps, services, the operating system, or kernel, including low- or no-interaction exploit paths referenced by the related technique?
Executive priority
Treat this as a mobile resilience and incident-readiness priority. Mobile devices often carry executive communications, identity tokens, business apps, and sensitive data, so initial access through exploitation can create material risk even when traditional endpoint telemetry is strong. Leaders should ask whether mobile vulnerability management, device health visibility, incident response procedures, and evidence collection are mature enough to support decisions during a suspected mobile compromise.
Technical view
The supplied ATT&CK object has no official detection text, tactics, or platform field, but it detects mobile technique T1664, Exploitation for Initial Access, whose related platforms are Android and iOS. SOC and IR teams should validate whether they can correlate mobile OS/application vulnerability exposure, device state changes, crash or diagnostic artifacts, MDM/UEM signals, and security telemetry around suspected exploitation. Detection engineering should focus on evidence that distinguishes exploit-driven initial access from normal app instability, user-driven installation, or routine OS behavior.
Likely telemetry
- MDM/UEM device inventory, compliance, OS version, patch level, jailbreak/root, and device health signals
- Mobile application inventory and version data for exposure assessment
- Mobile OS, application, crash, diagnostic, and security logs where available
- Network security telemetry associated with mobile device communications
- Identity and access logs for mobile-originated sessions after suspected compromise
Detection direction
- Validate that Android and iOS telemetry sources exist before assuming DET0666 coverage; the strategy object itself does not provide a concrete analytic.
- Correlate vulnerability exposure with abnormal device behavior, app crashes, security state changes, or unusual post-access identity activity.
- Tune for high false-positive risk from benign app crashes, OS updates, device misconfiguration, and normal mobile roaming/network behavior.
- Use the relationship to T1664 to scope detection around exploitation for initial access rather than later-stage mobile activity.
- Confirm escalation paths for suspected zero-click or low-interaction cases, where user reports may be absent or unreliable.
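As an added example, not part of the DET0666 object or of this page's analysis, the correlation described in the points above can be sketched in Python: flag only devices that are both below an assumed minimum patched OS version and show a crash burst or a security state change, while ignoring crashes shortly after an OS update to reduce benign false positives. The minimum versions, device records and events are constructed placeholders, not real telemetry or advisory data.

```python
from datetime import datetime, timedelta

# Assumed minimum patched OS versions: placeholders, not taken from any advisory.
MIN_PATCHED = {"Android": (14, 0), "iOS": (17, 4)}

# Constructed sample MDM/UEM inventory records.
INVENTORY = [
    {"device_id": "dev-001", "os": "iOS", "os_version": "17.2"},
    {"device_id": "dev-002", "os": "Android", "os_version": "14.0"},
    {"device_id": "dev-003", "os": "Android", "os_version": "13.0"},
]

# Constructed sample device events: (device_id, ISO timestamp, kind, detail).
EVENTS = [
    ("dev-001", "2024-05-01T09:00:00", "app_crash", "com.example.messenger"),
    ("dev-001", "2024-05-01T09:05:00", "app_crash", "com.example.messenger"),
    ("dev-001", "2024-05-01T09:07:00", "security_state_change", "jailbreak_detected"),
    ("dev-002", "2024-05-01T10:00:00", "app_crash", "com.example.browser"),
    ("dev-003", "2024-05-01T11:00:00", "os_update", "13.0.1"),
    ("dev-003", "2024-05-01T11:30:00", "app_crash", "com.example.mail"),
    ("dev-003", "2024-05-01T11:40:00", "app_crash", "com.example.mail"),
]

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def is_exposed(record):
    """True when the device runs an OS version below the assumed minimum."""
    return parse_version(record["os_version"]) < MIN_PATCHED[record["os"]]

def correlate(inventory, events, window=timedelta(hours=24),
              crash_threshold=2, update_grace=timedelta(hours=2)):
    """Map device_id -> reasons for exposed devices that show suspicious signals."""
    # Crashes inside update_grace after an os_update are treated as benign instability.
    findings = {}
    for dev in (r["device_id"] for r in inventory if is_exposed(r)):
        ev = sorted((datetime.fromisoformat(t), k, d)
                    for did, t, k, d in events if did == dev)
        updates = [t for t, k, _ in ev if k == "os_update"]
        crashes = [t for t, k, _ in ev if k == "app_crash"
                   and not any(u <= t <= u + update_grace for u in updates)]
        reasons = []
        if len(crashes) >= crash_threshold and crashes[-1] - crashes[0] <= window:
            reasons.append(f"{len(crashes)} app crashes within {window}")
        reasons += [f"security state change: {d}"
                    for _, k, d in ev if k == "security_state_change"]
        if reasons:
            findings[dev] = reasons
    return findings
```

With the constructed data only dev-001 is flagged: dev-002 is fully patched and dev-003's crashes fall inside the post-update grace period.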
Mitigation priorities
- Prioritize timely mobile OS and application patching based on exposure and business criticality.
- Maintain accurate mobile asset, OS, and application inventory for Android and iOS fleets.
- Enforce mobile device management and compliance controls where organizationally appropriate.
- Prepare mobile incident response procedures, including preservation, containment, and forensic collection decision points.
- Review access controls and session risk handling for business applications accessed from mobile devices.
Analyst notes and limits
This take is based on DET0666 and its relationship to T1664 only. The most defensible use is as a coverage validation prompt for mobile exploitation-based initial access, not as a ready-made detection rule. Local device management architecture, mobile logging availability, and legal/privacy constraints will determine what evidence can actually be collected.
The official object provides no description, no detection logic, no tactics, and no platform field. Android and iOS are supported only through the related T1664 technique. No claim is made about active exploitation, actor attribution, customer exposure, or guaranteed detection coverage.
Detection of Exploitation for Initial Access
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1664 | Exploitation for Initial Access | This object detects Exploitation for Initial Access. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ee846147db57… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0666 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.