MITRE ATT&CK® Detection Strategy

DET0671: Detection of Data Destruction


Domain: Mobile | ID: DET0671 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0671 is a MITRE ATT&CK detection strategy for mobile Data Destruction behavior. Its business significance is availability: on Android devices, destructive commands such as package removal or file deletion can disrupt access to applications, data, services, and response evidence. For leaders, this is less about a single alert and more about whether the organization can recognize destructive activity quickly enough to preserve operations, protect evidence, and make informed incident-response decisions.

Executive priority

Treat this as a resilience and incident-readiness concern for mobile environments where Android devices support business operations. Security leaders should ask whether mobile logging, device management, backup/recovery expectations, and incident escalation paths can support a fast decision when destructive activity is suspected. Because the ATT&CK object provides no official detection logic, priority should be placed on validating evidence availability and response procedures rather than assuming tool coverage.

Technical view

This detection strategy is associated with ATT&CK mobile technique T1662, Data Destruction; the only platform context supplied with that relationship is Android. SOC, detection engineering, and IR teams should validate whether they can observe destructive indicators such as application uninstall and file removal activity on managed Android devices, especially where those actions affect business-critical apps or data. Because the same activity can remove the security agent or the local logs that would record it, telemetry should be forwarded off the device as it is generated rather than collected after the fact. Since the official detection field is not provided, detection content must be engineered locally and tested against approved administrative activity, user-initiated removals, device wipe workflows, and expected mobile device management actions to reduce false positives.

Likely telemetry

  • Mobile device management or enterprise mobility management events for Android devices
  • Android application inventory and package uninstall events
  • Device compliance and state-change records
  • File deletion or storage change evidence where available from mobile security tooling
  • Security alerts from mobile threat defense or endpoint controls, if deployed

Detection direction

  • Confirm that Android device telemetry is actually collected, retained, and searchable for package uninstall and file removal activity relevant to business-critical applications or data.
  • Correlate suspected destructive activity with device ownership, management status, user role, recent security alerts, and mobile device management actions.
  • Tune detections to distinguish malicious or suspicious destruction from legitimate user cleanup, help desk activity, application lifecycle management, and authorized remote wipe workflows.
  • Prioritize alerting when destructive activity is high-volume, targets protected business applications or data, follows other suspicious mobile events, or occurs on devices tied to sensitive operations.
  • Document telemetry gaps explicitly, because this ATT&CK detection strategy does not include official detection analytics or platform coverage beyond the related Android technique context.
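The technical view and the detection direction above describe the same engineering task: take whatever uninstall and file-removal events the mobile management stack actually emits, tune out authorized MDM workflows, and raise priority when protected applications are hit or destruction is high-volume. The following Python is an added example of that logic run over constructed sample events; it is not code from the Glexia page, from MITRE, or from any MDM vendor. The event schema, field names, protected package list, change-ticket allowlist, and every sample event are hypothetical and would need to be mapped from your own MDM/EMM or mobile threat defense export.

```python
"""Detection pass for DET0671-style Android data destruction (ATT&CK T1662).

Added example, not code from the Glexia page or from MITRE. Everything below is
a hypothetical stand-in: the event schema, the field names, the protected
package list, the change-ticket allowlist and the sample events are constructed
for illustration. Map your MDM/EMM or mobile threat defense export into the
same shape before reusing the rules.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed business-critical packages whose unapproved removal always warrants an alert.
PROTECTED_PACKAGES = {"com.example.bank", "com.example.edr", "com.example.mdmagent"}
# Assumed change tickets that authorise an MDM-driven removal or wipe.
AUTHORIZED_MDM_TICKETS = {"CHG-1042"}
# Event types treated as destructive (hypothetical names).
DESTRUCTIVE_ACTIONS = {"package_uninstall", "file_delete", "remote_wipe"}
# High-volume rule: this many destructive events on one device inside the window.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry as JSON lines; not real device data.
SAMPLE_EVENTS = """
{"ts":"2026-01-10T09:00:00Z","device":"dev-01","managed":true,"actor":"user","action":"package_uninstall","target":"com.example.game"}
{"ts":"2026-01-10T09:01:00Z","device":"dev-02","managed":true,"actor":"mdm","ticket":"CHG-1042","action":"package_uninstall","target":"com.example.bank"}
{"ts":"2026-01-10T09:05:00Z","device":"dev-03","managed":true,"actor":"shell","action":"package_uninstall","target":"com.example.bank","cmd":"pm uninstall com.example.bank"}
{"ts":"2026-01-10T09:06:00Z","device":"dev-03","managed":true,"actor":"shell","action":"file_delete","target":"/sdcard/Documents/q4-report.xlsx","cmd":"rm /sdcard/Documents/q4-report.xlsx"}
{"ts":"2026-01-10T09:07:00Z","device":"dev-05","managed":true,"actor":"mdm","action":"package_uninstall","target":"com.example.edr"}
{"ts":"2026-01-10T09:20:00Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0001.jpg"}
{"ts":"2026-01-10T09:20:30Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0002.jpg"}
{"ts":"2026-01-10T09:21:00Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0003.jpg"}
{"ts":"2026-01-10T09:21:30Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0004.jpg"}
{"ts":"2026-01-10T09:22:00Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0005.jpg"}
{"ts":"2026-01-10T09:22:30Z","device":"dev-04","managed":false,"actor":"shell","action":"file_delete","target":"/sdcard/DCIM/IMG_0006.jpg"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_authorized_mdm_action(ev: dict) -> bool:
    """Tune out removals or wipes the MDM performed under an approved change ticket."""
    return ev.get("actor") == "mdm" and ev.get("ticket") in AUTHORIZED_MDM_TICKETS


def _alert(rule: str, severity: str, ev: dict, **extra) -> dict:
    """Carry the correlation context an analyst needs: device, management state, actor."""
    return {
        "rule": rule,
        "severity": severity,
        "ts": ev["ts"].isoformat(),
        "device": ev["device"],
        "managed": ev.get("managed"),
        "actor": ev.get("actor"),
        "target": ev.get("target"),
        **extra,
    }


def detect(jsonl: str) -> list[dict]:
    """Run both rules over the events and return alerts in time order."""
    alerts: list[dict] = []
    recent: dict[str, deque] = defaultdict(deque)  # per-device sliding window of timestamps
    burst_reported: set[str] = set()                # one burst alert per device

    for ev in parse_events(jsonl):
        if ev.get("action") not in DESTRUCTIVE_ACTIONS:
            continue
        if is_authorized_mdm_action(ev):
            continue  # approved workflow: stays in the audit trail, not the alert queue

        dev = ev["device"]

        # Rule 1: any unapproved removal of a protected business application.
        if ev["action"] == "package_uninstall" and ev["target"] in PROTECTED_PACKAGES:
            alerts.append(_alert("protected_app_removed", "high", ev))

        # Rule 2: high-volume destruction on one device inside BURST_WINDOW.
        window = recent[dev]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and dev not in burst_reported:
            burst_reported.add(dev)
            alerts.append(_alert("destructive_burst", "medium", ev, count=len(window)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Against the constructed sample, the user's removal of a game on dev-01 and the ticketed MDM removal on dev-02 produce nothing, the shell uninstall of the banking app on dev-03 and the unticketed MDM removal of the EDR agent on dev-05 each raise a high-severity alert, and the six rapid file deletions on the unmanaged dev-04 raise one medium burst alert. The `managed` flag is carried on every alert so that an unmanaged device, where telemetry is least trustworthy, can be escalated differently from an enrolled one.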

Mitigation priorities

  • Establish mobile data recovery expectations first: backups, synchronization, and restore procedures for business-critical Android use cases.
  • Ensure Android devices that support business operations are enrolled in managed mobile controls where organizational policy requires it.
  • Limit unnecessary administrative or high-risk device actions where feasible through mobile management policy and least-privilege operating procedures.
  • Create incident response playbooks for suspected mobile data destruction, including preservation, containment, user communication, and recovery decision points.
  • Maintain audit-ready records of mobile device management actions, authorized wipes, application removals, and recovery tests to support compliance and post-incident review.

Analyst notes and limits

The source object is a detection strategy with no official description, no official detection text, and no tactics or platforms specified on the strategy itself. The practical guidance here is derived from the supplied relationship showing that DET0671 detects mobile ATT&CK technique T1662, Data Destruction, whose provided context references Android and examples such as package uninstall and file removal commands.

Coverage cannot be inferred from ATT&CK alone. Local mobile management architecture, Android enrollment model, logging permissions, retention, privacy constraints, and tooling determine whether this behavior can be detected or investigated. The supplied relationship description is truncated, and no official analytic logic is provided.

Official MITRE ATT&CK definition

Detection of Data Destruction

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1662 | Data Destruction | This object detects Data Destruction.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: not present in the imported object
Modified: not present in the imported object
Raw hash: c4f6a96581324eb7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c4f6a9658132…

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.