MITRE ATT&CK® Detection Strategy

DET0676: Detection of GUI Input Capture


Domain: Mobile | ID: DET0676 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0676 is a mobile ATT&CK detection strategy for identifying GUI Input Capture, a behavior where an adversary may imitate legitimate mobile operating system or application prompts to trick users into entering credentials, financial data, or PII. For leaders, the practical issue is not just malware detection; it is whether mobile users, SOC workflows, and incident response processes can recognize and respond to deceptive prompts that can undermine identity security and data protection.

Executive priority

Prioritize this as a mobile identity and sensitive-data protection concern. Because the related technique applies to Android and iOS, executives should ask whether mobile device visibility, user reporting paths, and incident response playbooks can support investigations involving suspicious credential or PII prompts. This also has compliance relevance where evidence is needed that the organization can detect, triage, and respond to attempts to capture regulated or sensitive information on mobile endpoints.

Technical view

The official detection strategy object does not provide a description, platform list, tactics, or detection logic. The only supported technical scope comes from its relationship to T1417.002 GUI Input Capture in the mobile domain, with related platforms Android and iOS. SOC and detection engineering teams should therefore validate whether existing mobile security telemetry can surface suspicious or deceptive GUI prompt behavior, user-reported credential prompts, anomalous app behavior, and investigation context around apps presenting sensitive-input requests.

Likely telemetry

  • Mobile device security alerts or mobile threat defense events, where deployed
  • Mobile application inventory and app reputation or provenance data
  • User reports of suspicious credential, banking, PII, or permission prompts
  • Mobile OS and application event context available from managed Android or iOS devices
  • Identity telemetry for unusual authentication attempts following reported mobile prompt activity

Detection direction

  • Confirm whether detection coverage exists for the related mobile technique T1417.002 rather than assuming DET0676 contains deployable logic; the supplied ATT&CK object has no official detection text.
  • Validate collection separately for Android and iOS because the related technique lists both platforms, and telemetry depth may differ significantly by platform and management model.
  • Tune triage to distinguish legitimate OS or application prompts from suspicious mimicry; false positives are likely if detections key only on the presence of sensitive-input prompts.
  • Correlate mobile reports or alerts with identity events, such as unusual sign-ins or credential-use anomalies, to increase confidence without claiming the GUI prompt alone proves compromise.
  • Review SOC intake paths for user-reported suspicious mobile prompts, since deceptive GUI behavior may be first observed by the user rather than by automated telemetry.
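The correlation and triage tuning described in the "Detection direction" list above, worked through as an added example that is not part of the Glexia page or of the ATT&CK object: user-reported suspicious prompts are matched to identity-provider sign-in events for the same user inside a time window, and the app that presented the prompt is checked against a managed app inventory. A report alone stays low priority (the prompt itself does not prove compromise); an unknown or unapproved app, failed sign-ins, or a successful sign-in from a new device or country inside the window raise it. All events, package names, field names, the two-hour window and the scoring thresholds are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page). Timestamps are UTC, ISO-8601.
# Each report is a user-submitted "suspicious prompt" ticket: who reported it,
# when, on which platform, which app package showed the prompt, and what kind
# of input it asked for.
PROMPT_REPORTS = [
    {"user": "alice", "ts": "2026-03-02T09:10:00", "platform": "android",
     "app": "com.example.freeflashlight", "prompt": "bank_login"},
    {"user": "bob", "ts": "2026-03-02T11:30:00", "platform": "ios",
     "app": "com.example.corpmail", "prompt": "sso_login"},
    {"user": "carol", "ts": "2026-03-02T14:00:00", "platform": "android",
     "app": "com.example.unknownwallpaper", "prompt": "sso_login"},
]

# Constructed identity-provider sign-in log. new_device / new_country are the
# kind of risk flags an IdP typically attaches to a sign-in.
SIGNIN_EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:42:00", "result": "success",
     "new_device": True, "new_country": True},
    {"user": "bob", "ts": "2026-03-02T11:35:00", "result": "success",
     "new_device": False, "new_country": False},
    {"user": "carol", "ts": "2026-03-03T08:00:00", "result": "success",
     "new_device": True, "new_country": False},   # next day: outside the window
    {"user": "carol", "ts": "2026-03-02T14:20:00", "result": "failure",
     "new_device": False, "new_country": False},
]

# Constructed managed app inventory: package -> approval state.
APP_INVENTORY = {
    "com.example.corpmail": {"approved": True},
}

# Assumed correlation window after the reported prompt.
WINDOW = timedelta(hours=2)


def _parse(ts):
    return datetime.fromisoformat(ts)


def app_status(app, inventory):
    """Classify the app that showed the prompt against the inventory."""
    entry = inventory.get(app)
    if entry is None:
        return "unknown"
    return "approved" if entry.get("approved") else "unapproved"


def correlate(reports, signins, inventory, window=WINDOW):
    """Score each user report using inventory context and sign-ins in the window.

    Scoring (assumed thresholds): +1 if the app is not approved, +2 if a
    successful sign-in in the window carries a new-device or new-country flag,
    else +1 if any failed sign-in falls in the window. 0 -> low, 1-2 -> medium,
    3+ -> high. A report with no supporting signal is deliberately kept low.
    """
    findings = []
    for r in reports:
        start = _parse(r["ts"])
        end = start + window
        status = app_status(r["app"], inventory)
        in_window = [s for s in signins
                     if s["user"] == r["user"] and start <= _parse(s["ts"]) <= end]
        anomalous = [s for s in in_window
                     if s["result"] == "success"
                     and (s["new_device"] or s["new_country"])]
        failures = [s for s in in_window if s["result"] == "failure"]

        score, reasons = 0, []
        if status != "approved":
            score += 1
            reasons.append(f"app {r['app']} is {status} in inventory")
        if anomalous:
            score += 2
            reasons.append(f"{len(anomalous)} anomalous successful sign-in(s) within {window}")
        elif failures:
            score += 1
            reasons.append(f"{len(failures)} failed sign-in(s) within {window}")

        priority = "high" if score >= 3 else "medium" if score >= 1 else "low"
        findings.append({
            "user": r["user"], "platform": r["platform"], "app": r["app"],
            "prompt": r["prompt"], "app_status": status,
            "signins_in_window": len(in_window), "score": score,
            "priority": priority, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(PROMPT_REPORTS, SIGNIN_EVENTS, APP_INVENTORY):
        print(f"{f['priority']:6} {f['user']:6} {f['platform']:8} {f['app']} "
              f"({f['app_status']}); {'; '.join(f['reasons']) or 'report only'}")
```

Bob's report resolves to low because the prompt came from an approved app and his sign-in carried no risk flags, which is the legitimate-prompt case the tuning bullet warns about. Alice's report is high only because an unknown app and a new-device, new-country sign-in coincide; the platform field is carried through so the same logic can be validated separately for Android and iOS.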

Mitigation priorities

  • Establish or verify managed mobile visibility for Android and iOS devices in scope.
  • Maintain mobile application inventory and approval controls so investigators can quickly assess which app presented a prompt.
  • Strengthen user reporting and awareness for suspicious mobile credential, financial, or PII prompts without relying on users as the only control.
  • Connect mobile incident response with identity response, including credential reset and session review procedures when sensitive-input capture is suspected.
  • Document available telemetry, response steps, and evidence retention to support compliance and post-incident review.

Analyst notes and limits

This take is based on the detection strategy metadata and its relationship to T1417.002 GUI Input Capture. The source object is sparse: no official description, tactics, platforms, or detection logic are provided for DET0676 itself. The business value is in using the relationship to drive validation of mobile telemetry, identity correlation, and response readiness.

No active exploitation, actor attribution, impact level, detection efficacy, or deployable analytics are supplied. Platforms are not specified on the detection strategy object; Android and iOS are referenced only through the related GUI Input Capture technique. Local mobile management architecture and telemetry availability are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection of GUI Input Capture

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID        | Name                               | Relationship / procedure
Mobile | T1417.002 | GUI Input Capture (sub-technique)  | This object detects GUI Input Capture.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored object)
Modified: (not present in the mirrored object)
Raw hash: 55d6588b6aedc3be...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 55d6588b6aed…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0676 (source URL available on the MITRE-hosted entry)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.