MITRE ATT&CK® Detection Strategy

DET0677: Detection of Steganography


Domain: Mobile | ID: DET0677 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is meant to help identify mobile steganography behavior, where hidden information is concealed inside media or text files to avoid notice. For security leaders, the practical issue is not the hiding method itself but the blind spot it creates: normal-looking files may carry covert data, making mobile investigations, data-loss analysis, and malware triage harder if teams only inspect filenames, extensions, or basic content metadata.

Executive priority

Treat this as a mobile defense and incident-readiness question: can the organization recognize suspicious use of images, audio, video, or text files on Android devices when those files may be used to hide data? Because the ATT&CK object provides no official detection logic, leaders should prioritize validation of existing mobile telemetry, file analysis capability, and IR procedures rather than assume coverage exists. This is most relevant where mobile devices handle sensitive business data or are in scope for compliance evidence and incident response.

Technical view

The supplied ATT&CK relationship states that DET0677 detects T1406.001, Steganography, in the mobile domain, with Android listed on the related technique. SOC and IR teams should validate whether their mobile security stack, device management data, endpoint/mobile logs, and forensic workflows can surface anomalous media or text file handling that may warrant deeper inspection. Because no ATT&CK tactics, platforms on the detection object, official description, or official detection analytics are provided, detection engineering should start with local baselining and investigative enrichment rather than a direct rule translation.

Likely telemetry

  • Mobile device inventory and Android device context where available
  • Mobile security or MDM/MAM events related to file access, transfer, sharing, or application behavior
  • File metadata for images, audio, video, and text files handled by mobile apps
  • Network or application telemetry showing unusual upload, download, or sharing of media/text files
  • Incident response forensic artifacts from Android devices, including application storage and user-accessible media locations

Detection direction

  • Confirm whether existing mobile monitoring can see file movement and app interactions involving digital media and text files, not only executable or package activity.
  • Baseline normal media/text file creation, access, sharing, and transfer patterns for managed Android use cases before alerting on anomalies.
  • Use relationship context to focus validation on T1406.001 Steganography rather than treating all media files as malicious.
  • Account for false positives from legitimate messaging, collaboration, camera, media editing, backup, and file-sharing applications.
  • Identify blind spots where personal devices, unmanaged apps, encrypted app storage, or limited mobile forensic access prevent inspection of suspicious files.
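The baselining and file-inspection steps in the list above, worked through as an added example (this is not code from the Glexia page or from the ATT&CK object). It assumes mobile telemetry has already been normalised to per-event records of (app package, MIME type, direction); every package name, event and byte string below is constructed sample data. The first function baselines per-app outbound media/text transfer counts and flags deviations, downgrading rather than suppressing hits from apps expected to share media (the false-positive control the list calls for). The second inspects an image that reached the analyst: it checks that the extension matches the file's magic bytes and, for JPEGs, walks the marker segments to find data appended after the EOI marker or a missing EOI, either of which is a reason for deeper inspection rather than a verdict.

```python
"""Added example: two triage checks for mobile media/text file handling.
Every package name, event and byte string is constructed sample data."""
import statistics
from collections import Counter

# Constructed telemetry: (app package, MIME type, direction); "out" = upload/share.
BASELINE_EVENTS = (
    [("com.example.messenger", "image/jpeg", "out")] * 6
    + [("com.example.camera", "image/jpeg", "out")] * 3
    + [("com.example.backup", "video/mp4", "out")] * 4
    + [("com.example.notes", "text/plain", "out")]
    + [("com.example.messenger", "image/jpeg", "in")] * 10  # inbound: not counted
    + [("com.example.store", "application/vnd.android.package-archive", "out")] * 5
)
WINDOW_EVENTS = (
    [("com.example.messenger", "image/jpeg", "out")] * 5
    + [("com.example.camera", "image/jpeg", "out")] * 2
    + [("com.example.backup", "video/mp4", "out")] * 8        # above the baseline spread
    + [("com.example.weatherwidget", "image/png", "out")] * 9  # never shared media before
)
# Apps whose media sharing is expected; their hits are downgraded, not dropped.
EXPECTED_MEDIA_APPS = {"com.example.messenger", "com.example.camera", "com.example.backup"}
MEDIA_PREFIXES = ("image/", "audio/", "video/", "text/")


def per_app_outbound_counts(events):
    """Count outbound media/text transfers per app; other MIME types are ignored."""
    counts = Counter()
    for app, mime, direction in events:
        if direction == "out" and mime.startswith(MEDIA_PREFIXES):
            counts[app] += 1
    return counts


def flag_transfer_anomalies(baseline_events, window_events, z=2.0):
    """Return sorted (app, count, severity) for apps whose outbound media/text count
    exceeds mean + z*stdev of the per-app baseline, or that never sent any in the baseline."""
    base = per_app_outbound_counts(baseline_events)
    current = per_app_outbound_counts(window_events)
    values = list(base.values()) or [0]
    threshold = statistics.fmean(values) + z * statistics.pstdev(values)
    findings = []
    for app, count in sorted(current.items()):
        if count > threshold or app not in base:
            findings.append((app, count, "low" if app in EXPECTED_MEDIA_APPS else "medium"))
    return findings


MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
_NOT_MARKERS = frozenset([0x00, *range(0xD0, 0xD8)])  # byte stuffing and RSTn inside scan data


def sniff_type(data):
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), None)


def jpeg_payload_end(data):
    """Walk JPEG marker segments; return the offset just past EOI, or None if the
    structure ends (truncated or malformed) before an EOI marker is reached."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                     # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                     # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                                     # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in _NOT_MARKERS):
                pos += 1
    return None


def inspect_image(filename, data):
    """Return reasons the file merits deeper inspection (empty list = nothing notable).
    These are triage heuristics: benign tools also append trailers to images."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(data)
    if sniffed is None:
        reasons.append("unrecognised image header")
    elif ext and {"jpg": "jpeg"}.get(ext, ext) != sniffed:
        reasons.append(f"extension .{ext} does not match content ({sniffed})")
    if sniffed == "jpeg":
        end = jpeg_payload_end(data)
        if end is None:
            reasons.append("JPEG structure truncated or invalid")
        elif len(data) > end:
            reasons.append(f"{len(data) - end} bytes after JPEG EOI marker")
    return reasons


def _seg(marker, payload):
    """Build one JPEG marker segment (helper for the constructed sample file)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed 30-byte JPEG: SOI, APP0, SOS header, scan data containing a stuffed
# 0xFF00 and an RST0 marker (both must not be mistaken for EOI), then EOI.
CLEAN_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")

if __name__ == "__main__":
    for finding in flag_transfer_anomalies(BASELINE_EVENTS, WINDOW_EVENTS):
        print("transfer anomaly:", finding)
    for name, blob in [("photo.jpg", CLEAN_JPEG), ("photo.jpg", CLEAN_JPEG + b"hidden"),
                       ("photo.jpg", CLEAN_JPEG[:-2]), ("photo.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)]:
        print(name, inspect_image(name, blob) or "nothing notable")
```

In the constructed window the backup app exceeds its baseline spread and is reported at low severity because it is an expected media sharer, while the widget app that never sent media before is reported at medium severity; both are prompts for the investigative enrichment described above, not alerts on their own. The JPEG walker matters because a naive search for the 0xFFD9 byte pair can be misled by embedded thumbnails or by appended data that happens to contain it.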

Mitigation priorities

  • Prioritize mobile asset and app visibility so responders know which Android devices and applications can create, store, or transmit relevant media/text files.
  • Ensure mobile incident response procedures include preservation and analysis of suspicious media and text files, not just application packages or network indicators.
  • Apply least-privilege and managed-app controls where appropriate to limit unnecessary access to sensitive data and file-sharing paths.
  • Use mobile security, DLP, or device management controls to govern high-risk file transfer channels when supported by the environment.
  • Maintain compliance evidence showing what mobile telemetry is collected, how suspicious files are escalated, and where unmanaged-device limitations remain.

Analyst notes and limits

The useful decision point is coverage validation: steganography can make ordinary file types operationally relevant during mobile investigations, but this ATT&CK detection strategy does not provide concrete analytics. Detection teams should therefore treat DET0677 as a prompt to assess telemetry depth, file-analysis workflow, and Android investigation readiness for the related technique T1406.001.

The supplied detection strategy has no official description, no official detection text, no tactics, and no platforms specified on the object itself. Android is supported only through the related Steganography technique. No active exploitation, attribution, impact, or guaranteed detection coverage is stated or implied by the supplied fields.

Official MITRE ATT&CK definition

Detection of Steganography

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID         Name           Relationship / procedure
Mobile   T1406.001  Steganography  Sub-technique. This object detects Steganography.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 16a79be96dd42e96...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  16a79be96dd4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0677 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.