DET0680: Detection of Security Software Discovery
Analyst context for executives and security teams
DET0680 is a mobile ATT&CK detection strategy for identifying attempts to discover security software on a device. The business significance is that this behavior can be an early decision point for an adversary: the related ATT&CK technique notes that adversaries may use knowledge of installed mobile security products or configurations to decide whether to continue infection or choose follow-on actions. For leaders, this makes it relevant to mobile endpoint assurance, incident triage, and validating whether mobile security telemetry can show when attackers are profiling defenses.
Executive priority
Treat this as a mobile security visibility and response-readiness question rather than a standalone control. Executives and security leaders should ask whether Android and iOS devices in scope generate usable evidence when apps or processes attempt to enumerate security applications or security configurations, and whether SOC or IR teams can act on that signal before follow-on activity occurs. It can support audit and risk discussions around mobile device monitoring, managed detection coverage, and incident escalation criteria, but the supplied ATT&CK object does not include a specific detection method or mitigation.
Technical view
The detection strategy is linked to the ATT&CK mobile technique T1418.001, Security Software Discovery, which covers Android and iOS. SOC and detection engineering teams should validate whether mobile telemetry can expose attempts to list installed security applications, inspect security-related configurations, or otherwise profile defensive tooling. Two platform facts shape what is observable. On Android 11 (API level 30) and later, an app cannot enumerate arbitrary installed packages unless it declares the packages it needs in a manifest `<queries>` element or holds the QUERY_ALL_PACKAGES permission, so a manifest that requests that permission or lists security-vendor packages is itself reviewable during app vetting. On iOS there is no public API for enumerating installed apps; an app can only probe for specific apps through URL schemes it pre-declares in LSApplicationQueriesSchemes, so those declarations are the equivalent review point. Because the official detection field is not provided and the detection strategy lists no platforms itself, detection logic should be derived from locally available mobile device management, mobile threat defense, endpoint, application, and device event sources rather than assumed from ATT&CK alone.
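The Android manifest check described above, as an added example (not code from MITRE, Glexia, or the ATT&CK object): it assumes the manifest has already been decoded from the APK's binary XML to plain XML (for instance with apktool), and the package names in SECURITY_PACKAGES and in the two constructed manifests are placeholders, not real products.

```python
"""Static triage of a decoded AndroidManifest.xml for package-visibility declarations.

Added example. Assumes the manifest is plain XML (apktool output); the package
names below are constructed placeholders, not real security products.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # android:name in namespaced form
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed: packages an organisation considers security tooling. A real
# deployment would populate this from its MDM/MTD inventory.
SECURITY_PACKAGES = {"com.example.mtd", "com.example.mdmagent"}


def triage_manifest(manifest_xml: str, security_packages: set) -> dict:
    """Report what the manifest allows the app to learn about other installed apps."""
    root = ET.fromstring(manifest_xml)

    # Android 11+: QUERY_ALL_PACKAGES restores unrestricted package enumeration.
    requests_query_all = any(
        el.get(NAME_ATTR) == QUERY_ALL for el in root.iter("uses-permission")
    )

    # Without that permission, only packages named in <queries> are visible,
    # so the list itself documents which apps the author wants to look for.
    declared = [
        pkg.get(NAME_ATTR)
        for q in root.iter("queries")
        for pkg in q.findall("package")
        if pkg.get(NAME_ATTR)
    ]
    security_hits = sorted(set(declared) & set(security_packages))

    if requests_query_all:
        verdict = "review: can enumerate every installed package"
    elif security_hits:
        verdict = "review: explicitly probes for security packages"
    else:
        verdict = "no package-visibility concern"

    return {
        "package": root.get("package"),
        "requests_query_all_packages": requests_query_all,
        "declared_queries": declared,
        "security_hits": security_hits,
        "verdict": verdict,
    }


# Constructed manifests for demonstration only.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <package android:name="com.example.mtd"/>
        <package android:name="com.example.mdmagent"/>
        <package android:name="com.example.bank"/>
    </queries>
    <application android:label="Flashlight"/>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.maps"/>
    </queries>
    <application android:label="Notes"/>
</manifest>
"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest, SECURITY_PACKAGES))
```

The check is deliberately narrow: it covers `<package>` entries and the blanket permission, not `<intent>` filters inside `<queries>`, and it says nothing about runtime behaviour, so treat a "review" verdict as a vetting prompt rather than a detection on its own.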
Likely telemetry
- Mobile device inventory and installed application records
- Mobile security or mobile threat defense events related to application enumeration or suspicious discovery behavior
- Mobile device management compliance and configuration state changes
- Application behavior logs where available for Android and iOS
- Incident response collection from affected mobile devices, including app lists and security configuration state
Detection direction
- Map existing mobile telemetry to the related technique T1418.001 and confirm whether Android and iOS monitoring can reveal security software or configuration discovery attempts.
- Tune alerts around unusual or unauthorized enumeration of installed security applications, while accounting for benign sources such as device management agents, security products, inventory tools, and legitimate support workflows.
- Use this behavior as contextual enrichment: discovery of security tooling may be more meaningful when followed by additional suspicious mobile activity.
- Document blind spots where personal devices, unmanaged devices, privacy restrictions, or limited mobile logging prevent reliable observation.
- Because MITRE provides no official detection text for DET0680, require local validation before representing this as covered in managed detection, compliance evidence, or executive reporting.
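The allowlisting and contextual-enrichment ideas in the list above, as an added example (not part of the ATT&CK object or the Glexia page): a small correlation routine run over constructed package-enumeration events. The event schema (`package_enumeration` with a `targets` list, plus a few follow-on event names) is assumed for illustration, as are all package names; a real implementation would map whatever the local MTD or app-behaviour source actually emits onto these fields.

```python
"""Correlate package-enumeration events with follow-on activity on the same device.

Added example. The event names, package names and window are assumptions; map
real MTD/app-behaviour telemetry onto this shape before using the logic.
"""
from datetime import datetime, timedelta

# Constructed: packages the organisation treats as security tooling.
SECURITY_PACKAGES = {"com.example.mtd", "com.example.mdmagent"}

# Constructed: apps expected to enumerate packages as part of their job
# (management agents, security products, inventory tools), so they never alert.
ALLOWLISTED_ENUMERATORS = {"com.example.mdmagent", "com.example.mtd"}

# Assumed event names for follow-on behaviour that turns discovery into a case.
FOLLOW_ON_EVENTS = {
    "accessibility_service_enabled",
    "device_admin_requested",
    "overlay_permission_granted",
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def evaluate(events, security_packages=SECURITY_PACKAGES,
             allowlist=ALLOWLISTED_ENUMERATORS, window=timedelta(minutes=10)):
    """Return one finding per (device, actor) that probed for security packages.

    A finding starts at level "info" and is raised to "escalate" when the same
    actor performs a follow-on event on the same device within the window.
    A repeated enumeration by the same actor restarts the window.
    """
    findings = {}
    for e in sorted(events, key=lambda ev: _ts(ev["ts"])):
        key = (e["device"], e["actor"])
        if e["event"] == "package_enumeration":
            if e["actor"] in allowlist:
                continue                      # benign enumerator, no alert
            hits = sorted(set(e["targets"]) & security_packages)
            if not hits:
                continue                      # enumeration, but not of security apps
            findings[key] = {
                "device": e["device"],
                "actor": e["actor"],
                "level": "info",
                "security_targets": hits,
                "enumerated_at": e["ts"],
                "follow_on": [],
            }
        elif e["event"] in FOLLOW_ON_EVENTS and key in findings:
            f = findings[key]
            if _ts(e["ts"]) - _ts(f["enumerated_at"]) <= window:
                f["level"] = "escalate"
                f["follow_on"].append(e["event"])
    return list(findings.values())


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:55:00+00:00", "device": "dev-1", "actor": "com.example.mdmagent",
     "event": "package_enumeration", "targets": ["com.example.mtd", "com.example.flashlight"]},
    {"ts": "2025-01-10T10:00:00+00:00", "device": "dev-1", "actor": "com.example.flashlight",
     "event": "package_enumeration", "targets": ["com.example.mtd", "com.example.bank", "com.example.maps"]},
    {"ts": "2025-01-10T10:03:00+00:00", "device": "dev-1", "actor": "com.example.flashlight",
     "event": "accessibility_service_enabled"},
    {"ts": "2025-01-10T10:00:00+00:00", "device": "dev-2", "actor": "com.example.notes",
     "event": "package_enumeration", "targets": ["com.example.mtd"]},
    {"ts": "2025-01-10T10:30:00+00:00", "device": "dev-2", "actor": "com.example.notes",
     "event": "device_admin_requested"},          # outside the window: stays "info"
    {"ts": "2025-01-10T10:05:00+00:00", "device": "dev-1", "actor": "com.example.game",
     "event": "package_enumeration", "targets": ["com.example.maps"]},
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the management agent is ignored, the flashlight app is escalated because an accessibility service was enabled three minutes after it probed for the MTD package, and the notes app stays at "info" because its follow-on event falls outside the ten-minute window; both the window and the follow-on set are tuning knobs, not fixed values.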
Mitigation priorities
- Prioritize mobile asset and application inventory so defenders know which devices and security applications should be visible.
- Ensure mobile device management or equivalent governance is in place for in-scope Android and iOS devices where business policy allows.
- Validate that mobile security tooling and incident response procedures can capture installed app and configuration evidence during investigations.
- Define SOC triage guidance for security software discovery events, including when to escalate based on surrounding mobile activity.
- Use compliance and readiness reviews to identify unmanaged or low-telemetry mobile populations that would make this behavior difficult to detect.
Analyst notes and limits
This take is based on the DET0680 detection strategy object and its relationship to T1418.001 Security Software Discovery. The ATT&CK object does not provide an official description, official detection text, tactics, or detection-strategy platforms. The related technique identifies Android and iOS as platforms and describes adversaries listing security applications and configurations to shape follow-on behavior.
The supplied data is sparse. No active exploitation, actor attribution, specific detection analytic, data source list, mitigation, or guaranteed platform coverage is provided for DET0680. Any operational detection plan must be confirmed against the organization’s actual mobile telemetry, management scope, privacy constraints, and response procedures.
Detection of Security Software Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1418.001 | Security Software Discovery (sub-technique) | This object detects Security Software Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f0742d11b1d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0680 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.