Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0692: Detection of Process Discovery

DET0692 is a mobile ATT&CK detection strategy for identifying Process Discovery behavior related to technique T1424. In business terms, this matters becaus...

MobileDET0692Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0692 is a mobile ATT&CK detection strategy for identifying Process Discovery behavior related to technique T1424. In business terms, this matters because an adversary learning what apps or processes are running on a mobile device may use that knowledge to decide whether to continue, avoid controls, or choose follow-on actions. For security leaders, the key question is whether mobile security monitoring can show when process-enumeration behavior occurs on Android and iOS devices that matter to the organization.

Executive priority

Prioritize this as a mobile visibility and incident-readiness gap rather than as a standalone high-confidence detection, because the supplied ATT&CK object does not include official detection logic, tactics, or platform fields for the detection strategy itself. Leaders should ask whether managed detection, mobile device management, endpoint/mobile telemetry, and incident response processes can produce evidence of suspicious process discovery on Android and iOS, especially for regulated users, executives, privileged operators, or cyber-physical operations supported by mobile devices.

Technical view

SOC and detection teams should treat DET0692 as a validation prompt for T1424 Process Discovery in the mobile domain. Since the detection strategy has no official detection text, teams should map local telemetry to evidence of applications or system components querying running processes, app state, or comparable process/application inventory information on Android and iOS. Detection engineering should focus on distinguishing expected administrative, diagnostics, security, or device-management activity from unusual app behavior that appears to enumerate running processes and then proceeds to other suspicious mobile actions.

Likely telemetry

  • Mobile security or EDR alerts and behavioral events from Android and iOS devices
  • Mobile device management or enterprise mobility management inventory and compliance logs
  • Application telemetry showing process, app-state, or running-application queries where available
  • Operating system audit, privacy, or diagnostic logs available from managed mobile devices
  • Incident response mobile triage artifacts showing running applications, suspicious app behavior, or discovery activity

Detection direction

  • Confirm what Android and iOS telemetry is actually collected; the ATT&CK object does not provide detection logic or guaranteed data sources.
  • Baseline legitimate process or application inventory activity from MDM, security tools, diagnostics, and enterprise apps to reduce false positives.
  • Look for process-discovery behavior in sequence with other suspicious mobile events rather than relying on a single process-enumeration signal.
  • Validate coverage separately for Android and iOS because available visibility, permissions, and logging differ by platform and management model.
  • Document blind spots for unmanaged devices, personally owned devices, privacy-restricted telemetry, and apps outside enterprise control.

Mitigation priorities

  • Start with mobile asset and management coverage: know which Android and iOS devices are in scope and whether they can provide usable security telemetry.
  • Apply least-privilege and application governance so untrusted or unnecessary apps have limited opportunity to collect device context.
  • Use mobile threat defense, MDM, or equivalent controls where appropriate to monitor suspicious app behavior and support response evidence collection.
  • Integrate mobile alerts and triage procedures into SOC and incident response workflows so process discovery can be correlated with follow-on activity.
  • Maintain compliance evidence showing mobile monitoring scope, known telemetry limitations, and response procedures for high-risk user groups.
Analyst notes and limits

The supplied ATT&CK detection strategy is sparse: no official description, no official detection guidance, no tactics, and no platforms listed on the DET0692 object itself. The practical interpretation comes from its relationship to T1424 Process Discovery in the mobile domain, where the related technique lists Android and iOS and describes adversaries seeking information about running processes to inform later behavior.

This take does not assert active exploitation, attribution, prevalence, or existing detection coverage. Local validation is required to determine whether Android and iOS devices generate sufficient telemetry and whether enterprise tools can distinguish benign process/application inventory activity from suspicious discovery behavior.

Official MITRE ATT&CK definition

Detection of Process Discovery

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1424 Process Discovery This object detects Process Discovery.
Relationship explorer

All related ATT&CK context

detects · Technique T1424: Process Discovery Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
931b516087dda15c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 931b516087dd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0692
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use