MITRE ATT&CK® Detection Strategy

DET0693: Detection of Disable or Modify Tools

Domain: Mobile | ID: DET0693 | Type: Detection Strategy object | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about recognizing when an adversary disables or tampers with mobile security tooling. For business leaders, the practical issue is loss of visibility: if endpoint or mobile controls stop scanning, reporting, or enforcing policy, incident responders may be making decisions with incomplete evidence. The related ATT&CK technique is Android-focused and includes abuse of device administrator permissions or root-level access to interfere with security tools or protected system files.

Executive priority

Prioritize this as a mobile resilience and assurance issue rather than only a malware alert. Leaders should ask whether managed mobile devices can prove that security agents, policy enforcement, and device health signals remain intact during an incident. This matters for incident triage, compliance evidence, and confidence in mobile access to business systems, especially where Android devices are used for privileged workflows, field operations, or access to sensitive applications.

Technical view

The mirrored DET0693 object carries no official detection text, so SOC and IR teams should validate coverage against the related technique T1629.003: Disable or Modify Tools. Defensive validation should focus on Android evidence showing changes to security tool state, device administrator permission abuse, SELinux configuration changes, root indicators, protected system file modification, or gaps in expected security tool reporting. Because tactics and platforms are not specified on the detection-strategy object itself, detection design should be anchored to the related Android technique and to the organization's own mobile management architecture.

Likely telemetry

  • Mobile device management or enterprise mobility management compliance state
  • Android security agent health and heartbeat data
  • Device administrator permission changes
  • Application enablement, disablement, uninstall, or tamper events for security tools
  • Root or system integrity indicators

Detection direction

  • Confirm that alerts exist for security tool disablement, unexpected policy removal, agent heartbeat loss, or tamper events on Android devices.
  • Correlate security tool state changes with device administrator permission changes, root indicators, and system integrity changes to reduce false positives from legitimate maintenance or enrollment actions.
  • Treat missing telemetry as a detection condition when a managed device suddenly stops reporting while still expected to be active.
  • Tune for authorized administrative workflows, device re-enrollment, software updates, and decommissioning so operational changes are not confused with adversary tampering.
  • Validate whether mobile telemetry is retained and accessible to SOC and IR teams quickly enough to support incident decisions.
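The correlation logic described in the Technical view and in the Detection direction items above, as an added example that is not part of this page or of any MITRE or Glexia tooling. It runs two rules over constructed Android management telemetry: a heartbeat-loss rule for devices that should be active but have gone silent, and a tampering rule that fires when a required security tool is disabled, force-stopped or uninstalled, escalating when a non-allowlisted device-admin grant or a root indicator lands on the same device within a short window. Authorized re-enrollment or decommissioning windows suppress both rules. The event schema, app package names (com.example.mtd, com.example.mdm, com.unknown.dropper), device IDs and thresholds are all assumptions for illustration, not fields of any real MDM product.

```python
# Added example (not from the page, MITRE or Glexia): correlate Android security-agent
# telemetry to surface T1629.003-style tampering. Event schema, app names and
# device IDs are constructed assumptions, not fields of any real MDM product.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_SECURITY_TOOLS = {"com.example.mtd"}   # hypothetical mobile threat defense agent
ALLOWED_DEVICE_ADMINS = {"com.example.mdm"}     # hypothetical MDM client
HEARTBEAT_TIMEOUT = timedelta(hours=6)          # agent silence beyond this is an alert
CORRELATION_WINDOW = timedelta(minutes=30)      # corroborating events must fall in here


@dataclass
class Alert:
    device: str
    rule: str
    severity: str
    evidence: list = field(default_factory=list)


def _ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _in_change_window(device, when, change_windows):
    """True if `when` falls in an authorized re-enrollment/maintenance window."""
    return any(d == device and start <= when <= end for d, start, end in change_windows)


def detect_tool_tampering(events, expected_active, decommissioned, change_windows, now):
    """Return alerts for agent heartbeat loss and correlated security-tool tampering."""
    alerts, last_seen, by_device = [], {}, {}
    for raw in events:
        e = dict(raw, ts=_ts(raw["ts"]))
        by_device.setdefault(e["device"], []).append(e)
        if e["type"] == "agent_heartbeat":
            last_seen[e["device"]] = max(last_seen.get(e["device"], e["ts"]), e["ts"])

    # Rule 1: missing telemetry is itself a detection condition for devices that
    # should be active, unless the silence falls in an authorized change window.
    for dev in sorted(expected_active - decommissioned):
        seen = last_seen.get(dev)
        stale = seen is None or now - seen > HEARTBEAT_TIMEOUT
        if stale and not _in_change_window(dev, now, change_windows):
            alerts.append(Alert(dev, "agent_heartbeat_loss", "medium", [f"last heartbeat: {seen}"]))

    # Rule 2: required security tool disabled, force-stopped or uninstalled.
    # Escalate when a non-allowlisted device-admin grant or a root indicator
    # lands on the same device within the correlation window.
    for dev, evs in by_device.items():
        for e in evs:
            if e["type"] != "security_tool_state" or e["app"] not in REQUIRED_SECURITY_TOOLS:
                continue
            if e["state"] not in ("disabled", "force_stopped", "uninstalled"):
                continue
            if _in_change_window(dev, e["ts"], change_windows):
                continue  # tuned out: authorized re-enrollment or decommissioning
            corroborating = [
                o for o in evs if abs(o["ts"] - e["ts"]) <= CORRELATION_WINDOW and (
                    (o["type"] == "device_admin_change" and o["action"] == "granted"
                     and o["app"] not in ALLOWED_DEVICE_ADMINS)
                    or o["type"] == "root_indicator")
            ]
            evidence = [f"{e['app']} {e['state']} at {e['ts'].isoformat()}"]
            evidence += [f"{o['type']}: {o.get('app') or o.get('detail')}" for o in corroborating]
            alerts.append(Alert(dev, "security_tool_tampering",
                                "high" if corroborating else "medium", evidence))
    return alerts


# Constructed sample telemetry (not real data). Each device exercises one case.
SAMPLE_EVENTS = [
    # dev-a: rogue app gets device admin, root indicator, then the MTD agent is disabled -> high
    {"device": "dev-a", "ts": "2024-05-01T11:40:00", "type": "device_admin_change", "app": "com.unknown.dropper", "action": "granted"},
    {"device": "dev-a", "ts": "2024-05-01T11:42:00", "type": "root_indicator", "detail": "su binary present"},
    {"device": "dev-a", "ts": "2024-05-01T11:45:00", "type": "security_tool_state", "app": "com.example.mtd", "state": "disabled"},
    {"device": "dev-a", "ts": "2024-05-01T11:50:00", "type": "agent_heartbeat"},
    # dev-b: expected active, last heartbeat ten hours ago -> heartbeat loss
    {"device": "dev-b", "ts": "2024-05-01T02:00:00", "type": "agent_heartbeat"},
    # dev-c: agent uninstalled inside an authorized re-enrollment window -> suppressed
    {"device": "dev-c", "ts": "2024-05-01T11:30:00", "type": "security_tool_state", "app": "com.example.mtd", "state": "uninstalled"},
    {"device": "dev-c", "ts": "2024-05-01T11:55:00", "type": "agent_heartbeat"},
    # dev-e: agent disabled with no corroborating admin or root evidence -> medium
    {"device": "dev-e", "ts": "2024-05-01T09:00:00", "type": "security_tool_state", "app": "com.example.mtd", "state": "disabled"},
    {"device": "dev-e", "ts": "2024-05-01T11:58:00", "type": "agent_heartbeat"},
]
SAMPLE_NOW = _ts("2024-05-01T12:00:00")
SAMPLE_EXPECTED_ACTIVE = {"dev-a", "dev-b", "dev-c", "dev-d", "dev-e"}
SAMPLE_DECOMMISSIONED = {"dev-d"}   # dev-d is silent but retired, so no alert
SAMPLE_CHANGE_WINDOWS = [("dev-c", _ts("2024-05-01T11:00:00"), _ts("2024-05-01T12:00:00"))]


def run_sample():
    return detect_tool_tampering(SAMPLE_EVENTS, SAMPLE_EXPECTED_ACTIVE, SAMPLE_DECOMMISSIONED,
                                 SAMPLE_CHANGE_WINDOWS, SAMPLE_NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.device} {a.rule} [{a.severity}] {'; '.join(a.evidence)}")
```

On the constructed sample this yields three alerts: dev-b for heartbeat loss, dev-a as high-severity tampering (device-admin grant and root indicator within the window), and dev-e as medium-severity tampering with no corroboration. dev-c is suppressed because its uninstall falls inside an authorized re-enrollment window, and dev-d produces nothing because it is decommissioned. In a real deployment the change windows would come from the MDM or change-management system rather than a hand-written list, and the allowlists from the mobile security baseline the Mitigation priorities below call for.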

Mitigation priorities

  • Define required mobile security tooling and reporting baselines for Android devices that access business systems.
  • Restrict and monitor device administrator permissions and other high-risk mobile management privileges.
  • Use mobile management policy to detect noncompliant, rooted, or security-tool-disabled devices and limit their access where appropriate.
  • Ensure incident response playbooks include steps for handling devices with missing or untrusted security telemetry.
  • Maintain audit evidence showing control health, policy enforcement, and exception handling for managed mobile devices.

Analyst notes and limits

DET0693 is a detection-strategy object with no official description or detection guidance supplied. The useful context comes from its relationship to T1629.003, Disable or Modify Tools, in the mobile ATT&CK domain. The strongest defensive value is validating whether Android security-control health is observable, alertable, and usable during incident response.

The detection-strategy object does not specify platforms, tactics, or official detection logic. The related technique identifies Android and describes likely mechanisms, but local device management design, security tooling, telemetry access, and retention determine actual coverage. This take does not assert active exploitation, attribution, or guaranteed detection.

Official MITRE ATT&CK definition

Detection of Disable or Modify Tools

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Mobile | T1629.003 | Disable or Modify Tools | Sub-technique | This object detects Disable or Modify Tools.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 09a2024a7aaf4867...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 09a2024a7aaf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0693
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.