DET0694: Detection of Hijack Execution Flow
Analyst context for executives and security teams
DET0694 is a MITRE ATT&CK mobile detection strategy for identifying Hijack Execution Flow behavior related to Android technique T1625. The business issue is persistence and unauthorized code execution: if an attacker can influence how a mobile OS or app resolves programs or libraries, malicious payloads may run repeatedly without looking like a normal standalone app launch.
Executive priority
Treat this as a mobile security validation priority where Android devices, mobile apps, or bring-your-own-device access support sensitive workflows. Leaders should ask whether mobile telemetry, MDM controls, app integrity checks, and incident response playbooks can prove when execution flow has been altered. Because the ATT&CK object has no official detection text or platform field of its own, coverage decisions should be based on the related Android technique and local mobile risk, not assumed from the detection strategy alone.
Technical view
SOC and detection engineering teams should validate whether they can observe suspicious changes in Android application execution paths, library resolution behavior, app installation or update events, and persistence-like re-execution patterns. Since DET0694 provides no official detection logic, detection content should be derived from the related T1625 behavior and tested against approved mobile application baselines. IR teams should be prepared to compare affected devices and apps against known-good application packages, expected library locations, and recent configuration or installation changes.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance events
- Android application install, update, removal, and permission-change records
- Mobile threat defense or endpoint telemetry showing app launch and execution anomalies
- Application package integrity, signing, and version metadata
- Evidence of unexpected library or executable resolution paths where available
Detection direction
- Start by confirming whether mobile telemetry can support the related Android technique T1625; the detection strategy itself does not specify platforms or detection logic.
- Baseline expected app packages, signatures, versions, and library locations so deviations can be reviewed as potential execution-flow hijacking indicators.
- Correlate suspicious app execution changes with recent installs, updates, sideloading indicators, permission changes, or device compliance state.
- Tune for false positives from legitimate app updates, enterprise mobile app wrapping, developer/test builds, and sanctioned security tooling.
- Document blind spots where mobile OS restrictions, privacy settings, unmanaged BYOD, or lack of mobile threat defense prevent collection of execution or library-loading evidence.
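As an added example (not part of the ATT&CK object or the Glexia analysis), the baseline comparison the list above describes, run over a constructed MDM inventory export: the row field names, package names, signer digests and library paths are assumptions, chosen to match the telemetry listed on this page.

```python
# Baseline deviation review for Android app inventory rows (added example).
# Assumptions, not from the ATT&CK object: each MDM/EMM inventory row is a dict
# with device_id, package, version_code, signer_sha256, installer and
# native_lib_dir. All names, hashes and paths below are constructed samples.

# Constructed baseline of approved packages (placeholder app and cert digest).
BASELINE = {
    "com.example.fieldapp": {
        "signer_sha256": "1111aaaa2222bbbb",   # approved signing cert digest
        "min_version_code": 42,                # oldest sanctioned build
        "installers": {"com.android.vending", "com.example.mdm"},
        "native_lib_dir": "/data/app/com.example.fieldapp/lib/arm64",
    },
}

def review_record(rec, baseline=BASELINE):
    """Return deviations of one inventory row; each is a review indicator."""
    expected = baseline.get(rec["package"])
    if expected is None:
        return ["unbaselined package"]
    findings = []
    if rec["signer_sha256"] != expected["signer_sha256"]:
        findings.append("signer mismatch")          # repackaged or replaced app
    if rec["version_code"] < expected["min_version_code"]:
        findings.append("version downgrade")        # rollback below approved build
    if rec["installer"] not in expected["installers"]:
        findings.append("sideload indicator")       # not from a trusted store or MDM
    if rec["native_lib_dir"] != expected["native_lib_dir"]:
        findings.append("unexpected library path")  # library resolution changed
    return findings

def review_inventory(records, baseline=BASELINE):
    """Map device_id -> findings for every row that deviates from the baseline."""
    report = {}
    for rec in records:
        findings = review_record(rec, baseline)
        if findings:  # compliant rows are omitted to keep the review queue short
            report[rec["device_id"]] = findings
    return report

# Constructed sample export: one compliant device, one with an altered copy.
SAMPLE_INVENTORY = [
    {"device_id": "dev-01", "package": "com.example.fieldapp", "version_code": 45,
     "signer_sha256": "1111aaaa2222bbbb", "installer": "com.android.vending",
     "native_lib_dir": "/data/app/com.example.fieldapp/lib/arm64"},
    {"device_id": "dev-02", "package": "com.example.fieldapp", "version_code": 40,
     "signer_sha256": "ffff9999eeee8888", "installer": "com.android.packageinstaller",
     "native_lib_dir": "/data/local/tmp/lib/arm64"},
]
```

Findings are review indicators, not verdicts: the tuning item above still applies, so a signer change on a sanctioned enterprise-wrapped build should be handled by updating the baseline rather than escalating.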
Mitigation priorities
- Prioritize mobile application control and device compliance requirements for Android devices that access business-critical data.
- Restrict unmanaged or noncompliant devices from sensitive applications where telemetry and integrity assurance are insufficient.
- Use trusted app distribution, package signing validation, and update governance to reduce opportunities for unauthorized execution-flow changes.
- Maintain incident response procedures for mobile device isolation, evidence preservation, app integrity review, and credential/session revocation when hijacking is suspected.
- Use detection validation results as compliance evidence for mobile security monitoring and control effectiveness, noting any unsupported telemetry gaps.
Analyst notes and limits
This take is based on the official DET0694 metadata and its relationship to T1625 Hijack Execution Flow in the mobile ATT&CK domain. The related technique explicitly references Android and describes adversaries hijacking how the operating system runs applications or locates programs and libraries, potentially supporting persistence. No ATT&CK tactics, aliases, labels, official description, or official detection guidance were supplied for DET0694.
The source object is sparse: platforms and tactics are not specified for the detection strategy, and no official detection text is provided. Recommendations therefore describe validation direction rather than confirmed analytics. Local mobile management architecture, Android fleet scope, application inventory, and available telemetry are required to determine actual coverage.
Detection of Hijack Execution Flow
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1625 | Hijack Execution Flow | This object detects Hijack Execution Flow. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a381623c234e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0694
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.