MITRE ATT&CK® Detection Strategy

DET0704: Detection of Compromise Software Dependencies and Development Tools


Domain: Mobile. ID: DET0704. Type: Detection Strategy. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0704 is a mobile ATT&CK detection strategy focused on spotting compromise of software dependencies and development tools. The business issue is supply-chain trust: mobile apps may inherit risk from third-party code or build components before the final product reaches users. For leaders, this matters because a weakness in dependency governance or build integrity can create downstream exposure that normal endpoint or app monitoring may not see until after release.

Executive priority

Treat this as a software supply-chain and mobile application assurance priority rather than only a SOC alerting problem. Security leaders should ask whether mobile development teams can prove what dependencies and tools were used, whether changes to those components are reviewed, and whether incident responders can trace a suspicious mobile app behavior back to a dependency or build process. This supports resilience, audit evidence, and risk-based prioritization for mobile applications on Android and iOS, as identified through the related ATT&CK technique.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects T1474.001, Compromise Software Dependencies and Development Tools, in the mobile domain. SOC, detection engineering, and IR teams should validate visibility across the mobile software delivery lifecycle: dependency inventories, build tool changes, package or library updates, code repository activity, build pipeline logs, application signing records, and release artifacts. Detection should focus on unexpected or unauthorized changes to dependencies, development tools, or delivery mechanisms that could introduce malicious code into Android or iOS applications.

Likely telemetry

  • Software bill of materials or dependency inventory records for mobile applications
  • Source code repository commit, merge, and review logs
  • Build pipeline and continuous integration logs
  • Development tool configuration and version change records
  • Package manager or dependency update logs

Detection direction

  • Confirm whether dependency and build-tool changes are logged with enough detail to support investigation, not just compliance inventory.
  • Baseline expected dependency versions, maintainers, build tools, and release artifacts for mobile applications, then review deviations.
  • Correlate repository, dependency, build, signing, and release events; isolated logs may miss supply-chain manipulation.
  • Tune for legitimate developer activity, routine dependency upgrades, and automated build changes to reduce false positives.
  • Use the relationship to T1474.001 as context: the concern is manipulation before receipt by the final consumer, so release provenance and pre-release controls are central.
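As an added example (not part of the Glexia page or any MITRE tooling), the baseline-and-deviation review in the detection direction above, and the inventory and approval controls in the mitigation priorities below, can be implemented as a diff between a baselined dependency inventory and the inventory resolved by the current mobile build. Package coordinates, maintainers and registries are constructed sample data, and the inventory record shape is an assumption.

```python
# Added example: compare a baselined mobile dependency inventory (e.g. from an SBOM)
# with the current build's inventory and flag deviations not covered by an approved
# change record. Sample packages, maintainers and registries are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dep:
    version: str
    maintainer: str   # publisher identity recorded for the artifact
    source: str       # registry or repository the artifact was resolved from

def diff_inventory(baseline, current, approved_changes):
    """Return (package, finding) tuples for unapproved deviations from baseline.
    approved_changes: set of (package, new_version) pairs that passed review.
    Maintainer or source changes are always flagged, even when the version bump
    was approved, because those are the fields a tampered dependency alters."""
    findings = []
    for pkg in sorted(set(baseline) | set(current)):
        old, new = baseline.get(pkg), current.get(pkg)
        if old is None:
            if (pkg, new.version) not in approved_changes:
                findings.append((pkg, f"new dependency {new.version} without approval"))
            continue
        if new is None:
            findings.append((pkg, f"dependency removed (baseline {old.version})"))
            continue
        if new.version != old.version and (pkg, new.version) not in approved_changes:
            findings.append((pkg, f"version {old.version} -> {new.version} without approval"))
        if new.maintainer != old.maintainer:
            findings.append((pkg, f"maintainer changed {old.maintainer} -> {new.maintainer}"))
        if new.source != old.source:
            findings.append((pkg, f"resolved from {new.source} instead of {old.source}"))
    return findings

# Constructed sample inventories (Gradle-style coordinates are illustrative only).
BASELINE = {
    "com.example:net-client": Dep("4.10.0", "example-org", "repo.maven.apache.org"),
    "com.example:json": Dep("2.9.0", "example-org", "repo.maven.apache.org"),
    "com.example:analytics": Dep("1.2.0", "example-analytics", "repo.maven.apache.org"),
}
CURRENT = {
    "com.example:net-client": Dep("4.11.0", "example-org", "repo.maven.apache.org"),
    "com.example:json": Dep("2.9.0", "example-org", "mirror.internal.example"),
    "com.example:analytics": Dep("1.2.1", "unknown-publisher", "repo.maven.apache.org"),
    "com.example:crash-reporter": Dep("0.1.0", "anon", "repo.maven.apache.org"),
}
APPROVED = {("com.example:net-client", "4.11.0")}  # reviewed version bump

if __name__ == "__main__":
    for pkg, finding in diff_inventory(BASELINE, CURRENT, APPROVED): print(f"{pkg}: {finding}")
```

The approved net-client upgrade produces no finding, while the unapproved version bump with a maintainer change, the registry switch for an unchanged version, and the unreviewed new package are each reported for correlation with repository, build and signing logs.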

Mitigation priorities

  • Maintain an accurate inventory of mobile application dependencies and development tools.
  • Require review and approval for dependency additions, version changes, and build tool modifications.
  • Preserve build, signing, and release evidence so IR teams can reconstruct provenance during an investigation.
  • Apply security assessment to third-party libraries and build outputs before release.
  • Align mobile development, SOC, incident response, and compliance teams on what evidence proves dependency and build integrity.

Analyst notes and limits

This take is based on the detection strategy object DET0704 and its relationship to T1474.001. Because the object does not include official detection guidance, the practical direction is inferred conservatively from the related technique description: adversaries may manipulate software dependencies or delivery mechanisms before the final consumer receives the application.

The ATT&CK object provides no official description, no official detection text, no tactics, and no platforms directly on the detection strategy. Android and iOS are included only because the related technique lists them. Local architecture, development workflow, repository tooling, and build pipeline evidence are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection of Compromise Software Dependencies and Development Tools

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1474.001
Name: Compromise Software Dependencies and Development Tools (sub-technique)
Relationship / procedure: This object detects Compromise Software Dependencies and Development Tools.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6f4825af0f029d3a...

Imported snapshots across ATT&CK releases (1)

Release 19.1; object version 1.0; status: current bundle; raw hash 6f4825af0f02…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0704 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.