MITRE ATT&CK® Detection Strategy

DET0705: Detection of Input Capture


Mobile | DET0705 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it points defenders at mobile input-capture behavior: attempts to collect credentials or other sensitive user-entered data on Android and iOS. For leaders, the value is not that DET0705 provides a ready-made rule—it does not include official detection logic—but that it identifies a business-critical question: can the organization see and investigate mobile behaviors that may expose credentials, authentication prompts, or sensitive workflows?

Executive priority

Treat this as an identity and mobile-risk validation item. If employees use mobile devices for email, SaaS, privileged access, MFA, or regulated workflows, input capture can turn a device compromise into credential theft and downstream account risk. Executives should ask whether mobile telemetry, device management controls, incident response playbooks, and compliance evidence are sufficient to investigate suspected credential capture on Android and iOS. Prioritization should focus on high-risk user groups and mobile access paths rather than assuming ATT&CK provides complete detection coverage here.

Technical view

DET0705 is a mobile ATT&CK detection strategy that detects technique T1417, Input Capture. The supplied object has no official description, no official detection text, no tactics, and no platforms of its own; the related technique context identifies Android and iOS. SOC and detection teams should therefore use this as a coverage-mapping prompt: confirm which mobile security, endpoint, identity, and application logs could show suspicious input-capture-related behavior, then correlate those signals with authentication events and user-reported prompts. IR teams should ensure mobile-device triage procedures can preserve relevant app, device-management, and authentication evidence when credential capture is suspected.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory, compliance, and security events
  • Mobile threat defense or mobile endpoint security alerts, where deployed
  • Application installation, permission, configuration, and profile-change records for Android and iOS devices
  • Identity-provider authentication logs, including unusual sign-ins following mobile activity
  • User reports or helpdesk tickets describing suspicious login prompts, overlays, or unexpected credential requests

Detection direction

  • Map DET0705 to T1417 Input Capture and validate whether Android and iOS evidence sources are actually available for managed and unmanaged device populations.
  • Do not treat DET0705 as a deployable analytic by itself; the official object provides no detection logic or detection text.
  • Tune investigations around correlation: suspicious mobile app/device events plus authentication anomalies or user reports are more decision-useful than isolated mobile alerts.
  • Identify blind spots such as personal/BYOD devices, limited iOS visibility, unmanaged apps, missing mobile threat defense coverage, and identity logs that are not linked back to device context.
  • Account for false positives from legitimate accessibility features, enterprise apps, password managers, SSO prompts, and approved device-management actions; require context before escalation.
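The correlation-over-isolated-alerts point above, shown as an added example that is not part of the Glexia page or of ATT&CK: a risky, non-approved mobile permission change (accessibility service or overlay granted) is only surfaced when the same user has an anomalous identity-provider sign-in within a following window, and approved apps such as password managers are suppressed so legitimate accessibility use does not escalate. Event names, field names, app identifiers and the allowlist are hypothetical, and all events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real telemetry).
# Hypothetical field names for an MDM/MTD feed and an identity-provider sign-in feed.
MOBILE_EVENTS = [
    {"ts": "2026-01-10T08:00", "user": "alice", "device": "d1",
     "event": "app_install", "app": "com.unknown.helper"},
    {"ts": "2026-01-10T09:00", "user": "alice", "device": "d1",
     "event": "accessibility_service_enabled", "app": "com.unknown.helper"},
    {"ts": "2026-01-10T09:05", "user": "bob", "device": "d2",
     "event": "accessibility_service_enabled", "app": "com.example.passwordmgr"},
    {"ts": "2026-01-10T09:10", "user": "carol", "device": "d3",
     "event": "overlay_permission_granted", "app": "com.unknown.cleaner"},
]
AUTH_EVENTS = [
    {"ts": "2026-01-09T11:00", "user": "alice", "anomalous": True, "reason": "new_country"},
    {"ts": "2026-01-10T11:30", "user": "alice", "anomalous": True, "reason": "new_country"},
    {"ts": "2026-01-10T11:40", "user": "bob", "anomalous": True, "reason": "impossible_travel"},
    {"ts": "2026-01-10T11:50", "user": "carol", "anomalous": False, "reason": ""},
]

# Hypothetical allowlist of apps approved to use accessibility/overlay features.
APPROVED_APPS = {"com.example.passwordmgr", "com.example.sso"}
# Hypothetical event names for permission/config changes worth pairing with identity signals.
RISKY_EVENTS = {"accessibility_service_enabled", "overlay_permission_granted", "unknown_source_install"}


def correlate(mobile_events, auth_events, window_hours=24):
    """Return findings where a risky, non-approved mobile change precedes an anomalous sign-in."""
    findings = []
    for m in mobile_events:
        if m["event"] not in RISKY_EVENTS or m["app"] in APPROVED_APPS:
            continue  # not capture-relevant, or approved context: no escalation on its own
        m_ts = datetime.fromisoformat(m["ts"])
        for a in auth_events:
            if a["user"] != m["user"] or not a["anomalous"]:
                continue
            delta = datetime.fromisoformat(a["ts"]) - m_ts
            # Only sign-ins that follow the device change, inside the window, count.
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                findings.append({"user": m["user"], "device": m["device"], "app": m["app"],
                                 "mobile_event": m["event"], "auth_reason": a["reason"],
                                 "hours_between": round(delta.total_seconds() / 3600, 2)})
    return findings


if __name__ == "__main__":
    for finding in correlate(MOBILE_EVENTS, AUTH_EVENTS):
        print(finding)
```

Only alice is surfaced: bob's change comes from an approved password manager and carol has no sign-in anomaly, which is the "require context before escalation" behaviour the list describes.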

Mitigation priorities

  • Start with asset and access scoping: identify mobile devices and user groups that access sensitive systems or credentials.
  • Ensure mobile device management and security tooling can enforce baseline controls, collect investigation evidence, and support response actions for Android and iOS where in scope.
  • Strengthen identity controls around mobile access, including conditional access, MFA resilience, and rapid credential/session revocation processes when input capture is suspected.
  • Review app installation, permission, and configuration governance for managed devices, especially for users with privileged or high-value access.
  • Prepare incident response procedures for mobile credential-compromise scenarios, including device isolation, evidence preservation, password/session reset, and identity monitoring.

Analyst notes and limits

The key decision value is coverage validation. DET0705 is an ATT&CK detection strategy for mobile Input Capture, but the supplied STIX fields do not provide an official analytic, data-source list, or platform field on the strategy itself. The only platform context comes from the related T1417 technique, which lists Android and iOS.

This take is constrained to the supplied ATT&CK fields and relationship context. Because the official description and detection fields are not provided, no specific detection rule, data component, adversary behavior chain, or guaranteed coverage should be inferred. Local device-management architecture, BYOD policy, identity logging, and mobile security tooling determine practical detectability.

Official MITRE ATT&CK definition

Detection of Input Capture

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile | ID: T1417 | Name: Input Capture | Relationship / procedure: This object detects Input Capture.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see "Updates" under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5da7262b649efc1b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: 5da7262b649e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0705 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.