Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0707: Detection of Scheduled Task/Job

DET0707 is a mobile ATT&CK detection strategy for identifying abuse of scheduled task or job functionality, as related to T1603 Scheduled Task/Job. The bus...

MobileDET0707Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0707 is a mobile ATT&CK detection strategy for identifying abuse of scheduled task or job functionality, as related to T1603 Scheduled Task/Job. The business significance is persistence and recurring execution: if a malicious mobile app or component can schedule code to run later or repeatedly, an incident may continue even after obvious user activity stops. For leaders, the key question is whether mobile security monitoring can show when Android or iOS task scheduling behavior is expected, suspicious, or tied to an incident timeline.

Executive priority

Prioritize this as a mobile resilience and incident-readiness issue where Android or iOS devices are in scope for enterprise access, regulated workflows, or operational processes. Ask whether mobile telemetry, MDM/UEM records, application vetting, and incident response procedures can support evidence-based decisions about suspicious recurring execution. Because the ATT&CK object provides no official detection logic, this should be treated as a validation gap to close rather than as a ready-made detection rule.

Technical view

The supplied relationship says this strategy detects T1603 Scheduled Task/Job in the mobile domain, with related platforms Android and iOS. For defenders, validation should focus on whether mobile monitoring can observe or infer scheduled execution behavior, especially Android scheduling mechanisms referenced in the related technique context such as WorkManager and its underlying use of JobScheduler, GcmNetworkManager, and AlarmManager. SOC and IR teams should map which mobile apps are authorized to schedule background work, what normal recurring activity looks like, and whether suspicious scheduled jobs can be correlated with app install time, permissions, network activity, alerts, and user reports.

Likely telemetry

  • Mobile device management or unified endpoint management inventory and compliance records
  • Mobile threat defense or mobile EDR alerts and behavioral events
  • Android application, permission, package, and background execution indicators where available
  • iOS application inventory and device compliance indicators where available
  • App installation, update, and removal timestamps

Detection direction

  • Validate whether the organization can observe scheduled or recurring mobile background execution at all; the ATT&CK object does not provide official detection text.
  • Use relationship context to focus detection engineering on T1603 Scheduled Task/Job behavior rather than only on app presence or static reputation.
  • Baseline approved enterprise mobile apps that legitimately schedule background work to reduce false positives.
  • Correlate suspected scheduled execution with app install time, permission changes, device compliance changes, suspicious network activity, and other mobile security alerts.
  • Account for platform blind spots: mobile OS restrictions, privacy controls, unmanaged devices, and limited forensic access may prevent direct visibility into scheduled jobs.

Mitigation priorities

  • Define which Android and iOS devices are in scope for enterprise monitoring and incident response.
  • Ensure mobile app governance and application allowlisting or approval processes cover apps that perform background or scheduled work.
  • Configure MDM/UEM and mobile security tooling to retain enough device, app, compliance, and alert history to support incident timelines.
  • Document IR procedures for preserving mobile evidence and deciding when device isolation, app removal, or device reset is required.
  • Review compliance evidence requirements for managed mobile devices that access sensitive business systems.
Analyst notes and limits

This take is based on the DET0707 detection strategy object and its relationship to T1603 Scheduled Task/Job. The most useful defensive value is not a specific rule from MITRE, but a coverage assessment: can the organization identify suspicious scheduled or recurring execution on managed mobile platforms and use that evidence during response?

The supplied DET0707 object has no official description, no official detection text, no tactics, and no platforms of its own. Platform references come only from the related T1603 technique context, which lists Android and iOS. Local telemetry availability, privacy constraints, mobile management coverage, and tool capabilities must be verified before assuming detection or response coverage.

Official MITRE ATT&CK definition

Detection of Scheduled Task/Job

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1603 Scheduled Task/Job This object detects Scheduled Task/Job.
Relationship explorer

All related ATT&CK context

detects · Technique T1603: Scheduled Task/Job Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b8b520296490858b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b8b520296490…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0707
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use