MITRE ATT&CK® Detection Strategy

DET0710: Detection of Disguise Root/Jailbreak Indicators

Domain: Mobile. Object: DET0710, Detection Strategy, version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0710 is a mobile detection strategy for finding attempts to disguise root or jailbreak indicators. The business issue is not the presence of a single artifact; it is whether mobile security, compliance, and incident response decisions depend on checks that an adversary can bypass by renaming, hiding, or varying indicators. For leaders, this matters where mobile devices are trusted for corporate access, regulated data, or operational workflows.

Executive priority

Prioritize this as a validation question for mobile security assurance: are root/jailbreak conclusions based on resilient evidence or brittle signatures? If mobile device posture influences access decisions, audit evidence, or incident triage, security leaders should ask whether controls account for evasion of common artifacts such as renamed binaries or polymorphic code. The object has sparse official detail, so priority should be driven by local reliance on Android and iOS device integrity signals.

Technical view

This detection strategy detects technique T1630.003, Disguise Root/Jailbreak Indicators, in the mobile domain. SOC, mobile security, and IR teams should validate whether their detection logic depends only on static artifact names or signatures, such as looking for a known 'su' binary path/name, and whether it can identify suspicious device-compromise evidence when indicators are renamed or varied. Because the ATT&CK object does not provide official detection text or tactics, teams should map this to their own mobile telemetry, MDM/UEM posture checks, mobile threat defense findings, endpoint/mobile app telemetry, and incident review procedures for Android and iOS.

Likely telemetry

  • Mobile device posture or compliance assessment results for Android and iOS
  • Mobile security product detections related to root or jailbreak status
  • File or artifact inspection results where available, including checks for privileged binaries or jailbreak/root-related components
  • Application integrity, code-signing, or signature-based detection results where available
  • MDM/UEM inventory, enrollment, compliance, and policy enforcement events

Detection direction

  • Test whether root/jailbreak detection relies on single artifact names, fixed paths, or static signatures that could be evaded by renaming or polymorphism.
  • Correlate multiple evidence classes instead of treating absence of a known indicator as proof that the device is uncompromised.
  • Tune triage to handle false positives from legitimate administrative, testing, developer, or previously remediated devices where applicable.
  • Review alert suppression and compliance logic to ensure a device is not automatically trusted solely because common root/jailbreak indicators are missing.
  • Use the relationship to T1630.003 as context for detection validation; the supplied object does not include official ATT&CK detection analytics.
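As an added illustration (not part of the MITRE object or Glexia's analysis), the following Python contrasts an indicator-only root check with a layered score over several independent evidence classes, so that a missing 'su' path alone never clears a device. The signal names, weights, setuid allowlist and device records are hypothetical, constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed fleet knowledge: su locations a brittle check looks for, and a
# hypothetical allowlist of setuid-root binaries expected on managed devices.
KNOWN_SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}
EXPECTED_SETUID = {"/system/bin/run-as"}

@dataclass
class PostureEvidence:
    """One device's posture snapshot as an MDM/MTD agent might report it (constructed)."""
    device_id: str
    file_paths: set = field(default_factory=set)            # paths enumerated by the agent
    setuid_root_binaries: set = field(default_factory=set)  # setuid-root binaries found
    system_partition_writable: bool = False
    selinux_enforcing: bool = True
    build_tags: str = "release-keys"
    attestation_verdict: str = "PASS"                        # hardware-backed integrity result

def brittle_check(ev: PostureEvidence) -> bool:
    """Indicator-only logic: the device is 'rooted' only if a known su path is present."""
    return bool(ev.file_paths & KNOWN_SU_PATHS)

def layered_check(ev: PostureEvidence, threshold: int = 3):
    """Weight independent evidence classes; absence of one artifact is not proof of integrity."""
    unexpected = ev.setuid_root_binaries - EXPECTED_SETUID
    checks = [  # (hit?, weight, reason) -- weights are illustrative, tune per fleet
        (bool(ev.file_paths & KNOWN_SU_PATHS), 2, "known su path present"),
        (bool(unexpected), 2, f"unexpected setuid-root binaries: {sorted(unexpected)}"),
        (ev.system_partition_writable, 2, "system partition mounted writable"),
        (not ev.selinux_enforcing, 1, "SELinux not enforcing"),
        (ev.build_tags != "release-keys", 1, f"non-release build tags: {ev.build_tags}"),
        (ev.attestation_verdict != "PASS", 3, f"attestation verdict: {ev.attestation_verdict}"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    # 'review' routes low-scoring devices (e.g. developer builds) to triage rather than auto-deny.
    verdict = "compromised" if score >= threshold else ("review" if score else "clean")
    return verdict, score, reasons

# Constructed sample telemetry: a clean device, one whose known su path is absent but
# whose other evidence is inconsistent with an intact device, and a developer build.
DEVICES = {
    "clean": PostureEvidence("dev-01", file_paths={"/system/bin/sh"}),
    "disguised": PostureEvidence("dev-03", file_paths={"/system/bin/sh"},
                                 setuid_root_binaries={"/system/xbin/helper"},
                                 system_partition_writable=True, attestation_verdict="FAIL"),
    "developer": PostureEvidence("dev-04", build_tags="test-keys"),
}
```

For the "disguised" record, brittle_check returns False while layered_check returns "compromised"; the developer build lands in "review", which is where the false-positive tuning mentioned above belongs.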

Mitigation priorities

  • Inventory where Android and iOS root/jailbreak status affects access, compliance, or incident decisions.
  • Reduce dependence on brittle indicator-only checks by requiring layered mobile posture evidence where supported by existing tools.
  • Ensure mobile access policies have a response path for uncertain or conflicting device integrity signals, such as step-up review, restricted access, or IR escalation.
  • Maintain audit-ready documentation describing what mobile integrity signals are collected, how they are validated, and known limitations.
  • Periodically test mobile detection assumptions against renamed or varied indicators in an authorized lab environment, without using results as proof of complete coverage.

Analyst notes and limits

The key defensive lesson is coverage assurance: root/jailbreak detection can be materially weakened when products or processes look only for predictable artifacts. This is most relevant to organizations that use mobile device integrity as a gate for corporate access or compliance reporting. Relationship context supplies Android and iOS platforms through T1630.003; the detection strategy object itself does not specify platforms, tactics, description, or detection logic.

The official object provides no description, no detection text, no tactics, and no direct platform field. This take is therefore limited to the external reference and the relationship stating that DET0710 detects T1630.003, whose supplied description notes evasion of security checks such as renaming a 'su' binary and polymorphic techniques against signature-based detection. Local telemetry and tool capabilities are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection of Disguise Root/Jailbreak Indicators

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1630.003
Name: Disguise Root/Jailbreak Indicators (Sub-technique)
Relationship / procedure: This object detects Disguise Root/Jailbreak Indicators.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 46c02adb4fdca359...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 46c02adb4fdc…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0710 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.