Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0712: Detection of Compromise Client Software Binary

DET0712 is a mobile ATT&CK detection strategy for identifying signs that client or system software binaries have been modified. The business issue is trust...

MobileDET0712Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0712 is a mobile ATT&CK detection strategy for identifying signs that client or system software binaries have been modified. The business issue is trust: if a mobile device’s operating-system-level binaries are replaced or altered, normal-looking commands or services may execute attacker-controlled code and support persistence. Even though MITRE provides no detailed detection text for this object, its relationship to T1645 makes it relevant to mobile device integrity, incident response confidence, and compliance evidence for managed Android and iOS environments.

Executive priority

Treat this as a mobile device integrity and resilience question, not just a malware alert. Leaders should ask whether the organization can prove that managed mobile devices are running trusted system software, detect unauthorized binary changes, and make fast decisions about containment, re-enrollment, or rebuild. Priority is highest where mobile devices handle privileged business access, regulated data, operational workflows, or executive communications.

Technical view

The detection strategy has no official detection procedure or platform list, but it detects ATT&CK technique T1645, Compromise Client Software Binary, which is associated with Android and iOS. SOC, mobile security, and IR teams should validate whether they can compare critical system/client binaries against known-good baselines, identify unexpected hash/signature/permission changes, and correlate those findings with device compromise indicators such as jailbreak/root status, abnormal command execution through adb or terminal-like access, and mobile EDR or MDM compliance changes. Because routine system updates can legitimately change binaries, detection logic should be tied to approved OS versions and update windows.

Likely telemetry

  • MDM/EMM device inventory and compliance state
  • Mobile EDR or mobile threat defense integrity findings
  • Known-good binary hashes, signatures, versions, and file metadata for managed OS builds
  • Root or jailbreak detection results
  • System update and device enrollment history

Detection direction

  • Validate that mobile security tooling can distinguish approved OS or vendor updates from unauthorized binary modification.
  • Baseline critical system/client binaries by OS version, device model, and management profile before alerting on drift.
  • Correlate binary integrity changes with root/jailbreak indicators, unexpected privilege changes, or suspicious local command execution.
  • Tune for false positives caused by legitimate updates, device repairs, beta OS builds, or nonstandard managed images.
  • Confirm visibility gaps on unmanaged, personally owned, offline, or privacy-restricted devices, because lack of mobile telemetry may prevent meaningful detection.

Mitigation priorities

  • Prioritize strong mobile device management enrollment, compliance enforcement, and device attestation where available.
  • Maintain approved OS version baselines and require timely patching through managed update policies.
  • Restrict or flag rooted/jailbroken devices and devices that fail integrity checks from accessing sensitive business services.
  • Define IR playbooks for suspected binary compromise, including isolation, evidence preservation, credential risk review, and trusted re-provisioning or rebuild.
  • Use mobile access controls and identity policy to reduce business impact when device integrity cannot be verified.
Analyst notes and limits

This take is based on the DET0712 detection strategy metadata and its ATT&CK relationship to T1645, Compromise Client Software Binary. MITRE did not provide an official description or detection text for DET0712, so detection guidance is framed as validation direction rather than a prescribed analytic. Local mobile management architecture, device ownership model, OS versions, and privacy constraints will determine what telemetry is actually available.

The supplied detection strategy has no official description, no official detection content, no tactics, and no platforms of its own. Android and iOS are supported only through the related T1645 technique. No active exploitation, attribution, prevalence, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Compromise Client Software Binary

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1645 Compromise Client Software Binary This object detects Compromise Client Software Binary.
Relationship explorer

All related ATT&CK context

detects · Technique T1645: Compromise Client Software Binary Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
62cbbfabf3c54239...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 62cbbfabf3c5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0712
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use