MITRE ATT&CK® Detection Strategy

DET0713: Detection of Data from Local System


Mobile | DET0713 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0713 is a MITRE ATT&CK mobile detection strategy for identifying behavior related to Data from Local System (T1533). The business issue is not just file access: on Android and iOS, sensitive local data such as authentication tokens, keyboard cache contents, Wi‑Fi passwords, photos, or local database records can become staging material before exfiltration. Because the ATT&CK object provides no official detection logic, teams should treat this as a coverage-validation prompt rather than a ready-made analytic.

Executive priority

Prioritize this where mobile devices store or can access regulated data, identity material, executive communications, operational photos, or network credentials. Leaders should ask whether mobile security, MDM/UEM, identity, and incident response teams can prove they would see suspicious local data access, privilege escalation prerequisites, and movement of sensitive files before exfiltration. This matters for audit evidence, mobile incident triage, and resilience planning because loss of local device data can create downstream identity, privacy, and operational risk.

Technical view

SOC and detection engineering teams should validate telemetry for Android and iOS endpoints associated with T1533: access to local file systems, local databases, external storage on Android, protected OS data, photos, cached keyboard data, Wi‑Fi credential stores, and authentication token locations where visible to approved tooling. Because the detection strategy has no official detection text or platform list, detections should be built from locally available mobile EDR, MDM/UEM, OS security, application, and identity telemetry, with attention to whether escalated privileges or abnormal app permissions precede access to sensitive local sources.

Likely telemetry

  • Mobile EDR or mobile threat defense events for file, database, media, and protected storage access
  • MDM/UEM inventory, compliance, jailbreak/root, app permission, and device posture signals
  • Android external storage and application sandbox access events where available
  • iOS managed app, profile, device compliance, and security posture events where available
  • Application logs for access to local databases, cached content, tokens, photos, or sensitive files

Detection direction

  • Start by mapping which sensitive local data types exist on managed Android and iOS devices and which tools can observe access to them.
  • Tune for abnormal access patterns by app, user, device posture, time, data type, and permission level rather than raw file access alone, which can be noisy on mobile systems.
  • Correlate local data access with device compromise indicators such as root/jailbreak status, elevated privileges, risky app installation, or unusual permission changes.
  • Use relationship context to T1533: focus on local system sources and sensitive data that may be collected before exfiltration, not only network transfer events.
  • Validate blind spots created by unmanaged/BYOD devices, limited mobile OS visibility, encrypted app containers, privacy restrictions, and missing mobile EDR/MDM coverage.
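
The correlation described in the list above, as an added example that is not part of the ATT&CK object or any vendor product: sensitive local data access is scored against compromise indicators seen on the same device shortly beforehand, and devices with no posture telemetry are reported as blind spots rather than treated as clean. The event schema, signal names, weights, and time window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Hypothetical normalized schema (an assumption, not a vendor format):
# {"device", "ts" (epoch seconds), "kind", "app", "data_type" or "signal"}
SENSITIVE = {"auth_token": 3, "wifi_credentials": 3, "keyboard_cache": 2,
             "local_database": 2, "photos": 1}
INDICATORS = {"root_or_jailbreak": 3, "risky_app_install": 2,
              "permission_change": 2}
WINDOW = 3600  # lookback in seconds before the access event (assumed)

SAMPLE = [  # constructed events for three devices
    {"device": "A", "ts": 1000, "kind": "posture", "signal": "root_or_jailbreak"},
    {"device": "A", "ts": 1600, "kind": "data_access", "app": "com.example.notes", "data_type": "auth_token"},
    {"device": "B", "ts": 1000, "kind": "posture", "signal": "compliant"},
    {"device": "B", "ts": 1100, "kind": "posture", "signal": "permission_change", "app": "com.example.other"},
    {"device": "B", "ts": 1200, "kind": "data_access", "app": "com.example.gallery", "data_type": "photos"},
    {"device": "C", "ts": 1300, "kind": "data_access", "app": "com.example.mail", "data_type": "local_database"},
]


def correlate(events, threshold=5):
    """Return (alerts, blind_spots) for a list of normalized events."""
    by_device = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_device[ev["device"]].append(ev)
    alerts, blind_spots = [], set()
    for device, evs in by_device.items():
        posture = [e for e in evs if e["kind"] == "posture"]
        accesses = [e for e in evs if e["kind"] == "data_access"
                    and e.get("data_type") in SENSITIVE]
        if accesses and not posture:
            # No posture telemetry at all: a coverage gap, not a clean device.
            blind_spots.add(device)
            continue
        for acc in accesses:
            # Indicators within WINDOW before the access; a permission
            # change only counts when it concerns the accessing app.
            prior = {p["signal"] for p in posture
                     if 0 <= acc["ts"] - p["ts"] <= WINDOW
                     and p["signal"] in INDICATORS
                     and (p["signal"] != "permission_change"
                          or p.get("app") == acc["app"])}
            score = SENSITIVE[acc["data_type"]] + sum(INDICATORS[s] for s in prior)
            if prior and score >= threshold:
                alerts.append({"device": device, "app": acc["app"],
                               "data_type": acc["data_type"],
                               "indicators": sorted(prior), "score": score})
    return alerts, sorted(blind_spots)
```

Requiring at least one prior indicator keeps routine photo or database reads on a compliant device from alerting on their own, which is the noise problem raw file access creates on mobile.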

Mitigation priorities

  • Inventory managed mobile platforms, ownership models, and sensitive local data stores before defining detection coverage.
  • Enforce mobile device management, device compliance, and application control policies for devices accessing enterprise data.
  • Restrict app permissions and access to sensitive local resources according to business need.
  • Monitor and respond to root, jailbreak, risky app, and device posture failures because protected local data access may require elevated privileges.
  • Reduce local storage of sensitive tokens, credentials, photos, and regulated data where business workflows allow.

Analyst notes and limits

The supplied ATT&CK detection strategy object is sparse: it has no official description, no official detection text, no tactics, and no platforms listed on the detection strategy itself. The only substantive context is its relationship to mobile technique T1533, Data from Local System, whose related platforms are Android and iOS and whose description identifies local files, databases, authentication tokens, keyboard cache, Wi‑Fi passwords, photos, Android external storage, and possible need for escalated privileges.

This take does not assert active exploitation, actor use, business impact, or existing detection coverage. Practical detection depends heavily on the organization’s mobile management model, OS versions, enrolled tooling, privacy constraints, app architecture, and whether Android/iOS telemetry is centrally collected and retained.

Official MITRE ATT&CK definition

Detection of Data from Local System

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1533 | Data from Local System | This object detects Data from Local System. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 35a7be6e941aedb5...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 35a7be6e941a… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0713

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.