MITRE ATT&CK® Detection Strategy

DET0720: Detection of Obfuscated Files or Information

Mobile | DET0720 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0720 is a mobile ATT&CK detection strategy for identifying obfuscated files or information associated with T1406. The business issue is not the obfuscation itself, but what it can hide: payloads, archived or encrypted content, encoded file portions, or traffic that makes malicious mobile activity harder to discover and analyze. For leaders, this is a coverage-validation topic: can the organization see enough from managed mobile devices, app analysis, network paths, and incident evidence to recognize suspicious obfuscation when it matters?

Executive priority

Prioritize this as a mobile defense and incident-readiness control question. Because the related technique applies to Android and iOS, security leaders should confirm whether mobile security monitoring, app vetting, network inspection, and IR workflows can produce evidence for suspicious encrypted, encoded, compressed, or otherwise obscured content. This supports resilience, audit defensibility, and triage decisions when mobile devices or mobile applications are in scope for business operations.

Technical view

The ATT&CK object provides no official detection logic or platform list for the detection strategy itself, but it is explicitly linked to T1406: Obfuscated Files or Information in the mobile domain as the technique it detects. SOC and detection teams should treat DET0720 as a validation prompt: determine where obfuscated payloads or files could appear on Android and iOS, what telemetry exists to inspect or characterize them, and how analysts distinguish benign compression or encryption from suspicious concealment. Detection engineering should be tied to local mobile fleet controls, app assessment processes, network visibility, and incident collection procedures rather than assuming generic coverage.

Likely telemetry

  • Mobile device management or mobile security event records where available
  • Mobile application inventory and app vetting or sandbox analysis results
  • File metadata from mobile endpoints or collected forensic images, where legally and operationally available
  • Indicators of compressed, archived, encrypted, encoded, or otherwise abnormal file content
  • Network telemetry for mobile device or application traffic where inspection is permitted

Detection direction

  • Validate whether monitoring can identify suspicious use of encryption, encoding, compression, or archiving beyond normal application behavior.
  • Tune for context: many legitimate mobile applications use encryption, compression, and encoding, so detections need baselines, app reputation, source, destination, user/device context, and incident correlation.
  • Confirm whether mobile telemetry is actually collected for both Android and iOS environments in scope; the detection strategy object itself does not specify platforms, while the related technique does.
  • Assess blind spots created by unmanaged devices, limited mobile forensic access, privacy constraints, encrypted transport, and app sandboxing.
  • Use DET0720 as a coverage-mapping item against T1406 rather than as a complete analytic, because no official detection text is supplied.
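A small triage helper, added here as an example and not part of the Glexia or MITRE page, that characterizes collected file content along the lines the telemetry and detection bullets describe: recognizable container headers are labelled as a baseline, while high-entropy content with no recognizable type and long embedded base64 runs are flagged for analyst review. The entropy threshold, header list, and sample inputs are constructed assumptions, not values from the page.

```python
import base64
import gzip
import hashlib
import math
import re
from collections import Counter

# Known containers are expected to be high entropy: label them as a baseline, do not flag them.
MAGIC = {b"PK\x03\x04": "zip-based archive (apk/ipa)", b"\x1f\x8b": "gzip", b"dex\n": "dex bytecode"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long unbroken base64-alphabet runs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, roughly 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def characterize(data: bytes, entropy_threshold: float = 7.2) -> dict:
    kind = next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")
    ent = shannon_entropy(data)
    b64_runs = len(B64_RUN.findall(data))
    flags = []
    # Encrypted or packed content with no recognizable header is the interesting case;
    # a gzip or apk at high entropy is just behaving like its type (assumed threshold).
    if kind == "unknown" and ent >= entropy_threshold:
        flags.append("high_entropy_unknown_type")
    if b64_runs:
        flags.append("embedded_base64_runs")
    return {"type": kind, "entropy": round(ent, 2), "base64_runs": b64_runs, "flags": flags}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for an encrypted blob (SHA-256 chain), so results are repeatable."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_results() -> dict:
    """Constructed samples standing in for files collected from a device or app bundle."""
    text = b"app.config=1\nserver=example.invalid\n" * 100
    return {
        "plain_text": characterize(text),
        "gzip_config": characterize(gzip.compress(text)),
        "opaque_blob": characterize(pseudo_random(4096)),
        "text_with_b64": characterize(text + base64.b64encode(pseudo_random(300)) + b"\n"),
    }
```

Only the opaque blob and the text carrying an embedded base64 run are flagged; the gzip sample is high entropy but labelled by type, which is the kind of baseline the tuning bullet calls for.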

Mitigation priorities

  • Start by defining which mobile devices, apps, and network paths are in monitoring scope and what evidence can be lawfully collected.
  • Strengthen mobile app review and approval processes to identify unusual obfuscation patterns before deployment or use.
  • Ensure incident response procedures can preserve and analyze relevant mobile files, payloads, and network evidence when obfuscation is suspected.
  • Apply mobile security controls and access policies to reduce reliance on unmanaged or low-visibility devices for sensitive business functions.
  • Document detection assumptions and telemetry gaps for compliance and risk owners, especially where encryption or privacy constraints limit inspection.

Analyst notes and limits

This take is based on the official ATT&CK detection strategy metadata and its relationship to T1406. The supplied object has no official description, detection text, tactics, or platforms. The related technique provides the substantive context: adversaries may encrypt, encode, compress, archive, or otherwise obfuscate payloads or files on mobile devices or in transit to evade discovery or analysis.

Coverage and detection feasibility depend heavily on the organization’s mobile management model, privacy/legal constraints, app analysis capability, and network visibility. This summary does not assert active exploitation, attribution, impact, or guaranteed detection. Local telemetry validation is required before using DET0720 as evidence of operational coverage.

Official MITRE ATT&CK definition

Detection of Obfuscated Files or Information

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1406 | Obfuscated Files or Information | This object detects Obfuscated Files or Information.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6d82adc2c6ca759e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6d82adc2c6ca…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0720 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.