Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0918: Detection of Audio-Visual Content

This detection strategy is tied to adversary creation or manipulation of audio, image, and video content used during resource development, such as fabricat...

EnterpriseDET0918Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is tied to adversary creation or manipulation of audio, image, and video content used during resource development, such as fabricated personas, altered media, synthetic voice, or impersonation material. For leaders, the practical issue is not a single endpoint alert; it is whether the organization can recognize untrusted or manipulated media before it influences targeting, identity proofing, executive communications, recruiting, fraud response, or incident decision-making.

Executive priority

Prioritize this as a readiness and governance question where business processes depend on trusted audio-visual evidence or live interactions. Executives should ask which workflows accept voice, video, profile photos, identity documents, or media artifacts as proof, and whether SOC, fraud, identity, legal, and communications teams have evidence standards for challenging suspicious content. Because ATT&CK provides no official detection text for DET0918, budget and control decisions should be based on local exposure: identity verification, executive impersonation risk, third-party onboarding, public-facing brand abuse, and incident response escalation paths.

Technical view

DET0918 detects T1683.002, Audio-Visual Content, under resource development on the PRE platform. SOC and detection teams should treat this as a pre-compromise or pre-operational signal rather than conventional host telemetry. Validate whether existing monitoring can preserve and review suspicious media artifacts, associated accounts, submission context, sender infrastructure, timestamps, and workflow decisions. IR teams should define how to handle suspected manipulated media during investigations, including evidence retention, cross-team escalation, and corroboration with independent identity or communication channels.

Likely telemetry

  • Submitted or received audio, image, video, profile photo, or identity document artifacts where business workflows collect them
  • Metadata and audit logs from identity verification, onboarding, recruiting, customer support, fraud, or executive communication workflows
  • Account, sender, submission, and communication context associated with suspicious media
  • Case management records documenting analyst review, escalation, and disposition of suspected manipulated content
  • Threat intelligence or brand monitoring leads that reference fabricated personas or impersonation media

Detection direction

  • Map where audio-visual content is accepted as evidence or used to make trust decisions, then confirm whether those workflows generate reviewable logs and preserve artifacts.
  • Tune detection around context and process anomalies rather than assuming media analysis alone will be decisive, since the ATT&CK object provides no official detection logic.
  • Correlate suspicious media with account age, submission source, claimed identity, communication channel, and prior interactions where those data are available.
  • Account for false positives: legitimate edited media, compressed files, accessibility tools, marketing assets, and benign virtual backgrounds or altered audio/video may resemble suspicious content without malicious intent.
  • Use the relationship to T1683.002 to frame coverage as resource-development detection, not endpoint compromise detection.

Mitigation priorities

  • Identify business processes where audio, image, or video content materially affects trust, access, payments, hiring, customer support, or executive decisions.
  • Require independent verification paths for high-risk requests involving audio-visual proof, especially where impersonation could affect operations or finances.
  • Define retention, escalation, and review procedures for suspicious media artifacts so SOC, fraud, identity, legal, and IR teams can coordinate.
  • Document evidence requirements for audits and incident reviews, including what logs, artifacts, and decisions are retained.
  • Review third-party and outsourced workflows that process identity documents, profile media, or live video interactions, because coverage may depend on their logging and escalation capabilities.
Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no specified platforms or tactics. Its main decision value comes from its relationship to T1683.002 Audio-Visual Content, which describes creation or manipulation of audio, image, and video material to support targeting and malicious operations.

This take is constrained to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, attribution, specific tooling, guaranteed detection, or enterprise platform coverage. Local workflow design, media retention, logging, and identity verification processes are required to determine practical coverage.

Official MITRE ATT&CK definition

Detection of Audio-Visual Content

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1683.002 Audio-Visual Content Sub-technique This object detects Audio-Visual Content.
Relationship explorer

All related ATT&CK context

detects · Technique T1683.002: Audio-Visual Content Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3c7020de5ed9af41...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3c7020de5ed9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0918
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use