MITRE ATT&CK® Mitigation

M1059: Do Not Mitigate

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

Mobile | M1059 | Mitigation | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

M1059 is a governance warning, not a control to deploy: MITRE uses “Do Not Mitigate” where a proposed mitigation may increase compromise risk and is therefore not recommended. In the supplied relationship, this applies to the Android mobile technique “Conceal Multimedia Files,” where adversaries may hide captured pictures, videos, or screenshots from the user, including through folders containing a .nomedia file.

Executive priority

Treat this as a risk decision point for mobile security programs. Leadership should not assume every ATT&CK mitigation entry means “implement a fix.” For this behavior, the priority is to document why direct mitigation is not recommended, confirm whether Android mobile telemetry and incident response procedures can still identify concealed multimedia, and ensure compliance or audit evidence reflects a deliberate control decision rather than a coverage gap.

Technical view

SOC, mobile security, and IR teams should validate visibility around the related Android technique rather than applying an unsupported preventive mitigation. ATT&CK provides no detection text for M1059, so teams should base coverage validation on the related behavior: folders or application storage where multimedia may be hidden from normal Gallery visibility through .nomedia behavior, and cases where concealed media could represent captured files awaiting exfiltration.

Likely telemetry

  • Android device file-system or application storage metadata where available
  • Presence or changes involving .nomedia files in folders containing multimedia
  • Mobile security/MDM/EDR inventory and investigation data for installed applications and app storage access
  • User or IR reports of missing, hidden, or unexpected multimedia artifacts
  • Forensic acquisition data from Android devices during incident response

Detection direction

  • Do not measure success by whether M1059 is 'implemented'; measure whether the organization can detect or investigate the related concealment behavior on Android devices.
  • Validate whether mobile tooling can see relevant file-system artifacts, including .nomedia indicators, rather than relying on what the user can see in the Gallery application.
  • Tune triage to account for benign .nomedia use, since the relationship indicates the file can affect media scanning behavior but does not by itself prove malicious activity.
  • Use relationship context: concealed multimedia is most material when paired with evidence of captured pictures, videos, screenshots, or later exfiltration activity; those additional facts require local telemetry not provided in the ATT&CK object.
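The triage direction above can be exercised against a file listing from a forensic acquisition. The sketch below is an added example, not Glexia or MITRE code: the listing rows, the allowlist of folders known to use .nomedia benignly, and the "written after marker" heuristic are all assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

MEDIA_EXT = {".jpg", ".jpeg", ".png", ".webp", ".mp4", ".3gp"}

# Constructed (path, mtime) rows standing in for a forensic file listing.
SAMPLE_LISTING = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", 1700000000),
    ("/sdcard/Android/data/com.example.maps/cache/.nomedia", 1690000000),
    ("/sdcard/Android/data/com.example.maps/cache/tile_1.png", 1690000500),
    ("/sdcard/Download/archive/.nomedia", 1700000100),
    ("/sdcard/Download/archive/shot_1.png", 1700000200),
    ("/sdcard/Download/archive/clip_1.mp4", 1700000300),
    ("/sdcard/Music/empty/.nomedia", 1680000000),
]
# Assumption: a locally maintained list of app folders with known benign use.
SAMPLE_ALLOWLIST = ("/sdcard/Android/data/com.example.maps/",)


def triage_nomedia(listing, allowlist=()):
    """Report folders that hold both a .nomedia marker and media files."""
    folders = defaultdict(dict)
    for path, mtime in listing:
        p = PurePosixPath(path)
        folders[str(p.parent)][p.name] = mtime

    findings = []
    for folder, files in folders.items():
        marker = files.get(".nomedia")
        media = {n: t for n, t in files.items()
                 if PurePosixPath(n).suffix.lower() in MEDIA_EXT}
        if marker is None or not media:
            continue  # no marker, or a marker with nothing to hide
        known = (folder + "/").startswith(tuple(allowlist))
        findings.append({
            "folder": folder,
            "media_count": len(media),
            # Illustrative heuristic: media newer than the marker means the
            # folder kept receiving files while hidden from the Gallery.
            "written_after_marker": sum(t > marker for t in media.values()),
            "status": "allowlisted" if known else "review",
        })
    # Unexplained folders first, then by how much media they hold.
    findings.sort(key=lambda f: (f["status"] != "review", -f["media_count"]))
    return findings


if __name__ == "__main__":
    for finding in triage_nomedia(SAMPLE_LISTING, SAMPLE_ALLOWLIST):
        print(finding)
```

A "review" result is a prompt to correlate with capture or exfiltration telemetry, not a verdict, since the marker alone does not indicate malicious activity.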

Mitigation priorities

  • Record M1059 as a 'do not mitigate' decision where direct mitigation could increase risk, rather than forcing a preventive control without ATT&CK support.
  • Shift effort to detection readiness, mobile forensic procedures, and incident response playbooks for the related Android concealment behavior.
  • Confirm policy and tooling coverage for corporate or managed Android devices before making compliance claims.
  • Where visibility is limited, document the residual risk and compensating investigation process instead of asserting prevention.

Analyst notes and limits

This object is sparse by design. It is a mitigation category that says mitigation is not recommended, and its only supplied relationship is to the Android mobile technique T1628.003, Conceal Multimedia Files. The practical value is in preventing a control misstep and ensuring teams have detection and response coverage for the related behavior.

ATT&CK provides no detection text, tactics, platforms, aliases, or labels for M1059 itself. Android platform context comes only from the related technique. Local device management, logging, forensic access, and privacy constraints will determine what evidence can actually be collected.

Official MITRE ATT&CK definition

Do Not Mitigate

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Mobile | T1628.003 | Conceal Multimedia Files | Sub-technique |

Conceal Multimedia Files likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: eab50e4863987315...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.0 | | Current bundle | eab50e486398… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M1059

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.