TA0034: Impact
The adversary is trying to manipulate, interrupt, or destroy your devices and data.
The impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.
Analyst context for executives and security teams
Impact in the mobile ATT&CK domain represents adversary behavior intended to manipulate, interrupt, or destroy devices and data. For leaders, this matters because the business issue is not just compromise; it is loss of availability, user access, data integrity, or unexpected financial harm such as toll fraud. Treat this tactic as the point where a mobile security incident may become an operational, legal, customer-support, or continuity event.
Executive priority
Prioritize this tactic as an incident-readiness and resilience question: can the organization quickly determine whether mobile devices or mobile data have been disrupted, locked, destroyed, or abused for financial objectives? Security leaders should validate response playbooks, escalation paths, backup/recovery expectations, and evidence collection for mobile-impact scenarios. Because the ATT&CK object does not specify platforms or techniques here, budget and control decisions should be driven by the organization’s actual mobile estate, critical mobile workflows, and regulated data exposure.
Technical view
For SOC, detection engineering, and IR teams, this tactic should be used as a validation lens for mobile incident outcomes rather than as a single detection rule. Confirm whether telemetry can show device lockout, destructive changes to device data, abnormal service use consistent with financial abuse, and other availability or integrity failures. Since no official detection guidance or relationship context is supplied, teams should map local mobile device management, identity, application, endpoint, carrier/billing, and incident ticketing evidence to the specific impact scenarios that matter in their environment.
Likely telemetry
- Mobile device management and device compliance state changes
- Mobile security or endpoint alerts where deployed
- Authentication and account access logs tied to mobile users
- Mobile application logs for critical business apps
- Backup, restore, wipe, lock, or reset events where available
Detection direction
- Validate that monitoring can distinguish security-relevant mobile disruption from normal user activity, administrative actions, device loss, or support-driven resets.
- Tune detections around high-consequence outcomes such as device lockout, data destruction, unauthorized wipe-like behavior, or abnormal mobile service usage, using local baselines.
- Correlate mobile telemetry with identity and support records so analysts can separate account compromise, device compromise, misconfiguration, and user error.
- Identify blind spots where mobile devices are unmanaged, personal, intermittently connected, or not covered by centralized logging.
- Because MITRE provides no detection text for this tactic object, derive detection logic from mapped techniques and local mobile risk scenarios rather than relying on this tactic alone.
Mitigation priorities
- Define and test mobile-impact incident playbooks, including escalation to IT, security, legal, privacy, finance, and business owners where appropriate.
- Maintain accurate mobile asset ownership and criticality so disrupted devices can be prioritized during response.
- Ensure recovery options exist for important mobile data and business workflows, including documented restore or replacement processes.
- Review access management and administrative controls that could enable device lockout, wipe, destructive changes, or abusive service usage if misused.
- Use mobile management, security monitoring, and billing/service controls appropriate to the organization’s mobile estate, then validate that logs are retained for investigation.
Analyst notes and limits
This is a mobile ATT&CK tactic object, not a specific technique. The supplied ATT&CK fields describe adversary intent and examples such as toll fraud, destruction of device data, and locking a user out of a device for ransom, but no platforms, detections, relationships, or procedure examples were supplied. Use it to structure risk conversations and coverage validation, then pivot to specific techniques and local telemetry for actionable detections.
The source object is sparse: platforms are not specified, official detection is not provided, and no relationship context was supplied. This take therefore avoids claims about active exploitation, attribution, specific tools, guaranteed detection, or environmental exposure. Local architecture, device ownership model, logging, and mobile management coverage are required to assess actual risk and control maturity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ede06dfe173… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack TA0034
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.