MITRE ATT&CK® Detection Strategy

DET0607: Detection of Unix Shell

Mobile | DET0607 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0607 is a MITRE ATT&CK mobile detection strategy for detecting Unix shell behavior associated with technique T1623.001, Unix Shell, on Android and iOS. The business significance is that shell access can give an operator or malicious code broad command execution capability on a mobile device, especially where rooting or jailbreaking enables elevated commands. For leaders, the key question is not whether this ATT&CK object provides a finished analytic; it does not. The value is in using it as a prompt to verify whether mobile security monitoring, incident response, and device compliance processes can identify suspicious shell command and script activity where mobile devices are in scope.

Executive priority

Treat this as a mobile security readiness and compliance-evidence gap check. Because the official detection strategy has no ATT&CK-provided detection text, teams should not assume coverage from ATT&CK alone. Prioritize confirming whether managed mobile devices, high-risk users, regulated workflows, or operationally sensitive mobile use cases have enough telemetry to investigate Unix shell execution, rooted or jailbroken device conditions, and related command/script activity. This matters for incident decision-making because shell activity may indicate hands-on-device control, unauthorized automation, or misuse of elevated device capability.

Technical view

SOC, detection engineering, and IR teams should validate coverage against the related mobile technique T1623.001, Unix Shell. The related technique states that Unix shells are available on Android and iOS and can execute commands and scripts, with some commands requiring elevated privileges available on rooted or jailbroken devices. Since DET0607 does not include official detection logic, platforms, tactics, or analytic details, teams should build local validation around observed shell process or command execution evidence, script execution indicators, mobile device integrity state, and administrative or EDR/MDM logs where available. Coverage should be tested separately for Android and iOS because telemetry depth and management controls commonly differ by platform and enrollment model.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance state
  • Mobile threat defense or endpoint security alerts for Android and iOS where deployed
  • Device integrity signals, including rooted or jailbroken status where available
  • Process, command execution, or shell invocation telemetry where the mobile security stack can collect it
  • Script or sequential command execution evidence where observable

Detection direction

  • Do not treat DET0607 as a ready-to-deploy analytic; the official object provides no detection text.
  • Map detection requirements to T1623.001 behavior: Unix shell command execution, shell scripts, and commands requiring elevated privileges on rooted or jailbroken devices.
  • Validate whether Android and iOS telemetry actually exposes shell invocation or only indirect signals such as device integrity changes, security product alerts, or anomalous application behavior.
  • Tune for administrative, developer, testing, or support use cases that may legitimately generate shell-like activity, especially on test devices.
  • Use relationship context to prioritize mobile devices where shell access would materially affect business operations, regulated data, executive communications, or cyber-physical workflows.

Mitigation priorities

  • Start with asset and enrollment clarity: identify which Android and iOS devices are managed, monitored, or outside visibility.
  • Enforce mobile device compliance baselines that can flag or restrict rooted and jailbroken devices where business policy permits.
  • Ensure mobile security, MDM, or incident response tooling can provide evidence needed to investigate shell command or script activity.
  • Define escalation criteria for suspicious shell behavior, especially when paired with rooted or jailbroken status or access to sensitive business applications.
  • Use tabletop or validation exercises to confirm SOC and IR teams can collect mobile evidence quickly without relying on unsupported ATT&CK-provided detection logic.
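
As an added illustration of the detection direction and escalation criteria above (not code from MITRE or Glexia), the following Python triages a few constructed mobile security events. The event field names, the tier names and the "test-lab" enrollment group are assumptions standing in for whatever the local MDM/MTD stack actually exports; it also reports, per platform, whether the telemetry exposed shell invocation directly or only indirect signals.

```python
"""Triage constructed mobile shell-execution events against the DET0607 / T1623.001 criteria."""

# Constructed sample events; the field names are assumptions, not a real MDM/MTD schema.
SAMPLE_EVENTS = [
    {"device": "and-001", "platform": "android", "event": "shell_exec", "elevated": True,
     "integrity": "rooted", "enrollment": "corporate", "sensitive_apps": True},
    {"device": "and-042", "platform": "android", "event": "shell_exec", "elevated": False,
     "integrity": "ok", "enrollment": "test-lab", "sensitive_apps": False},
    {"device": "and-077", "platform": "android", "event": "shell_exec", "elevated": False,
     "integrity": "ok", "enrollment": "corporate", "sensitive_apps": False},
    {"device": "ios-007", "platform": "ios", "event": "integrity_change", "elevated": False,
     "integrity": "jailbroken", "enrollment": "corporate", "sensitive_apps": True},
]

SHELL_EVENTS = {"shell_exec", "script_exec"}      # direct shell/script invocation telemetry
COMPROMISED = {"rooted", "jailbroken"}            # device integrity states that enable elevated commands
TEST_ENROLLMENTS = {"test-lab"}                   # developer/test pools tuned down, not dropped


def classify(ev):
    """Return (tier, reasons) for one event; tier is None for non-shell events."""
    if ev["event"] not in SHELL_EVENTS:
        return None, []
    reasons = [ev["event"]]
    if ev["enrollment"] in TEST_ENROLLMENTS:
        return "informational", reasons + ["test enrollment"]
    if ev["integrity"] in COMPROMISED:
        reasons.append(ev["integrity"])
    if ev["elevated"]:
        reasons.append("elevated command")
    if ev["sensitive_apps"]:
        reasons.append("sensitive app access")
    # Escalate when shell activity pairs with a compromised device or sensitive business access.
    if ev["integrity"] in COMPROMISED or ev["sensitive_apps"]:
        return "escalate", reasons
    return "review", reasons


def triage(events):
    """Map device id -> (tier, reasons) for every event that produced a finding."""
    findings = {}
    for ev in events:
        tier, reasons = classify(ev)
        if tier:
            findings[ev["device"]] = (tier, reasons)
    return findings


def coverage_by_platform(events):
    """Per platform, 'direct' if shell invocation was observed, else 'indirect-only'."""
    out = {}
    for ev in events:
        out.setdefault(ev["platform"], "indirect-only")
        if ev["event"] in SHELL_EVENTS:
            out[ev["platform"]] = "direct"
    return out
```

In the constructed data the jailbroken iPhone yields no finding because only an integrity change was seen, which is exactly the "indirect signals only" condition the direction above asks teams to confirm for each platform.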

Analyst notes and limits

The ATT&CK object is a detection strategy in the mobile domain with external ID DET0607 and a relationship indicating it detects T1623.001, Unix Shell. The related technique provides the main behavioral context: adversaries may abuse Unix shell commands and scripts for execution on Android and iOS, and elevated shell commands may require rooted or jailbroken devices. Because the strategy itself lacks an official description, detection text, platforms, and tactics, this take focuses on practical validation and governance rather than specific analytics.

This assessment is constrained to the supplied STIX fields, the MITRE external reference, and the relationship to T1623.001. No active exploitation, threat actor attribution, detection efficacy, or specific telemetry availability is implied. Local mobile management model, device ownership policy, platform restrictions, privacy requirements, and security tooling determine whether meaningful detection is possible.

Official MITRE ATT&CK definition

Detection of Unix Shell

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Rows: 1

Domain | ID        | Name                      | Relationship / procedure
Mobile | T1623.001 | Unix Shell (sub-technique) | This object detects Unix Shell.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4f90b78d7a46cdba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4f90b78d7a46…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0607 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.