DET0671 Detection of Data Destruction

| Item | Value |
|---|---|
| ID | DET0671 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1662 (Data Destruction)

Analytics

Android

AN1769

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. These integrations could grant MTD agents access to running processes and their parameters, potentially allowing them to detect file deletion processes.

The user is prompted for approval when an application requests device administrator permissions. Application vetting services may detect API calls for deleting files.

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could apply extra scrutiny to applications that request device administrator permissions.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | User Interface | None |
| Command Execution (DC0064) | Command | None |
| Permissions Request (DC0116) | User Interface | None |
| API Calls (DC0112) | Application Vetting | None |
| Permissions Requests (DC0114) | Application Vetting | None |

Mutable Elements
Field Description