Skip to content

DET0676 Detection of GUI Input Capture

Item Value
ID DET0676
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1417.002 (GUI Input Capture)

Analytics

Android

AN1778

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

Log Sources
Data Component Name Channel
System Settings (DC0118) User Interface None
Permissions Requests (DC0114) Application Vetting None
Mutable Elements
Field Description

iOS

AN1779

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

Log Sources
Data Component Name Channel
System Settings (DC0118) User Interface None
Permissions Requests (DC0114) Application Vetting None
Mutable Elements
Field Description