Detection of Impair Defenses

Technique Detected: Impair Defenses | T1629

ID: DET0687
Domains: Mobile
Analytics: AN1797
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1797

Application vetting can detect many techniques associated with impairing device defenses.[1]
Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.

Log Sources
Data Component | Name | Channel
API Calls (DC0112) | Application Vetting | None
Process Termination (DC0033) | Process | None

References