| ID | Name |
|---|---|
| T1430.001 | Remote Device Management Services |
| T1430.002 | Impersonate SS7 Nodes |
An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.[1]
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device's physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. |
| M1011 | User Guidance | Users should protect their account credentials and enable multi-factor authentication options when available. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0702 | Detection of Remote Device Management Services | AN1820 | Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context. |
| DET0702 | Detection of Remote Device Management Services | AN1821 | Defender observes anomalous authentication or session activity targeting remote device management services followed by device-tracking queries, device-state requests, or remote actions inconsistent with established user-device relationships or operational patterns. |
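As an added example (not part of the ATT&CK entry or of any vendor's product), a toy implementation of the AN1820/AN1821 pattern over constructed MDM console audit events: a console login followed within a short window by a device-location request is alerted when the actor's role, the actor-device relationship, or the source address breaks a baseline. The event fields, account names, device IDs, role lists and addresses are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed MDM console audit records (not a real vendor log format).
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "actor": "it.admin", "action": "login", "src_ip": "10.0.0.5", "device": None},
    {"ts": "2024-05-01T08:01:00", "actor": "it.admin", "action": "locate_device", "src_ip": "10.0.0.5", "device": "dev-101"},
    {"ts": "2024-05-01T22:10:00", "actor": "helpdesk.tier1", "action": "login", "src_ip": "203.0.113.9", "device": None},
    {"ts": "2024-05-01T22:11:00", "actor": "helpdesk.tier1", "action": "locate_device", "src_ip": "203.0.113.9", "device": "dev-202"},
    {"ts": "2024-05-01T22:12:00", "actor": "helpdesk.tier1", "action": "locate_device", "src_ip": "203.0.113.9", "device": "dev-203"},
]

# Constructed baseline context: roles allowed to request location, devices each actor
# has historically managed, and source addresses each actor normally logs in from.
LOCATION_ROLES = {"it.admin"}
KNOWN_DEVICES = {"it.admin": {"dev-101", "dev-102"}, "helpdesk.tier1": {"dev-202"}}
KNOWN_SRC = {"it.admin": {"10.0.0.5"}, "helpdesk.tier1": {"10.0.0.7"}}
WINDOW = timedelta(minutes=15)  # login must precede the tracking request within this window


def detect(events):
    """Return one alert string per location request that follows a login within WINDOW
    and breaks at least one baseline (role, device relationship, or source address)."""
    alerts = []
    last_login = {}  # actor -> (login time, source ip)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        actor = e["actor"]
        if e["action"] == "login":
            last_login[actor] = (ts, e["src_ip"])
            continue
        if e["action"] != "locate_device":
            continue
        login = last_login.get(actor)
        if login is None or ts - login[0] > WINDOW:
            continue  # the analytic keys on authentication followed by a tracking request
        reasons = []
        if actor not in LOCATION_ROLES:
            reasons.append("role not permitted to request location")
        if e["device"] not in KNOWN_DEVICES.get(actor, set()):
            reasons.append("no established relationship with device")
        if e["src_ip"] not in KNOWN_SRC.get(actor, set()):
            reasons.append("unfamiliar source address")
        if reasons:
            alerts.append(f"{e['ts']} {actor} located {e['device']}: " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The it.admin request matches every baseline and stays silent, while both helpdesk.tier1 requests alert: the first on role and source, the second on all three conditions.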