Correlates anomalous modifications to boot-time or logon-time initialization artifacts (for example, init.rc, vendor init scripts, app_process or shell hijacks, and malicious BOOT_COMPLETED BroadcastReceivers) with subsequent unauthorized script execution after boot. From the defender’s perspective this appears as integrity or attestation failures on the system partition, unexpected writes to protected init paths, new apps registering for boot events, and privileged processes invoking scripts or binaries from non-standard locations shortly after the device boots.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | AndroidAttestation:VerifiedBoot | Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure |
| Host Status (DC0018) | AndroidAttestation:SafetyNet | SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false |
| Host Status (DC0018) | OEMAttestation:Knox | Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set |
| File Modification (DC0061) | AndroidLogs:FileSystem | Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts |
| File Metadata (DC0059) | AndroidLogs:Framework | BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps |
| Process Creation (DC0032) | AndroidLogs:Kernel | init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between boot/attestation event and suspicious script execution (for example, 0–10 minutes after BOOT_COMPLETED). |
| AuthorizedBootReceivers | Enterprise-specific allow list of packages expected to register BOOT_COMPLETED receivers. |
| ProtectedPaths | OEM- and ROM-specific list of system and vendor init script locations that should be immutable in production devices. |
| ExpectedAttestationState | Expected Verified Boot, SafetyNet, and OEM attestation states for enrolled devices. Custom ROM or dev devices may need relaxed thresholds. |
| IntegrityFailureThreshold | Number or rate of attestation failures before escalating to a high-severity incident. |
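As an added illustration of the Android correlation described above (not part of the original analytic), the following Python sketch applies the mutable elements to a constructed event stream: attestation state, BOOT_COMPLETED receiver registrations, protected-path writes, and early-boot process creation by init or zygote. The package names, paths, timestamps, field names and allow-list values are hypothetical.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# Mutable elements from the table above, filled with hypothetical enterprise values.
TIME_WINDOW = timedelta(minutes=10)
AUTHORIZED_BOOT_RECEIVERS = {"com.example.mdm"}  # hypothetical allow list
PROTECTED_PATHS = ("/system/etc/init/", "/vendor/etc/init/")
EXPECTED_ATTESTATION = {"verified_boot": "green", "cts_profile_match": True, "basic_integrity": True}
INTEGRITY_FAILURE_THRESHOLD = 1  # attestation failures in the window needed for high severity

Event = namedtuple("Event", "ts kind f")  # kind: attestation | file_mod | receiver_reg | process_create

def precursor_label(ev):
    # Classify an event as an anomalous boot-time initialization artifact; None if benign.
    if ev.kind == "attestation" and any(ev.f.get(k) != v for k, v in EXPECTED_ATTESTATION.items()):
        return "attestation_failure"
    if ev.kind == "file_mod" and ev.f["path"].startswith(PROTECTED_PATHS):
        return "protected_init_write"
    if (ev.kind == "receiver_reg" and ev.f["action"] == "android.intent.action.BOOT_COMPLETED"
            and ev.f["package"] not in AUTHORIZED_BOOT_RECEIVERS):
        return "unauthorized_boot_receiver"
    return None

def suspicious_exec(ev):
    # init or zygote launching something from writable data or sdcard locations.
    return (ev.kind == "process_create" and ev.f["parent"] in ("init", "zygote")
            and ev.f["path"].startswith(("/data/", "/sdcard/")))

def correlate(events):
    # Pair each suspicious execution with precursors seen within TIME_WINDOW before it.
    precursors, alerts = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        label = precursor_label(ev)
        if label:
            precursors.append((ev.ts, label))
        elif suspicious_exec(ev):
            related = [lab for ts, lab in precursors if timedelta(0) <= ev.ts - ts <= TIME_WINDOW]
            if related:  # execution with no precursor in the window is left to other analytics
                sev = "high" if related.count("attestation_failure") >= INTEGRITY_FAILURE_THRESHOLD else "medium"
                alerts.append({"ts": ev.ts, "exec": ev.f["path"], "precursors": related, "severity": sev})
    return alerts

T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real device logs
    Event(T0, "attestation", {"verified_boot": "orange", "cts_profile_match": False, "basic_integrity": True}),
    Event(T0 + timedelta(seconds=20), "receiver_reg", {"action": "android.intent.action.BOOT_COMPLETED", "package": "com.example.unknown"}),
    Event(T0 + timedelta(seconds=30), "receiver_reg", {"action": "android.intent.action.BOOT_COMPLETED", "package": "com.example.mdm"}),
    Event(T0 + timedelta(minutes=2), "process_create", {"parent": "init", "path": "/data/local/tmp/run.sh"}),
    Event(T0 + timedelta(minutes=30), "process_create", {"parent": "zygote", "path": "/sdcard/late.sh"}),  # outside window
]
```

Running `correlate(SAMPLE_EVENTS)` yields one high-severity alert for the init-launched script at T0+2 min; the execution at T0+30 min falls outside TimeWindow and produces nothing.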
Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender’s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | iOS:unifiedlog | Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents |
| Process Creation (DC0032) | iOS:unifiedlog | launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock |
| Application Assets (DC0119) | iOS:unifiedlog | Application gaining or using unexpected background execution entitlements or modes |

| Field | Description |
|---|---|
| JailbreakIndicators | List of filesystem paths or process names that identify intentionally jailbroken lab devices and should be handled differently. |
| LaunchdWhitelist | Organization-specific list of allowed launchd job labels and binary paths. |
| AllowedBackgroundModes | Per-app allow list for background execution modes (for example, VOIP, location) to reduce noise. |
| BootUnlockWindow | Time window after boot or unlock within which unexpected launchd auto-starts are considered high risk. |