1. Home
  2. Detection Strategies
  3. Detection of Boot or Logon Initialization Scripts

Detection of Boot or Logon Initialization Scripts

Technique Detected:  Boot or Logon Initialization Scripts | T1398

ID: DET0654
Domains: Mobile
Analytics: AN1739, AN1740
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1739

On Android, Verified Boot can detect unauthorized modifications to the system partition.[1] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources
Data Component Name Channel
Host Status (DC0018) Sensor Health None

AN1740

On Android, Verified Boot can detect unauthorized modifications to the system partition.[1] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources
Data Component Name Channel
Host Status (DC0018) Sensor Health None

References

  1. Android. (n.d.). Verified Boot. Retrieved December 21, 2016.