The defender correlates an app's use of a shell or command-execution method with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from the background state, without recent user interaction, or immediately after payload retrieval or local staging. The analytic prioritizes Android-observable control-plane effects: use of Java Runtime or a similar command-execution method, creation of a shell or sh-like process, visibility of command parameters where available, and the immediate file or network effects produced by the interpreter.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | MobileEDR:telemetry | Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation |
| Command Execution (DC0064) | MobileEDR:telemetry | Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between command-launch method use, process creation, and follow-on file or network effects |
| AllowedAppList | Apps legitimately expected to run shell-like or administrative commands, such as enterprise support tools, terminal apps, approved EMM agents, or developer tooling |
| AllowedProcessPatterns | Expected command interpreters, process names, or parent-child execution chains for approved apps |
| ForegroundStateRequired | Whether command execution should occur only during active user-driven workflows |
| CommandArgumentRiskPatterns | Environment-specific list of suspicious command arguments, redirection usage, chaining operators, or shell-control syntax |
| PostExecutionWriteThreshold | Minimum number or size of file artifacts created after interpreter execution to increase confidence |
| UplinkBytesThreshold | Minimum outbound volume after command execution to treat network behavior as meaningful |

The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned-process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside the expected user context. Because direct visibility of shell processes is often weaker on iOS in enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and on post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | MobileEDR:telemetry | Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor |
| Command Execution (DC0064) | MobileEDR:telemetry | Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between command-execution indication, process effects, and follow-on file or network behavior |
| AllowedAppList | Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks |
| AllowedProcessPatterns | Expected process-launch or helper-execution patterns for approved managed apps |
| ForegroundStateRequired | Whether command-execution behavior should occur only during active user-driven workflows |
| ArtifactPathPatterns | Expected temporary or output file locations for approved app behavior |
| UplinkBytesThreshold | Minimum outbound volume after command execution to treat network behavior as meaningful |
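The correlation both analytics describe (command-execution method use, then process creation under the same app, then follow-on file or network effects inside a time window, scored against the mutable elements) carried through over constructed telemetry. This is an added example, not code from the original page or from any sensor vendor; the Event schema, the tunable values, the regex patterns and the sample records are assumptions chosen to exercise each field in the tables above.

```python
import re
from dataclasses import dataclass
@dataclass
class Event:                 # one MobileEDR-style telemetry record (constructed schema)
    ts: float                # seconds since capture start
    app: str                 # package or bundle id of the originating app
    kind: str                # exec_api | process_create | file_write | net_uplink
    foreground: bool = True  # app lifecycle state when the event was observed
    args: str = ""           # command line, for process_create events
    size: int = 0            # bytes, for file_write / net_uplink events
# Tunables mirroring the page's mutable elements; all values are constructed examples
TIME_WINDOW = 10.0                                 # seconds
ALLOWED_APP_LIST = {"com.example.terminal"}
ALLOWED_PROCESS_PATTERNS = [r"^/system/bin/logcat\b"]
FOREGROUND_STATE_REQUIRED = True
COMMAND_ARGUMENT_RISK_PATTERNS = [r"[;&|]", r">\s*\S", r"\$\("]  # chaining, redirection, substitution
POST_EXECUTION_WRITE_THRESHOLD = 1                 # file artifacts after the interpreter ran
UPLINK_BYTES_THRESHOLD = 1024                      # outbound bytes after the interpreter ran

def correlate(events):  # -> [(app, score, reasons)] per exec_api use followed by process creation
    findings = []
    for app in {e.app for e in events} - ALLOWED_APP_LIST:
        evs = sorted((e for e in events if e.app == app), key=lambda e: e.ts)
        for i, e in ((i, x) for i, x in enumerate(evs) if x.kind == "exec_api"):
            window = [x for x in evs[i + 1:] if x.ts - e.ts <= TIME_WINDOW]
            procs = [x for x in window if x.kind == "process_create"
                     and not any(re.search(p, x.args) for p in ALLOWED_PROCESS_PATTERNS)]
            if not procs:
                continue                                # API use alone is not a finding
            reasons = ["exec_api_then_process_create"]
            if FOREGROUND_STATE_REQUIRED and not e.foreground:
                reasons.append("background_execution")
            if any(re.search(p, x.args) for x in procs for p in COMMAND_ARGUMENT_RISK_PATTERNS):
                reasons.append("risky_arguments")
            after = [x for x in window if x.ts >= procs[0].ts]  # follow-on effects only
            if sum(x.kind == "file_write" for x in after) >= POST_EXECUTION_WRITE_THRESHOLD:
                reasons.append("post_execution_writes")
            if sum(x.size for x in after if x.kind == "net_uplink") >= UPLINK_BYTES_THRESHOLD:
                reasons.append("uplink_after_execution")
            findings.append((app, len(reasons), reasons))
    return findings

SAMPLE = [  # constructed telemetry: an allow-listed terminal app, then a suspicious background app
    Event(0.0, "com.example.terminal", "exec_api"),
    Event(0.3, "com.example.terminal", "process_create", args="/system/bin/sh -c ls"),
    Event(20.0, "com.example.app", "exec_api", foreground=False),
    Event(20.4, "com.example.app", "process_create", False, "/system/bin/sh -c 'id; uname -a > env.txt'"),
    Event(20.6, "com.example.app", "file_write", False, size=512),
    Event(21.0, "com.example.app", "net_uplink", False, size=4096),
]
```

Running `correlate(SAMPLE)` yields one finding for `com.example.app` with all five reasons set, while the allow-listed terminal app produces nothing; the score is simply the number of satisfied conditions, so TimeWindow, AllowedProcessPatterns or the thresholds can be tuned per environment without changing the chain itself.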