Defender observes an app/package attempting to enumerate running processes by triggering restricted process visibility mechanisms (e.g., repeated queries for running tasks/services, rapid iteration over process identifiers, or access attempts against /proc entries) that are atypical for its declared function and occur without an associated user-facing diagnostic workflow. The detection relies on correlating (1) OS/API calls or shell/system utility execution indicative of process listing or /proc traversal, (2) app privilege context (root, debug build, device owner/profile owner, accessibility/IME status), (3) background execution state, and (4) optional follow-on behaviors consistent with automated discovery (short bursts of local IPC probes, network beacons immediately after enumeration, or rapid targeting of specific high-value package/process names). The analytic should describe what is observable: repeated enumeration signals + privilege context + timing relationship, not the adversary’s intent.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection) |
| Process Creation (DC0032) | android:logcat | unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID |
| File Access (DC0055) | auditd:SYSCALL | attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window for enumeration → follow-on activity (e.g., 60–600s). |
| MinEnumerationSignals | Minimum count of process enumeration indicators to alert (tune by OS build and telemetry quality). |
| ProcTraversalThreshold | How many distinct /proc paths opened within the window counts as enumeration (e.g., ≥50). |
| BackgroundOnly | If true, require background state to reduce legitimate in-app diagnostics noise. |
| AllowlistedPackages | Legitimate security/diagnostic/MDM agents expected to inspect processes. |
| HighValueProcessNames | Process/package names of interest (e.g., security agents, banking apps) used only as enrichment, not a signature. |
| NetworkProbePorts | Ports considered a ‘probe/beacon’ after enumeration (53/80/443/etc.). |
| PrivilegeEscalationGate | If true, increase severity when enumeration co-occurs with root/debuggable/jailbreak-like posture. |
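An added worked example, not part of this page or of any ATT&CK tooling, showing how the Android analytic's tunables (TimeWindowSeconds, MinEnumerationSignals, ProcTraversalThreshold, BackgroundOnly, AllowlistedPackages, NetworkProbePorts, PrivilegeEscalationGate) combine into a per-UID correlation. The event schema, package names and UIDs are constructed placeholders; real telemetry would be normalised from logcat and auditd into this shape first.

```python
from collections import defaultdict

# Tunables mirroring the analytic's fields (constructed example settings, not product defaults).
TIME_WINDOW_SECONDS = 300
MIN_ENUMERATION_SIGNALS = 3
PROC_TRAVERSAL_THRESHOLD = 50
BACKGROUND_ONLY = True
ALLOWLISTED_PACKAGES = {"com.example.mdm.agent"}   # placeholder MDM/diagnostic agent
NETWORK_PROBE_PORTS = {53, 80, 443}
ENUM_APIS = {"getRunningAppProcesses", "getRunningServices", "getRunningTasks"}
ENUM_UTILS = {"ps", "toybox", "toolbox"}

def make_events(uid, pkg, background, start, proc_paths=60):
    """Constructed sample telemetry for one UID: API query, ps exec, /proc sweep, then a beacon."""
    ev = [{"ts": start, "uid": uid, "pkg": pkg, "bg": background, "kind": "api", "name": "getRunningAppProcesses"},
          {"ts": start + 1, "uid": uid, "pkg": pkg, "bg": background, "kind": "exec", "name": "ps"}]
    ev += [{"ts": start + 2, "uid": uid, "pkg": pkg, "bg": background, "kind": "proc_open",
            "path": f"/proc/{pid}/cmdline"} for pid in range(1, proc_paths + 1)]
    ev.append({"ts": start + 5, "uid": uid, "pkg": pkg, "bg": background, "kind": "net", "port": 443})
    return ev

def evaluate(events, privileged_uids=frozenset()):
    """Correlate enumeration signals per UID inside the window and return observable-based alerts."""
    by_uid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_uid[e["uid"]].append(e)
    alerts = []
    for uid, evs in by_uid.items():
        pkg = evs[0]["pkg"]
        if pkg in ALLOWLISTED_PACKAGES:          # AllowlistedPackages: expected process inspectors
            continue
        if BACKGROUND_ONLY:                      # BackgroundOnly: drop in-app diagnostic noise
            evs = [e for e in evs if e["bg"]]
        enum = [e for e in evs if e["kind"] in ("api", "exec", "proc_open")]
        if not enum:
            continue
        t0 = enum[0]["ts"]                       # window anchored at first enumeration signal
        window = [e for e in evs if 0 <= e["ts"] - t0 <= TIME_WINDOW_SECONDS]
        signals = sum(1 for e in window if (e["kind"] == "api" and e["name"] in ENUM_APIS)
                      or (e["kind"] == "exec" and e["name"] in ENUM_UTILS))
        proc_paths = {e["path"] for e in window if e["kind"] == "proc_open"}
        if len(proc_paths) >= PROC_TRAVERSAL_THRESHOLD:   # ProcTraversalThreshold counts as one signal
            signals += 1
        if signals < MIN_ENUMERATION_SIGNALS:
            continue
        beacon = any(e["kind"] == "net" and e["port"] in NETWORK_PROBE_PORTS for e in window)
        # PrivilegeEscalationGate: privileged posture raises severity; a follow-on beacon raises it from low.
        severity = "high" if uid in privileged_uids else ("medium" if beacon else "low")
        alerts.append({"uid": uid, "pkg": pkg, "signals": signals,
                       "proc_paths": len(proc_paths), "beacon": beacon, "severity": severity})
    return alerts
```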

Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | MDM:DeviceIntegrity | jailbreak/root compromise indicators or integrity attestation failures enabling process visibility |
| Application Log Content (DC0038) | iOS:unifiedlog | repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts |
| Application Log Content (DC0038) | iOS:unifiedlog | security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility) |

| Field | Description |
|---|---|
| IntegritySignalRequired | If true, alert only when integrity/jailbreak posture indicates process discovery is feasible. |
| MinSandboxDenials | Threshold for sandbox denials within a window to treat as sustained restricted-access attempts. |
| TimeWindowSeconds | Correlation window between integrity signals and sandbox/network events (e.g., 1–24 hours). |
| AllowlistedBundles | Enterprise monitoring/networking apps that may generate benign sandbox noise. |