Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.

System Partition Integrity

Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.

ID: M1004

Version: 1.0

Created: 25 October 2017

Last Modified: 17 October 2018

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Mobile	T1398		Boot or Logon Initialization Scripts	Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.
Mobile	T1645		Compromise Client Software Binary	Android includes system partition integrity mechanisms that could detect unauthorized modifications.
Mobile	T1625		Hijack Execution Flow	Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.^[1]
		.001	System Runtime API Hijacking	Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.^[1]
Mobile	T1629		Impair Defenses	System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
		.003	Disable or Modify Tools	System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.
Mobile	T1474	.003	Supply Chain Compromise: Compromise Software Supply Chain	Ensure Verified Boot is enabled on devices with that capability.

References

Android. (n.d.). Verified Boot. Retrieved December 21, 2016.