A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.
Domain | ID | Name | Use | |
---|---|---|---|---|
Mobile | T1623 | Command and Scripting Interpreter |
Mobile security products can typically detect jailbroken or rooted devices. |
|
.001 | Unix Shell |
Mobile security products can typically detect jailbroken or rooted devices. |
||
Mobile | T1634 | Credentials from Password Store |
Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. |
|
.001 | Keychain |
Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. |
||
Mobile | T1404 | Exploitation for Privilege Escalation |
Mobile security products can potentially detect jailbroken or rooted devices. |
|
Mobile | T1628 | .002 | Hide Artifacts: User Evasion |
Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used. |
Mobile | T1617 | Hooking |
Mobile security products can often detect rooted devices. |
|
Mobile | T1629 | Impair Defenses |
Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |
|
.003 | Disable or Modify Tools |
Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |