Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.
ID | Name | Description |
---|---|---|
S1095 | AhRat | AhRat can register with the |
S1079 | BOULDSPY | BOULDSPY can exfiltrate data when the user boots the app, or on device boot.[2] |
S0285 | OldBoot | OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.[3] |
ID | Mitigation | Description |
---|---|---|
M1002 | Attestation | Device attestation could detect devices with unauthorized or unsafe modifications. |
M1003 | Lock Bootloader | A locked bootloader could prevent unauthorized modifications to protected operating system files. |
M1001 | Security Updates | Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. |
M1004 | System Partition Integrity | Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0013 | Sensor Health | Host Status | On Android, Verified Boot can detect unauthorized modifications to the system partition.[4] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. |
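As an added illustration of the remote-attestation detection described above (not part of the original page), the following server-side check evaluates the decoded payload of a SafetyNet attestation verdict. It assumes the JWS signature and certificate chain have already been verified by the caller, and the sample payload, nonce, and package name are constructed for the example.

```python
import base64

# Constructed sample: the decoded JSON payload of a SafetyNet attestation JWS.
# Field names are the documented SafetyNet attestation response fields; the
# values here are invented for the example.
SAMPLE_PAYLOAD = {
    "nonce": base64.b64encode(b"server-issued-nonce-0001").decode(),
    "timestampMs": 1_700_000_000_000,
    "apkPackageName": "com.example.bankapp",   # constructed package name
    "ctsProfileMatch": False,                  # device profile not CTS-certified
    "basicIntegrity": True,                    # no root/tamper/emulator detected
    "evaluationType": "BASIC",
}


def evaluate_attestation(payload, expected_nonce, expected_package, now_ms,
                         max_age_ms=600_000):
    """Return (verdict, reasons); verdict is 'trusted', 'suspect' or 'reject'.

    Assumes the JWS signature chain (attest.android.com) was already verified.
    """
    reasons = []
    # Freshness: a stale or future timestamp points to a replayed verdict.
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > max_age_ms:
        reasons.append("stale or future timestamp")
    # Binding: the nonce must be the one this server issued for this session.
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        reasons.append("nonce mismatch")
    # Binding: the verdict must be about our app, not another package.
    if payload.get("apkPackageName") != expected_package:
        reasons.append("unexpected package name")
    if reasons:
        return "reject", reasons
    # basicIntegrity false: rooted, tampered or emulated device.
    if not payload.get("basicIntegrity", False):
        return "reject", ["basicIntegrity failed: device tampered, rooted or emulated"]
    # ctsProfileMatch false with basicIntegrity true: unlocked bootloader,
    # custom ROM or uncertified device; worth flagging for follow-up.
    if not payload.get("ctsProfileMatch", False):
        return "suspect", ["ctsProfileMatch failed: unlocked bootloader, custom ROM or uncertified device"]
    return "trusted", []
```

The same freshness, nonce and package checks apply to Play Integrity verdicts, which replaced the SafetyNet Attestation API.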