Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

ID: T1398
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android, iOS
MTC ID: APP-26, APP-27
Version: 2.1
Created: 25 October 2017
Last Modified: 16 March 2023

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can register with the BOOT_COMPLETED broadcast to start when the device turns on.[1]


BOULDSPY can exfiltrate data when the user boots the app, or on device boot.[2]

S0285 OldBoot

OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.[3]


ID Mitigation Description
M1002 Attestation

Device attestation could detect devices with unauthorized or unsafe modifications.

M1003 Lock Bootloader

A locked bootloader could prevent unauthorized modifications to protected operating system files.

M1001 Security Updates

Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.

M1004 System Partition Integrity

Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.


ID Data Source Data Component Detects
DS0013 Sensor Health Host Status

On Android, Verified Boot can detect unauthorized modifications to the system partition.[4] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.