Process Discovery

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.[1]

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.

ID: T1424
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
Version: 2.1
Created: 25 October 2017
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith checks if a targeted application is running in user-space prior to infection.[2]

S0422 Anubis

Anubis can collect a list of running processes.[3]

S0421 GolfSpy

GolfSpy can obtain a list of running processes.[4]

S0544 HenBox

HenBox can obtain a list of running processes.[5]

S0411 Rotexy

Rotexy collects information about running processes.[6]

S1055 SharkBot

SharkBot can use Accessibility Services to detect which process is in the foreground.[7]

S0489 WolfRAT

WolfRAT uses dumpsys to determine if certain applications are running.[8]

S0311 YiSpecter

YiSpecter has collected information about running processes.[9]

Mitigations

ID Mitigation Description
M1002 Attestation

Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check.

M1006 Use Recent OS Version

Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges.

Detection

ID | Data Source | Data Component | Detects
DS0041 | Application Vetting | API Calls

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.
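As an added illustration of the vetting check described above (not part of the original page or any vetting product), the heuristic below scans decompiled app source lines for the legacy process-discovery mechanisms this technique names (ps, /proc, dumpsys, sysctl) and tags each hit with T1424. The two extra patterns for ActivityManager queries and Accessibility window events, and the sample lines themselves, are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Heuristic patterns for process-discovery mechanisms. The first four are the
# legacy mechanisms the technique page names (ps, /proc, dumpsys, sysctl); the
# last two are assumed extra patterns a vetting pipeline would also flag
# (ActivityManager process queries and Accessibility foreground-window events).
INDICATORS: Dict[str, re.Pattern] = {
    "ps_exec":       re.compile(r'\b(?:exec|ProcessBuilder)\s*\(.*?["\'](?:/system/bin/)?ps\b'),
    "proc_fs":       re.compile(r'["\']/proc(?:/|["\'])'),
    "dumpsys":       re.compile(r'\bdumpsys\b'),
    "sysctl":        re.compile(r'\bsysctl\w*\s*\(|\bKERN_PROC\b'),
    "activity_mgr":  re.compile(r'\bgetRunning(?:AppProcesses|Tasks)\s*\('),
    "accessibility": re.compile(r'\bTYPE_WINDOW_STATE_CHANGED\b'),
}

Finding = Tuple[int, str, str]  # (line number, indicator category, stripped source line)

def scan(lines: List[str]) -> List[Finding]:
    """Return every line that matches a process-discovery indicator."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((no, category, line.strip()))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator category for a vetting report."""
    counts: Dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample of decompiled lines; not taken from any real app.
SAMPLE = [
    'Process p = Runtime.getRuntime().exec("ps");',
    'File[] pids = new File("/proc").listFiles();',
    'String out = run("dumpsys activity activities");',
    'int rc = sysctl(mib, 4, buf, &len, NULL, 0);   // iOS: KERN_PROC query',
    'List<RunningAppProcessInfo> procs = am.getRunningAppProcesses();',
    'if (event.getEventType() == AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED) {',
    'Log.d(TAG, "benign line, no process discovery here");',
]

if __name__ == "__main__":
    for no, cat, text in scan(SAMPLE):
        print(f"line {no:>3}  T1424/{cat:<14} {text}")
    print(summarize(scan(SAMPLE)))
```

A hit is a signal for reviewer attention, not proof of malice: on Android 7 and later the ps and /proc paths return little without elevated privileges, so their presence alongside root-detection or root-abuse code is the stronger indicator.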

References