Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, an application cannot obtain the full process list without abusing elevated privileges, because Android mounts `/proc` with the `hidepid` option, so that each process can only see its own entries. Prior to Android 7, applications could run the `ps` command or enumerate the `/proc` directory on the device.
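The following added shell example (not part of the ATT&CK page) shows both halves of the Android paragraph above: the legacy `/proc` enumeration that an unprivileged app could perform before Android 7, and a check of the proc mount options that tells you whether `hidepid` is in force on a device. The sample mount line in the comments is constructed; the function names are this example's own.

```bash
#!/bin/sh
# Added example: legacy Process Discovery via /proc, plus a check for the
# hidepid mount option that Android 7+ uses to restrict it. Android mounts
# proc with "hidepid=2,gid=3009" so that only the caller's own processes (and
# processes visible to members of AID_READPROC, gid 3009) are enumerable.

# Enumerate PIDs and command lines under a proc mount point (default /proc).
# Under hidepid=2 an unprivileged app sees only its own PIDs here; older
# Android builds expose every process on the device.
list_procs() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue        # no match, or hidden by hidepid
        pid="${d##*/}"
        # cmdline is NUL-separated; turn NULs into spaces for display
        cmd="$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)"
        printf '%s %s\n' "$pid" "${cmd:-[kernel thread]}"
    done
}

# Read a mount table in /proc/mounts format from stdin and print the hidepid
# value of the proc filesystem: "0" when proc is mounted without hidepid
# (pre-Android 7 behaviour), the configured value ("2" on Android 7+) otherwise,
# or "noproc" if no proc filesystem is listed at all.
# Constructed sample line, as it appears on an Android 7+ device:
#   proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=3009 0 0
hidepid_mode() {
    awk '
    $3 == "proc" && !found {
        found = 1; mode = "0"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); mode = opts[i] }
        print mode
    }
    END { if (!found) print "noproc" }'
}

# Usage on a device shell (adb shell or a terminal app):
#   hidepid_mode < /proc/mounts    # "2" on Android 7+, "0" on older builds
#   list_procs                     # only your own PIDs when hidepid is set
case "${1:-}" in
    --demo)
        printf 'hidepid mode: %s\n' "$(hidepid_mode < /proc/mounts)"
        list_procs
        ;;
esac
```

Run with `--demo` on a device to see how much of the process table is exposed to the current UID. A vetting or red-team check can reuse `hidepid_mode` against a captured `/proc/mounts` to decide whether the legacy mechanism would still work on a given build.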
In iOS, applications were previously able to call the `sysctl` API to obtain a list of running processes. This functionality has been removed in later iOS versions.
Agent Smith checks if a targeted application is running in user-space prior to infection.
SharkBot can use Accessibility Services to detect which process is in the foreground.
YiSpecter has collected information about running processes.
|ID|Mitigation|Description|
|---|---|---|
| |Attestation|Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check.|
|M1006|Use Recent OS Version|Android 7 and later, and later versions of iOS, introduced changes that prevent applications from performing Process Discovery without elevated privileges.|
|ID|Data Source|Data Component|
|---|---|---|
|DS0041|Application Vetting|API Calls|
Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the