<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Techniques - Mobile | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> 
<a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" 
class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/mobile/">Techniques</a></li> <li class="breadcrumb-item">Mobile</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="overflow-x-auto"> <div class="row"> <div class="col-md-10"> <h1> Mobile Techniques </h1> <p> Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. 
</p> </div> <div class="col-md-2 div-count"> <div class="row table-object-count pr-3"> <h6>Techniques: 73</h6> </div> <div class="row table-object-count pr-3"> <h6>Sub-techniques: 46</h6> </div> </div> </div> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1626"> T1626 </a> </td> <td> <a href="/techniques/T1626"> Abuse Elevation Control Mechanism </a> </td> <td> Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1626/001"> .001 </a> </td> <td> <a href="/techniques/T1626/001"> Device Administrator Permissions </a> </td> <td> Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for <a href="/techniques/T1642">Endpoint Denial of Service</a>, factory resetting the device for <a href="/techniques/T1630/002">File Deletion</a> and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1517"> T1517 </a> </td> <td> <a href="/techniques/T1517"> Access Notifications </a> </td> <td> Adversaries may collect data within notifications sent by the operating system or other applications. 
Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1640"> T1640 </a> </td> <td> <a href="/techniques/T1640"> Account Access Removal </a> </td> <td> Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1638"> T1638 </a> </td> <td> <a href="/techniques/T1638"> Adversary-in-the-Middle </a> </td> <td> Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as <a href="/techniques/T1565/002">Transmitted Data Manipulation</a> or <a href="/techniques/T1642">Endpoint Denial of Service</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1437"> T1437 </a> </td> <td> <a href="/techniques/T1437"> Application Layer Protocol </a> </td> <td> Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1437/001"> .001 </a> </td> <td> <a href="/techniques/T1437/001"> Web Protocols </a> </td> <td> Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1661"> T1661 </a> </td> <td> <a href="/techniques/T1661"> Application Versioning </a> </td> <td> An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1532"> T1532 </a> </td> <td> <a href="/techniques/T1532"> Archive Collected Data </a> </td> <td> Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1429"> T1429 </a> </td> <td> <a href="/techniques/T1429"> Audio Capture </a> </td> <td> Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. 
Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1398"> T1398 </a> </td> <td> <a href="/techniques/T1398"> Boot or Logon Initialization Scripts </a> </td> <td> Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1616"> T1616 </a> </td> <td> <a href="/techniques/T1616"> Call Control </a> </td> <td> Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1414"> T1414 </a> </td> <td> <a href="/techniques/T1414"> Clipboard Data </a> </td> <td> Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1623"> T1623 </a> </td> <td> <a href="/techniques/T1623"> Command and Scripting Interpreter </a> </td> <td> Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. 
Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic <a href="/techniques/T1623/001">Unix Shell</a> that can be accessed via the Android Debug Bridge (ADB) or Java’s <code>Runtime</code> package. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1623/001"> .001 </a> </td> <td> <a href="/techniques/T1623/001"> Unix Shell </a> </td> <td> Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1577"> T1577 </a> </td> <td> <a href="/techniques/T1577"> Compromise Application Executable </a> </td> <td> Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1645"> T1645 </a> </td> <td> <a href="/techniques/T1645"> Compromise Client Software Binary </a> </td> <td> Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1634"> T1634 </a> </td> <td> <a href="/techniques/T1634"> Credentials from Password Store </a> </td> <td> Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. 
There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1634/001"> .001 </a> </td> <td> <a href="/techniques/T1634/001"> Keychain </a> </td> <td> Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1662"> T1662 </a> </td> <td> <a href="/techniques/T1662"> Data Destruction </a> </td> <td> Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1471"> T1471 </a> </td> <td> <a href="/techniques/T1471"> Data Encrypted for Impact </a> </td> <td> An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1533"> T1533 </a> </td> <td> <a href="/techniques/T1533"> Data from Local System </a> </td> <td> Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1641"> T1641 </a> </td> <td> <a href="/techniques/T1641"> Data Manipulation </a> </td> <td> Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1641/001"> .001 </a> </td> <td> <a href="/techniques/T1641/001"> Transmitted Data Manipulation </a> </td> <td> Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1407"> T1407 </a> </td> <td> <a href="/techniques/T1407"> Download New Code at Runtime </a> </td> <td> Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with <a href="/techniques/T1627">Execution Guardrails</a> techniques, detecting malicious code downloaded after installation could be difficult. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1456"> T1456 </a> </td> <td> <a href="/techniques/T1456"> Drive-By Compromise </a> </td> <td> Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. 
With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an <a href="/techniques/T1550/001">Application Access Token</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1637"> T1637 </a> </td> <td> <a href="/techniques/T1637"> Dynamic Resolution </a> </td> <td> Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1637/001"> .001 </a> </td> <td> <a href="/techniques/T1637/001"> Domain Generation Algorithms </a> </td> <td> Adversaries may use <a href="/techniques/T1637/001">Domain Generation Algorithms</a> (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1521"> T1521 </a> </td> <td> <a href="/techniques/T1521"> Encrypted Channel </a> </td> <td> Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1521/001"> .001 </a> </td> <td> <a href="/techniques/T1521/001"> Symmetric Cryptography </a> </td> <td> Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1521/002"> .002 </a> </td> <td> <a href="/techniques/T1521/002"> Asymmetric Cryptography </a> </td> <td> Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1521/003"> .003 </a> </td> <td> <a href="/techniques/T1521/003"> SSL Pinning </a> </td> <td> Adversaries may use <a href="/techniques/T1521/003">SSL Pinning</a> to protect the C2 traffic from being intercepted and analyzed. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1642"> T1642 </a> </td> <td> <a href="/techniques/T1642"> Endpoint Denial of Service </a> </td> <td> Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1624"> T1624 </a> </td> <td> <a href="/techniques/T1624"> Event Triggered Execution </a> </td> <td> Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1624/001"> .001 </a> </td> <td> <a href="/techniques/T1624/001"> Broadcast Receivers </a> </td> <td> Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1627"> T1627 </a> </td> <td> <a href="/techniques/T1627"> Execution Guardrails </a> </td> <td> Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1627/001"> .001 </a> </td> <td> <a href="/techniques/T1627/001"> Geofencing </a> </td> <td> Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1639"> T1639 </a> </td> <td> <a href="/techniques/T1639"> Exfiltration Over Alternative Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1639/001"> .001 </a> </td> <td> <a href="/techniques/T1639/001"> Exfiltration Over Unencrypted Non-C2 Protocol </a> </td> <td> Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1646"> T1646 </a> </td> <td> <a href="/techniques/T1646"> Exfiltration Over C2 Channel </a> </td> <td> Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1658"> T1658 </a> </td> <td> <a href="/techniques/T1658"> Exploitation for Client Execution </a> </td> <td> Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. 
Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1664"> T1664 </a> </td> <td> <a href="/techniques/T1664"> Exploitation for Initial Access </a> </td> <td> Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1404"> T1404 </a> </td> <td> <a href="/techniques/T1404"> Exploitation for Privilege Escalation </a> </td> <td> Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1428"> T1428 </a> </td> <td> <a href="/techniques/T1428"> Exploitation of Remote Services </a> </td> <td> Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 
A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1420"> T1420 </a> </td> <td> <a href="/techniques/T1420"> File and Directory Discovery </a> </td> <td> Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from <a href="/techniques/T1420">File and Directory Discovery</a> during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1541"> T1541 </a> </td> <td> <a href="/techniques/T1541"> Foreground Persistence </a> </td> <td> Adversaries may abuse Android's <code>startForeground()</code> API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope. Applications can retain sensor access by running in the foreground, using Android’s <code>startForeground()</code> API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1643"> T1643 </a> </td> <td> <a href="/techniques/T1643"> Generate Traffic from Victim </a> </td> <td> Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1628"> T1628 </a> </td> <td> <a href="/techniques/T1628"> Hide Artifacts </a> </td> <td> Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1628/001"> .001 </a> </td> <td> <a href="/techniques/T1628/001"> Suppress Application Icon </a> </td> <td> A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1628/002"> .002 </a> </td> <td> <a href="/techniques/T1628/002"> User Evasion </a> </td> <td> Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1628/003"> .003 </a> </td> <td> <a href="/techniques/T1628/003"> Conceal Multimedia Files </a> </td> <td> Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1625"> T1625 </a> </td> <td> <a href="/techniques/T1625"> Hijack Execution Flow </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1625/001"> .001 </a> </td> <td> <a href="/techniques/T1625/001"> System Runtime API Hijacking </a> </td> <td> Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1617"> T1617 </a> </td> <td> <a href="/techniques/T1617"> Hooking </a> </td> <td> Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1629"> T1629 </a> </td> <td> <a href="/techniques/T1629"> Impair Defenses </a> </td> <td> Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. 
This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1629/001"> .001 </a> </td> <td> <a href="/techniques/T1629/001"> Prevent Application Removal </a> </td> <td> Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1629/002"> .002 </a> </td> <td> <a href="/techniques/T1629/002"> Device Lockout </a> </td> <td> An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using <code>DevicePolicyManager.lockNow()</code>. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted "call" notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1629/003"> .003 </a> </td> <td> <a href="/techniques/T1629/003"> Disable or Modify Tools </a> </td> <td> Adversaries may disable security tools to avoid potential detection of their tools and activities. 
This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1630"> T1630 </a> </td> <td> <a href="/techniques/T1630"> Indicator Removal on Host </a> </td> <td> Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1630/001"> .001 </a> </td> <td> <a href="/techniques/T1630/001"> Uninstall Malicious Application </a> </td> <td> Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1630/002"> .002 </a> </td> <td> <a href="/techniques/T1630/002"> File Deletion </a> </td> <td> Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1630/003"> .003 </a> </td> <td> <a href="/techniques/T1630/003"> Disguise Root/Jailbreak Indicators </a> </td> <td> An adversary could use knowledge of the techniques used by security software to evade detection. 
For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1544"> T1544 </a> </td> <td> <a href="/techniques/T1544"> Ingress Tool Transfer </a> </td> <td> Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1417"> T1417 </a> </td> <td> <a href="/techniques/T1417"> Input Capture </a> </td> <td> Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. <a href="/techniques/T1417/001">Keylogging</a>) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. <a href="/techniques/T1417/002">GUI Input Capture</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1417/001"> .001 </a> </td> <td> <a href="/techniques/T1417/001"> Keylogging </a> </td> <td> Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1417/002"> .002 </a> </td> <td> <a href="/techniques/T1417/002"> GUI Input Capture </a> </td> <td> Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1516"> T1516 </a> </td> <td> <a href="/techniques/T1516"> Input Injection </a> </td> <td> A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1430"> T1430 </a> </td> <td> <a href="/techniques/T1430"> Location Tracking </a> </td> <td> Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1430/001"> .001 </a> </td> <td> <a href="/techniques/T1430/001"> Remote Device Management Services </a> </td> <td> An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1430/002"> .002 </a> </td> <td> <a href="/techniques/T1430/002"> Impersonate SS7 Nodes </a> </td> <td> Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1461"> T1461 </a> </td> <td> <a href="/techniques/T1461"> Lockscreen Bypass </a> </td> <td> An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1655"> T1655 </a> </td> <td> <a href="/techniques/T1655"> Masquerading </a> </td> <td> Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1655/001"> .001 </a> </td> <td> <a href="/techniques/T1655/001"> Match Legitimate Name or Location </a> </td> <td> Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., <code>com.google.android.gm</code>). 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1575"> T1575 </a> </td> <td> <a href="/techniques/T1575"> Native API </a> </td> <td> Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1464"> T1464 </a> </td> <td> <a href="/techniques/T1464"> Network Denial of Service </a> </td> <td> Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1423"> T1423 </a> </td> <td> <a href="/techniques/T1423"> Network Service Scanning </a> </td> <td> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1509"> T1509 </a> </td> <td> <a href="/techniques/T1509"> Non-Standard Port </a> </td> <td> Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1406"> T1406 </a> </td> <td> <a href="/techniques/T1406"> Obfuscated Files or Information </a> </td> <td> Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1406/001"> .001 </a> </td> <td> <a href="/techniques/T1406/001"> Steganography </a> </td> <td> Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1406/002"> .002 </a> </td> <td> <a href="/techniques/T1406/002"> Software Packing </a> </td> <td> Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1644"> T1644 </a> </td> <td> <a href="/techniques/T1644"> Out of Band Data </a> </td> <td> Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1660"> T1660 </a> </td> <td> <a href="/techniques/T1660"> Phishing </a> </td> <td> Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as "spearphishing". Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1424"> T1424 </a> </td> <td> <a href="/techniques/T1424"> Process Discovery </a> </td> <td> Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from <a href="/techniques/T1424">Process Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1631"> T1631 </a> </td> <td> <a href="/techniques/T1631"> Process Injection </a> </td> <td> Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1631/001"> .001 </a> </td> <td> <a href="/techniques/T1631/001"> Ptrace System Calls </a> </td> <td> Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1636"> T1636 </a> </td> <td> <a href="/techniques/T1636"> Protected User Data </a> </td> <td> Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s <code>Info.plist</code> file. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1636/001"> .001 </a> </td> <td> <a href="/techniques/T1636/001"> Calendar Entries </a> </td> <td> Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the <code>EventKit</code> framework. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1636/002"> .002 </a> </td> <td> <a href="/techniques/T1636/002"> Call Log </a> </td> <td> Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1636/003"> .003 </a> </td> <td> <a href="/techniques/T1636/003"> Contact List </a> </td> <td> Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the <code>Contacts</code> framework. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1636/004"> .004 </a> </td> <td> <a href="/techniques/T1636/004"> SMS Messages </a> </td> <td> Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1604"> T1604 </a> </td> <td> <a href="/techniques/T1604"> Proxy Through Victim </a> </td> <td> Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1663"> T1663 </a> </td> <td> <a href="/techniques/T1663"> Remote Access Software </a> </td> <td> Adversaries may use legitimate remote access software, such as <code>VNC</code>, <code>TeamViewer</code>, <code>AirDroid</code>, <code>AirMirror</code>, etc., to establish an interactive command and control channel to target mobile devices. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1458"> T1458 </a> </td> <td> <a href="/techniques/T1458"> Replication Through Removable Media </a> </td> <td> Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly. In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device. Examples of this include: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1603"> T1603 </a> </td> <td> <a href="/techniques/T1603"> Scheduled Task/Job </a> </td> <td> Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1513"> T1513 </a> </td> <td> <a href="/techniques/T1513"> Screen Capture </a> </td> <td> Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android <code>MediaProjectionManager</code> (generally requires the device user to grant consent). Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application. An adversary with root access or Android Debug Bridge (adb) access could call the Android <code>screencap</code> or <code>screenrecord</code> commands. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1582"> T1582 </a> </td> <td> <a href="/techniques/T1582"> SMS Control </a> </td> <td> Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1418"> T1418 </a> </td> <td> <a href="/techniques/T1418"> Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from <a href="/techniques/T1418">Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1418/001"> .001 </a> </td> <td> <a href="/techniques/T1418/001"> Security Software Discovery </a> </td> <td> Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from <a href="/techniques/T1418/001">Security Software Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1635"> T1635 </a> </td> <td> <a href="/techniques/T1635"> Steal Application Access Token </a> </td> <td> Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system "Open With" dialogue. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1635/001"> .001 </a> </td> <td> <a href="/techniques/T1635/001"> URI Hijacking </a> </td> <td> Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1409"> T1409 </a> </td> <td> <a href="/techniques/T1409"> Stored Application Data </a> </td> <td> Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1632"> T1632 </a> </td> <td> <a href="/techniques/T1632"> Subvert Trust Controls </a> </td> <td> Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1632/001"> .001 </a> </td> <td> <a href="/techniques/T1632/001"> Code Signing Policy Modification </a> </td> <td> Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. 
</td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1474"> T1474 </a> </td> <td> <a href="/techniques/T1474"> Supply Chain Compromise </a> </td> <td> Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1474/001"> .001 </a> </td> <td> <a href="/techniques/T1474/001"> Compromise Software Dependencies and Development Tools </a> </td> <td> Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1474/002"> .002 </a> </td> <td> <a href="/techniques/T1474/002"> Compromise Hardware Supply Chain </a> </td> <td> Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1474/003"> .003 </a> </td> <td> <a href="/techniques/T1474/003"> Compromise Software Supply Chain </a> </td> <td> Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1426"> T1426 </a> </td> <td> <a href="/techniques/T1426"> System Information Discovery </a> </td> <td> Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from <a href="/techniques/T1426">System Information Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1422"> T1422 </a> </td> <td> <a href="/techniques/T1422"> System Network Configuration Discovery </a> </td> <td> Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1422/001"> .001 </a> </td> <td> <a href="/techniques/T1422/001"> Internet Connection Discovery </a> </td> <td> Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using <code>adb shell netstat</code> for Android. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1422/002"> .002 </a> </td> <td> <a href="/techniques/T1422/002"> Wi-Fi Discovery </a> </td> <td> Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. 
Adversaries may use Wi-Fi information as part of <a href="https://attack.mitre.org/tactics/TA0032">Discovery</a> or <a href="https://attack.mitre.org/tactics/TA0031">Credential Access</a> activity to support both ongoing and future campaigns. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1421"> T1421 </a> </td> <td> <a href="/techniques/T1421"> System Network Connections Discovery </a> </td> <td> Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1512"> T1512 </a> </td> <td> <a href="/techniques/T1512"> Video Capture </a> </td> <td> An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially at specified intervals, in lieu of video files. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1633"> T1633 </a> </td> <td> <a href="/techniques/T1633"> Virtualization/Sandbox Evasion </a> </td> <td> Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from <a href="/techniques/T1633">Virtualization/Sandbox Evasion</a> during automated discovery to shape follow-on behaviors. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1633/001"> .001 </a> </td> <td> <a href="/techniques/T1633/001"> System Checks </a> </td> <td> Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1481"> T1481 </a> </td> <td> <a href="/techniques/T1481"> Web Service </a> </td> <td> Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, which also hides the relayed C2 content from network inspection and gives adversaries an added level of protection. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1481/001"> .001 </a> </td> <td> <a href="/techniques/T1481/001"> Dead Drop Resolver </a> </td> <td> Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1481/002"> .002 </a> </td> <td> <a href="/techniques/T1481/002"> Bidirectional Communication </a> </td> <td> Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1481/003"> .003 </a> </td> <td> <a href="/techniques/T1481/003"> One-Way Communication </a> </td> <td> Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. 