Skip to content

DET0654 Detection of Boot or Logon Initialization Scripts

Item Value
ID DET0654
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1398 (Boot or Logon Initialization Scripts)

Analytics

Android

AN1739

On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources
Data Component Name Channel
Host Status (DC0018) Sensor Health None
Mutable Elements
Field Description

iOS

AN1740

On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources
Data Component Name Channel
Host Status (DC0018) Sensor Health None
Mutable Elements
Field Description