DET0712 Detection of Compromise Client Software Binary

| Item | Value |
| --- | --- |
| ID | DET0712 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1645 (Compromise Client Software Binary)

Analytics

Android

AN1838

Application vetting services could detect applications trying to modify files in protected parts of the operating system. Verified Boot can detect unauthorized modifications to the system partition. (Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| API Calls (DC0112) | Application Vetting | None |
| Host Status (DC0018) | Sensor Health | None |

Mutable Elements

| Field | Description |
| --- | --- |

iOS

AN1839

Application vetting services could detect applications trying to modify files in protected parts of the operating system. Verified Boot can detect unauthorized modifications to the system partition. (Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| API Calls (DC0112) | Application Vetting | None |
| Host Status (DC0018) | Sensor Health | None |

Mutable Elements

| Field | Description |
| --- | --- |