M1002 Attestation
Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.
Item | Value |
---|---|
ID | M1002 |
Version | 1.0 |
Created | 18 October 2019 |
Last Modified | 18 October 2019 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1398 | Boot or Logon Initialization Scripts | Device attestation could detect devices with unauthorized or unsafe modifications. |
mobile | T1623 | Command and Scripting Interpreter | Device attestation can often detect jailbroken or rooted devices. |
mobile | T1623.001 | Unix Shell | Device attestation can often detect jailbroken or rooted devices. |
mobile | T1645 | Compromise Client Software Binary | Device attestation could detect devices with unauthorized or unsafe modifications. |
mobile | T1634 | Credentials from Password Store | Device attestation can often detect jailbroken devices. |
mobile | T1634.001 | Keychain | Device attestation can often detect jailbroken devices. |
mobile | T1404 | Exploitation for Privilege Escalation | Device attestation can often detect jailbroken or rooted devices. |
mobile | T1625 | Hijack Execution Flow | Device attestation could detect unauthorized operating system modifications. |
mobile | T1625.001 | System Runtime API Hijacking | Device attestation could detect unauthorized operating system modifications. |
mobile | T1617 | Hooking | Device attestation can often detect rooted devices. |
mobile | T1630 | Indicator Removal on Host | Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. |
mobile | T1630.001 | Uninstall Malicious Application | Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. |
mobile | T1424 | Process Discovery | Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. |