Skip to content

T1398 Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

Item Value
ID T1398
Tactics TA0028
Platforms Android, iOS
Version 2.1
Created 25 October 2017
Last Modified 16 March 2023

Procedure Examples

ID Name Description
S0285 OldBoot OldBoot uses escalated privileges to modify the init script on the device’s boot partition to maintain persistence.2


ID Mitigation Description
M1002 Attestation Device attestation could detect devices with unauthorized or unsafe modifications.
M1003 Lock Bootloader A locked bootloader could prevent unauthorized modifications to protected operating system files.
M1001 Security Updates Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.
M1004 System Partition Integrity Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.


ID Data Source Data Component
DS0013 Sensor Health Host Status