T1398 Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

Item	Value
ID	T1398
Sub-techniques
Tactics	TA0028
Platforms	Android, iOS
Version	2.1
Created	25 October 2017
Last Modified	16 March 2023

Procedure Examples

ID	Name	Description
S0285	OldBoot	OldBoot uses escalated privileges to modify the init script on the device’s boot partition to maintain persistence.²

Mitigations

ID	Mitigation	Description
M1002	Attestation	Device attestation could detect devices with unauthorized or unsafe modifications.
M1003	Lock Bootloader	A locked bootloader could prevent unauthorized modifications to protected operating system files.
M1001	Security Updates	Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.
M1004	System Partition Integrity	Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.

Detection

ID	Data Source	Data Component
DS0013	Sensor Health	Host Status

References

Android. (n.d.). Verified Boot. Retrieved December 21, 2016. ↩
Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016. ↩