T1398 Boot or Logon Initialization Scripts
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.
| Item | Value |
|---|---|
| ID | T1398 |
| Sub-techniques | |
| Tactics | TA0028 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1095 | AhRat | AhRat can register with the BOOT_COMPLETED broadcast to start when the device turns on. [3] |
| S1079 | BOULDSPY | BOULDSPY can exfiltrate data when the user boots the app, or on device boot. [4] |
| S1185 | LightSpy | LightSpy has established auto-start execution during the system boot process. [5] |
| S0285 | OldBoot | OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence. [2] |
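The BOOT_COMPLETED registration described for AhRat is declared in an app's manifest, so an analyst triaging an APK for boot-time persistence can check for it statically. The following is an added example, not code from the ATT&CK page or from any of the samples listed above: it parses a constructed AndroidManifest.xml (package and component names are made up) and reports the boot-broadcast permission and every component whose intent filter subscribes to a boot action. The check is intentionally broader than the AhRat entry in that it also covers the direct-boot variant LOCKED_BOOT_COMPLETED.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used for android:name and friends.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Broadcast actions that fire during boot. BOOT_COMPLETED is the one named
# in the AhRat entry; LOCKED_BOOT_COMPLETED is the direct-boot variant.
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package, not a real app).
# One receiver subscribes to boot, one does not.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def find_boot_components(manifest_xml: str) -> dict:
    """Return the package name, whether RECEIVE_BOOT_COMPLETED is requested,
    and every receiver/service/activity whose intent filter contains a boot
    action. Works on the decoded (text) manifest, e.g. apktool output."""
    root = ET.fromstring(manifest_xml)

    has_permission = any(
        el.get(NAME_ATTR) == BOOT_PERMISSION for el in root.iter("uses-permission")
    )

    components = []
    for comp in root.iter():
        if comp.tag not in ("receiver", "service", "activity"):
            continue
        # Collect the actions of all intent filters under this component.
        actions = {a.get(NAME_ATTR) for a in comp.iter("action")}
        hits = actions & BOOT_ACTIONS
        if hits:
            components.append(
                {"component": comp.get(NAME_ATTR), "actions": sorted(hits)}
            )

    return {
        "package": root.get("package"),
        "has_boot_permission": has_permission,
        "boot_components": components,
        # A declared boot receiver without the permission never fires, and the
        # permission without a receiver is unused; both together are the signal.
        "starts_on_boot": has_permission and bool(components),
    }


if __name__ == "__main__":
    report = find_boot_components(SAMPLE_MANIFEST)
    print(f"{report['package']}: starts_on_boot={report['starts_on_boot']}")
    for c in report["boot_components"]:
        print(f"  {c['component']} <- {', '.join(c['actions'])}")
```

Boot-time auto-start is legitimate for many apps (alarm clocks, messaging clients), so a hit is a triage lead to combine with the app's other capabilities rather than a verdict on its own; the OldBoot entry is a different case entirely, since an init script on the boot partition never appears in any manifest and is only caught by the partition-integrity and verified-boot mitigations listed below.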
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Device attestation could detect devices with unauthorized or unsafe modifications. |
| M1003 | Lock Bootloader | A locked bootloader could prevent unauthorized modifications to protected operating system files. |
| M1001 | Security Updates | Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. |
| M1004 | System Partition Integrity | Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. |
References
1. Android. (n.d.). Verified Boot. Retrieved December 21, 2016.
2. Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.
3. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
4. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
5. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.