Skip to content

T1424 Process Discovery

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.1

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.

Item Value
ID T1424
Tactics TA0032
Platforms Android, iOS
Version 2.1
Created 25 October 2017
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0440 Agent Smith Agent Smith checks if a targeted application is running in user-space prior to infection.8
S0422 Anubis Anubis can collect a list of running processes.5
S0421 GolfSpy GolfSpy can obtain a list of running processes.3
S0544 HenBox HenBox can obtain a list of running processes.2
S0411 Rotexy Rotexy collects information about running processes.7
S1055 SharkBot SharkBot can use Accessibility Services to detect which process is in the foreground.4
S0489 WolfRAT WolfRAT uses dumpsys to determine if certain applications are running.6
S0311 YiSpecter YiSpecter has collected information about running processes.9


ID Mitigation Description
M1002 Attestation Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check.
M1006 Use Recent OS Version Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges.


ID Data Source Data Component
DS0041 Application Vetting API Calls