T1424 Process Discovery
Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.[1]
In iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions.
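The Android mitigation described above can be verified from a device's mount table: if procfs is mounted with `hidepid=2`, other users' `/proc/<pid>` entries are invisible, so neither a direct `/proc` walk nor `ps` (which reads `/proc`) can enumerate processes. The script below is an added example for this page, not MITRE's or Android's own code; it parses `/proc/mounts`-style text, which on Android can be pulled with `adb shell cat /proc/mounts` (assumption: the script runs on a host against the pulled text, and the two sample tables are constructed, not captured from real devices).

```python
"""Check whether a mount table shows procfs mounted with hidepid.

Added example for this page, not MITRE's or Android's own code. It reads
/proc/mounts-style text; on Android that text can be pulled with
`adb shell cat /proc/mounts` (assumption: you run this on a host against
the pulled text, not on the device).
"""
from typing import Dict, Optional, Union

# hidepid semantics per the Linux procfs documentation. Newer kernels also
# accept the names off/noaccess/invisible/ptraceable for 0/1/2/4.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}
HIDEPID_MEANING = {
    0: "any process can list and read every /proc/<pid> entry",
    1: "other users' /proc/<pid> entries exist but cannot be read",
    2: "other users' /proc/<pid> entries are invisible (Android 7+ behaviour)",
    4: "only /proc/<pid> entries the caller could ptrace are visible",
}

# Constructed sample mount tables (not captured from real devices).
SAMPLE_LEGACY = "proc /proc proc rw,relatime 0 0\n"
SAMPLE_HARDENED = "proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0\n"


def proc_mount_options(mounts_text: str) -> Optional[Dict[str, Union[str, bool]]]:
    """Return the mount options of the procfs entry at /proc, or None if absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            options: Dict[str, Union[str, bool]] = {}
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                options[key] = value if value else True
            return options
    return None


def hidepid_level(mounts_text: str) -> int:
    """Return the effective hidepid level; 0 when the option is not set."""
    options = proc_mount_options(mounts_text)
    if options is None:
        raise ValueError("no procfs mounted at /proc in the supplied mount table")
    value = options.get("hidepid")
    if value is None or value is True:
        return 0
    if value in HIDEPID_NAMES:
        return HIDEPID_NAMES[value]
    return int(value)


def process_list_exposed(mounts_text: str) -> bool:
    """True when an unprivileged app could enumerate other processes via /proc."""
    return hidepid_level(mounts_text) == 0


def report(mounts_text: str) -> str:
    """One-line human-readable verdict for a mount table."""
    level = hidepid_level(mounts_text)
    meaning = HIDEPID_MEANING.get(level, "unrecognised hidepid value")
    verdict = "EXPOSED" if process_list_exposed(mounts_text) else "restricted"
    return f"hidepid={level} ({meaning}) -> process list {verdict}"


if __name__ == "__main__":
    for label, table in (("legacy", SAMPLE_LEGACY), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {report(table)}")
```

This check only covers the `/proc`-based path. It says nothing about `dumpsys` queries or Accessibility Services foreground detection, which the WolfRAT and SharkBot entries below rely on, which is why application vetting remains the listed detection even on hardened OS versions.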
| Item | Value |
|---|---|
| ID | T1424 |
| Sub-techniques | None |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0440 | Agent Smith | Agent Smith checks if a targeted application is running in user-space prior to infection.[8] |
| S0422 | Anubis | Anubis can collect a list of running processes.[5] |
| S0421 | GolfSpy | GolfSpy can obtain a list of running processes.[3] |
| S0544 | HenBox | HenBox can obtain a list of running processes.[2] |
| S0411 | Rotexy | Rotexy collects information about running processes.[7] |
| S1055 | SharkBot | SharkBot can use Accessibility Services to detect which process is in the foreground.[4] |
| S0489 | WolfRAT | WolfRAT uses dumpsys to determine if certain applications are running.[6] |
| S0311 | YiSpecter | YiSpecter has collected information about running processes.[9] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1002 | Attestation | Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. |
| M1006 | Use Recent OS Version | Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
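Application vetting for this technique means looking at the API calls and commands an app ships with before it reaches devices. The scanner below is an added example for this page, not MITRE's or any vetting vendor's tooling; it assumes its input is one extracted string per line (for instance the output of `strings` on `classes.dex` or a decompiler listing) and limits its indicators to the mechanisms named on this page (`ps`, `/proc`, `dumpsys`, Accessibility Services) plus the public `ActivityManager` methods that return process or task lists. The sample lines are constructed in smali style and are not from a real app.

```python
"""Flag process-discovery indicators in strings pulled from a mobile app.

Added example for this page, not MITRE's or any vetting vendor's tooling.
Input is assumed to be one string per line, e.g. the output of `strings`
on classes.dex or a decompiler listing (assumption).
"""
import re
from typing import Dict, List

INDICATORS = {
    # ActivityManager methods that return process/task lists
    "running_processes_api": re.compile(
        r"getRunningAppProcesses|getRunningTasks|getRunningServices"),
    # reads of the /proc filesystem (blocked by hidepid=2 on Android 7+)
    "proc_fs": re.compile(r"/proc(?:/|\b)"),
    # the ps binary referenced as a standalone token or by path
    "ps_binary": re.compile(r"(?:^|[\s\"'/])ps(?:$|[\s\"'])"),
    "dumpsys": re.compile(r"\bdumpsys\b"),
    # the usual way an app launches ps/dumpsys (Java or smali spelling)
    "shell_exec": re.compile(r"Runtime(?:\.|;->)exec|ProcessBuilder"),
    # foreground-app detection via Accessibility Services (SharkBot style)
    "accessibility_service": re.compile(
        r"android\.accessibilityservice|BIND_ACCESSIBILITY_SERVICE|AccessibilityService"),
}

# Constructed sample lines in the style of a smali/strings dump (not from a real app).
SAMPLE_APP_STRINGS = """\
Landroid/app/ActivityManager;->getRunningAppProcesses()Ljava/util/List;
const-string v0, "/system/bin/ps"
Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
const-string v1, "/proc/"
const-string v2, "dumpsys activity"
android.permission.BIND_ACCESSIBILITY_SERVICE
"""


def scan_strings(text: str) -> Dict[str, List[int]]:
    """Map each indicator name to the 1-based line numbers where it matched."""
    hits: Dict[str, List[int]] = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def triage(hits: Dict[str, List[int]]) -> str:
    """Rate the evidence for process discovery: 'high', 'medium' or 'none'."""
    direct_listing = hits["running_processes_api"] or hits["proc_fs"]
    tool_invocation = (hits["ps_binary"] or hits["dumpsys"]) and hits["shell_exec"]
    if direct_listing or tool_invocation:
        return "high"
    if hits["ps_binary"] or hits["dumpsys"] or hits["accessibility_service"]:
        # Accessibility Services have many legitimate uses; a lone reference
        # is only a prompt for manual review, not a verdict.
        return "medium"
    return "none"


if __name__ == "__main__":
    found = scan_strings(SAMPLE_APP_STRINGS)
    for name, lines in found.items():
        if lines:
            print(f"{name:24s} lines {lines}")
    print("triage:", triage(found))
```

The tiering reflects the page's procedure examples: a direct process-list API or `/proc` read is unambiguous, a `ps` or `dumpsys` string only matters when the app also has a way to execute it, and Accessibility Services alone need a human to decide whether foreground-app detection is part of the app's stated purpose.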
References
1. Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.
2. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
3. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
4. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
5. zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry. Retrieved January 20, 2021.
6. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… Retrieved July 20, 2020.
7. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
8. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
9. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.