T1629 Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.
Mitigations
| ID |
Mitigation |
Description |
| M1010 |
Deploy Compromised Device Detection Method |
Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action. |
| M1012 |
Enterprise Policy |
An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features. |
| M1001 |
Security Updates |
Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses. |
| M1004 |
System Partition Integrity |
System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files. |
| M1011 |
User Guidance |
Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses. |
Detection
References