
Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c)

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Compromise Client Software Binary - T1645 (4f14e30b-8b57-4a7b-9093-2c0778ea99cf) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) | Attack Pattern | 1 |
| System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5) | Attack Pattern | 1 |
| Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Hooking - T1617 (ccde43e4-78f9-4f32-b401-c081e7db71ea) | Attack Pattern | 1 |
| Exploitation for Privilege Escalation - T1404 (351c0927-2fc1-4a2c-ad84-cbbee7eb8172) | Attack Pattern | Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | 1 |
| Attestation - M1002 (ff4821f6-5afb-481b-8c0f-26c28c0d666c) | Course of Action | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 1 |
| System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) | Attack Pattern | Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) | Attack Pattern | 2 |
| Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 2 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | 2 |