Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1721: Analytic 1721

From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW→RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. We correlate: (1) opaque blob write/arrival → (2) kernel memory protection changes → (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image → (4) (optional) code-sign evaluation anomalies for the new image.

MobileAN1721AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes an iOS defense pattern for spotting a sandboxed app that receives or creates an opaque executable blob, decrypts or unpacks it in memory, changes memory protections to executable, and then loads or spawns the new code. For leaders, the value is not the individual event; it is whether mobile security monitoring can connect file arrival, memory behavior, dynamic loading, process creation, and code-signing signals into one defensible story.

Executive priority

Prioritize this as a mobile runtime integrity and incident-readiness question. If iOS devices support executives, privileged users, regulated workflows, or field operations, teams should be able to show whether they can detect suspicious code loading from app-writable locations and preserve enough evidence to support containment and compliance reporting. The key budget/control decision is whether current MDM, mobile EDR, app telemetry, and IR processes can observe these behaviors on iOS at all.

Technical view

For SOC and detection teams, validate correlation across the official analytic sequence: high-entropy Mach-O, bundle, or encrypted segment arrival; mmap/mprotect memory protection changes such as RW to RX or RWX; dyld/dlopen loads from app-writable paths or posix_spawn of a recently created image; and optional code-sign evaluation anomalies. Because no ATT&CK tactic or relationship context was supplied, treat this as a detection strategy rather than a complete threat scenario.

Likely telemetry

  • iOS app/container file creation or modification events in app-writable directories
  • Evidence of opaque or high-entropy Mach-O, bundle, or encrypted segment creation or arrival
  • Kernel or endpoint telemetry for mmap and mprotect memory protection transitions, especially RW to RX or RWX
  • Dynamic loader telemetry for dyld or dlopen activity and load paths
  • Process creation telemetry for posix_spawn of recently created images

Detection direction

  • Confirm that iOS telemetry sources can actually observe memory protection changes and dynamic loading behavior; many environments will have visibility gaps here.
  • Correlate the full behavior chain instead of alerting on a single file write or memory event in isolation.
  • Tune for legitimate app behavior such as updates, protected content handling, development/test builds, or approved runtime components that may create opaque blobs or perform dynamic loading.
  • Give higher priority to loads or spawns from app-writable paths combined with recent file creation and code-signing anomalies.
  • Document what cannot be collected on managed iOS devices so SOC and IR teams do not assume coverage that is not present.

Mitigation priorities

  • Start by enforcing trusted app installation and code-signing controls through established iOS management processes.
  • Limit unapproved app sources, enterprise profiles, or configurations that weaken trust boundaries where applicable.
  • Ensure mobile incident response procedures can isolate a device, preserve relevant app/container evidence, and escalate code-signing anomalies.
  • Use detection validation exercises to prove whether the organization can collect and correlate the required iOS evidence classes.
  • For high-risk user groups, align MDM, mobile threat defense, and application security controls to reduce reliance on a single telemetry source.
Analyst notes and limits

The supplied object is a detection analytic for iOS in the mobile ATT&CK domain. It provides a strong behavioral description but no official detection text, tactics, aliases, labels, or relationship context. The most useful defensive interpretation is a correlation pattern for suspicious runtime code loading and unpacking behavior within a sandboxed iOS process.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, specific malware, business exposure, or guaranteed detection coverage. Local iOS management model, telemetry availability, app inventory, and forensic access will determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 1721

From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW→RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. We correlate: (1) opaque blob write/arrival → (2) kernel memory protection changes → (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image → (4) (optional) code-sign evaluation anomalies for the new image.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
2a93571032dfb726...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 2a93571032df…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1721
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use