MITRE ATT&CK® Analytic

AN1741: Analytic 1741

The defender correlates app-driven shell or command execution setup with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from background state, without recent user interaction, or immediately after payload retrieval or local staging. The analytic prioritizes Android-observable control-plane effects: Java Runtime or similar command-execution method use, shell or sh-like process creation, command parameter visibility where available, and immediate file or network effects produced by the interpreter.

Mobile · Analytic object · v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN1741 is a mobile detection analytic for Android focused on apps that set up and launch shell or command execution, then produce follow-on process, file, network, or script activity under the same app context. Its practical value is that app-driven command execution can indicate behavior that bypasses normal user-driven app flows, especially when it occurs in the background, without recent user interaction, or shortly after payload retrieval or local staging.

Executive priority

For security leaders, this analytic is a validation point for Android monitoring depth: can the organization distinguish normal app behavior from app-controlled command execution that may create operational, data protection, or incident response risk? It supports decisions about mobile telemetry investment, managed detection requirements, incident triage readiness, and compliance evidence for endpoint monitoring. Priority should be highest where Android devices support sensitive business workflows, privileged access, regulated data, or cyber-physical operations.

Technical view

SOC and detection teams should validate whether Android telemetry can correlate an app context with Java Runtime or similar command-execution method use, shell or sh-like process creation, visible command parameters when available, and immediate file or network effects from the interpreter. Because no official detection logic is provided, teams should build and test correlation around sequence and context: app-driven command setup followed by process creation, command invocation, script-like follow-on behavior, payload retrieval, local staging, background execution, or absence of recent user interaction.

Likely telemetry

  • Android app context and package/process identity
  • Java Runtime or similar command-execution method usage where observable
  • Shell or sh-like process creation events
  • Command invocation and command parameter visibility where available
  • File creation, modification, or local staging events after command execution

Detection direction

  • Validate that mobile telemetry preserves parent app context across command setup, process creation, and follow-on file or network effects.
  • Tune for suspicious sequencing rather than a single event: payload retrieval or local staging followed by shell-like execution, especially from background state or without recent user interaction.
  • Account for false positives from legitimate apps that use interpreters, diagnostics, automation, development tooling, or device-management functions.
  • Close visibility gaps first: missing command parameters, weak app-to-process correlation, no user-interaction state, and limited file/network linkage each materially reduce the analytic's value.
  • Use this as an engineering requirement for managed detection or mobile EDR coverage rather than assuming coverage from generic endpoint logging.
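The correlation the technical view and the detection-direction items describe can be prototyped before any mobile EDR purchase is made. The block below is an added example, not Glexia's or MITRE's code; it assumes a normalized event feed (the `Event` fields, kinds and window sizes are assumptions) and runs over a handful of constructed events: one app that downloads a payload, stages a script and launches a shell from the background, and one app that spawns a shell right after a user tap in the foreground. A finding is emitted only when a command-execution trigger has both a follow-on effect under the same package and at least one of the contextual signals the analytic names.

```python
"""Correlation sketch for ATT&CK analytic AN1741: app-driven command execution
followed by process, file or network effects under one Android app context.

Added example, not Glexia's or MITRE's code. The event schema, the window
sizes and the sample events are assumptions/constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Shell-like executables that count as "sh-like process creation" (assumed list).
SHELL_BINARIES = {"/system/bin/sh", "/system/bin/mksh", "/system/bin/bash", "sh", "bash"}
FOLLOW_ON_WINDOW = 10.0    # seconds after the trigger to look for effects
STAGING_WINDOW = 30.0      # seconds before the trigger to look for retrieval/staging
INTERACTION_WINDOW = 60.0  # seconds without user input that counts as "no recent interaction"
EFFECT_KINDS = {"process_create", "file_write", "network_connect"}


@dataclass
class Event:
    ts: float              # seconds since epoch (constructed values below)
    package: str           # owning Android app context
    kind: str              # runtime_exec | process_create | file_write | network_download |
                           # network_connect | user_interaction | app_state
    detail: Dict[str, str]


def is_trigger(ev: Event) -> bool:
    """Command-execution setup: a Runtime.exec-style call or a shell-like process spawn."""
    if ev.kind == "runtime_exec":
        return True
    return ev.kind == "process_create" and ev.detail.get("exe", "") in SHELL_BINARIES


def correlate(events: List[Event]) -> List[dict]:
    """One finding per trigger that has a follow-on effect AND a suspicious context."""
    by_pkg: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_pkg[ev.package].append(ev)          # keep app context as the join key
    findings = []
    for pkg, evs in by_pkg.items():
        evs.sort(key=lambda e: e.ts)
        for trig in filter(is_trigger, evs):
            after = [e for e in evs
                     if trig.ts < e.ts <= trig.ts + FOLLOW_ON_WINDOW and e.kind in EFFECT_KINDS]
            if not after:
                continue                        # setup with no observable effect: no finding
            before = [e for e in evs if trig.ts - STAGING_WINDOW <= e.ts < trig.ts]
            reasons = []
            # Background state: the last app_state change before the trigger.
            states = [e for e in evs if e.kind == "app_state" and e.ts <= trig.ts]
            if states and states[-1].detail.get("state") == "background":
                reasons.append("background_state")
            if not any(e.kind == "user_interaction" and trig.ts - INTERACTION_WINDOW <= e.ts <= trig.ts
                       for e in evs):
                reasons.append("no_recent_user_interaction")
            if any(e.kind in {"network_download", "file_write"} for e in before):
                reasons.append("preceded_by_retrieval_or_staging")
            if reasons:
                findings.append({
                    "package": pkg,
                    "trigger": trig.kind,
                    "command": trig.detail.get("cmd") or trig.detail.get("exe", ""),
                    "follow_on": sorted({e.kind for e in after}),
                    "reasons": reasons,
                })
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(1000.0, "com.example.dropper", "app_state", {"state": "background"}),
    Event(1005.0, "com.example.dropper", "network_download", {"path": "/data/data/com.example.dropper/cache/p.bin"}),
    Event(1006.0, "com.example.dropper", "file_write", {"path": "/data/data/com.example.dropper/files/run.sh"}),
    Event(1010.0, "com.example.dropper", "runtime_exec", {"cmd": "sh /data/data/com.example.dropper/files/run.sh"}),
    Event(1010.2, "com.example.dropper", "process_create", {"exe": "/system/bin/sh", "args": "/data/data/com.example.dropper/files/run.sh"}),
    Event(1011.0, "com.example.dropper", "file_write", {"path": "/data/data/com.example.dropper/files/out.txt"}),
    Event(1012.0, "com.example.dropper", "network_connect", {"dest": "203.0.113.10:443"}),
    Event(2000.0, "com.example.termapp", "app_state", {"state": "foreground"}),
    Event(2001.0, "com.example.termapp", "user_interaction", {"type": "tap"}),
    Event(2002.0, "com.example.termapp", "process_create", {"exe": "/system/bin/sh", "args": "-c ls"}),
    Event(2002.5, "com.example.termapp", "file_write", {"path": "/data/data/com.example.termapp/files/history"}),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The foreground terminal app produces no finding even though it spawns a shell with a file effect, which is the false-positive class the tuning item above is about. The dropper yields two findings, one for the `runtime_exec` setup and one for the resulting `/system/bin/sh` spawn; a production rule would normally collapse a spawn that follows its own setup call within a second into one alert, and would also record which of the contextual fields (user-interaction state, app state) the feed actually supplies, since an absent field silently turns into "no_recent_user_interaction".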

Mitigation priorities

  • Inventory Android use cases where command execution by apps could create business or compliance risk.
  • Ensure approved mobile security controls can collect app context, process creation, command metadata where available, file activity, network activity, and user-interaction/background-state signals.
  • Restrict or review high-risk apps and app sources according to existing mobile governance and application control policies.
  • Define incident response playbooks for Android cases involving app-driven command execution, including evidence preservation and triage of related file and network activity.
  • Use test cases to prove telemetry correlation before relying on this analytic for audit, SOC, or IR readiness.

Analyst notes and limits

This object is an ATT&CK mobile detection analytic for Android, external ID AN1741, associated with detection strategy URL https://attack.mitre.org/detectionstrategies/DET0655#AN1741. No tactics, relationships, aliases, labels, or official detection rule were supplied, so the take focuses on telemetry and validation direction derived from the official description.

The supplied ATT&CK fields do not provide a concrete detection query, related techniques, threat groups, campaigns, mitigations, or evidence of active exploitation. Local Android fleet architecture, mobile security tooling, logging permissions, app inventory, and business use cases are required to determine priority and achievable coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org: https://attack.mitre.org/detectionstrategies/DET0655#AN1741 (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 96be7b3f860d8a41...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Object version: 1.1
  • Status: Current bundle
  • Raw hash: 96be7b3f860d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1741 (source URL: https://attack.mitre.org/detectionstrategies/DET0655#AN1741)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.