AN1742: Analytic 1742
The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside expected user context. Because direct shell-process visibility can be weaker on iOS in many enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects.
Analyst context for executives and security teams
AN1742 is an iOS mobile detection analytic focused on spotting when a managed app appears to invoke commands or shell-like execution and then produces follow-on file or network activity outside the expected user context. For leaders, the value is not that every iOS environment has full shell visibility, but that high-confidence mobile detection often depends on correlating weaker signals across app runtime behavior, process or OS API effects, lifecycle context, and post-execution artifacts.
Executive priority
This analytic matters where iOS devices and managed apps support business operations, executive workflows, regulated data access, or mobile workforce continuity. Security leaders should ask whether mobile security telemetry can prove what managed apps are doing at runtime, whether unexpected execution can be investigated quickly, and whether mobile events are integrated into SOC and incident response workflows. It also helps prioritize investment in mobile telemetry quality rather than relying on a single process event source that may be incomplete on iOS.
Technical view
For SOC, detection engineering, and IR teams, validate correlation logic around the same managed app: suspected command or shell invocation, observable process-creation or lower-level OS API effects, app lifecycle context, and immediate follow-on local artifact creation or network communication outside normal user context. Because the official object does not provide a detection rule, treat this as an analytic design pattern for iOS rather than a ready-to-deploy signature. One caveat worth keeping in mind when tuning: on a non-jailbroken device the iOS app sandbox does not let a third-party app fork or spawn child processes, so credible evidence of a managed app executing a command or child process is itself anomalous and usually points to a jailbroken or otherwise compromised device or to private-API abuse. MDM and mobile threat defense products typically surface that condition as device-integrity or jailbreak findings rather than as per-process creation events, which is why this analytic leans on lifecycle context and follow-on file and network effects instead of a shell-process log that most fleets cannot produce.
Likely telemetry
- Managed app runtime behavior events
- iOS process-creation or lower-level OS API effect telemetry where available
- App lifecycle and foreground/background context
- Local file or artifact creation/modification evidence
- Network communication initiated after suspected execution
Detection direction
- Validate that mobile telemetry can correlate events by app, device, user, and time window.
- Prioritize confidence when command invocation, process or OS API execution effects, and follow-on file or network activity occur in sequence for the same app.
- Account for iOS visibility limits; absence of direct shell-process evidence should not be treated as proof of absence.
- Tune expected managed-app behavior to reduce false positives from legitimate app updates, diagnostics, automation, or enterprise management activity.
- Escalate events that occur outside expected user context or app lifecycle state, especially when followed immediately by local artifacts or network communication.
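The sequencing and confidence-building described in the detection direction above, as an added worked example that is not part of the ATT&CK object or of any MDM/MTD product: events are grouped by device, user and managed app; each suspected command invocation is anchored to a process or OS API execution effect within a short window where that telemetry exists, then scored up by immediate file or network effects and background lifecycle state. A missing process anchor lowers confidence rather than suppressing the alert, and an allowlist of expected app behavior suppresses known-good runs. The event schema, field names, time windows, scoring weights and verdict thresholds are assumptions chosen for illustration, and the sample events are constructed, not real telemetry.

```python
"""Added example: AN1742-style sequencing correlator over constructed mobile events.

Illustrative code written for this page; not MITRE's analytic and not any
vendor's detection logic. Schema, windows, weights and thresholds are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ANCHOR = "proc_exec"                  # process-creation / lower-level OS API effect
EFFECTS = {"file_write", "net_conn"}  # follow-on artifacts that raise confidence

# Assumed allowlist of expected managed-app behaviour (tuning knob for
# legitimate diagnostics, updates or enterprise-management actions).
EXPECTED = {("com.example.fieldapp", "diagnostics-bundle")}


@dataclass(frozen=True)
class MobileEvent:
    ts: datetime
    device: str
    user: str
    app: str         # managed app identifier (assumed field)
    kind: str        # cmd_invoke | proc_exec | file_write | net_conn
    lifecycle: str   # foreground | background
    detail: str = ""


@dataclass
class Alert:
    device: str
    user: str
    app: str
    score: int
    verdict: str
    evidence: list = field(default_factory=list)


def verdict_for(score: int) -> str:
    """Assumed thresholds: 80+ escalate, 50+ review, otherwise log only."""
    if score >= 80:
        return "escalate"
    if score >= 50:
        return "review"
    return "log"


def correlate(events, exec_window=timedelta(seconds=60),
              effect_window=timedelta(seconds=30)):
    """Group by (device, user, app); for each cmd_invoke find the process anchor
    within exec_window and the effects within effect_window after it. If no
    anchor is visible (common on iOS), fall back to effects after the invocation
    at reduced confidence rather than dropping the sequence."""
    groups = {}
    for e in sorted(events, key=lambda e: e.ts):
        groups.setdefault((e.device, e.user, e.app), []).append(e)

    alerts = []
    for (device, user, app), evs in groups.items():
        for i, inv in enumerate(evs):
            if inv.kind != "cmd_invoke":
                continue
            if (app, inv.detail) in EXPECTED:
                continue  # tuned-out legitimate behaviour
            later = evs[i + 1:]
            anchor = next((x for x in later
                           if x.kind == ANCHOR and x.ts - inv.ts <= exec_window), None)
            start = anchor.ts if anchor else inv.ts
            effects = [x for x in later
                       if x.kind in EFFECTS and start <= x.ts <= start + effect_window]
            if anchor is None and not effects:
                continue  # nothing observable followed the invocation
            score = 50 if anchor else 25          # anchor present vs. visibility gap
            if effects:
                score += 20                       # immediate local or network effect
            if any(x.kind == "net_conn" for x in effects):
                score += 10                       # outbound communication after execution
            if any(x.lifecycle == "background" for x in (inv, anchor) if x is not None):
                score += 10                       # outside expected user context
            evidence = [inv] + ([anchor] if anchor else []) + effects
            alerts.append(Alert(device, user, app, score, verdict_for(score),
                                [f"{x.ts:%H:%M:%S} {x.kind}" for x in evidence]))
    return alerts


# Constructed sample telemetry (not real data); RFC 5737 documentation addresses.
T = datetime(2026, 1, 5, 10, 0, 0)
SAMPLE_EVENTS = [
    # d1: invoke -> exec -> file -> network, all in background: full sequence
    MobileEvent(T, "d1", "alice", "com.example.fieldapp", "cmd_invoke", "background", "shell-like"),
    MobileEvent(T + timedelta(seconds=2), "d1", "alice", "com.example.fieldapp", "proc_exec", "background"),
    MobileEvent(T + timedelta(seconds=5), "d1", "alice", "com.example.fieldapp", "file_write", "background", "/tmp/out"),
    MobileEvent(T + timedelta(seconds=8), "d1", "alice", "com.example.fieldapp", "net_conn", "background", "203.0.113.7:443"),
    # d2: allowlisted diagnostics run, suppressed by EXPECTED
    MobileEvent(T + timedelta(hours=1), "d2", "bob", "com.example.fieldapp", "cmd_invoke", "foreground", "diagnostics-bundle"),
    MobileEvent(T + timedelta(hours=1, seconds=1), "d2", "bob", "com.example.fieldapp", "proc_exec", "foreground"),
    # d3: no process telemetry, but background network follows the invocation
    MobileEvent(T + timedelta(hours=2), "d3", "carol", "com.example.other", "cmd_invoke", "background"),
    MobileEvent(T + timedelta(hours=2, seconds=10), "d3", "carol", "com.example.other", "net_conn", "background", "198.51.100.9:8443"),
    # d4: invoke and exec in foreground with no follow-on effects
    MobileEvent(T + timedelta(hours=3), "d4", "dave", "com.example.fieldapp", "cmd_invoke", "foreground"),
    MobileEvent(T + timedelta(hours=3, seconds=3), "d4", "dave", "com.example.fieldapp", "proc_exec", "foreground"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a.device, a.user, a.app, a.score, a.verdict, a.evidence)
```

Run against the constructed sample, d1 scores 90 (escalate), d3 scores 65 (review, because the anchor is missing but background network activity immediately followed the invocation), d4 scores 50 (review, anchor only) and d2 is suppressed by the allowlist. In a real deployment the join key would come from the MDM or MTD device and app inventory, and the windows and weights should be set from a baseline of the fleet's own managed-app behavior.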
Mitigation priorities
- Inventory managed iOS apps and define expected runtime, network, and file behavior for higher-risk business apps.
- Ensure mobile telemetry is available to the SOC and can be joined with identity, device, and network context.
- Harden managed-app and device policy baselines to limit unauthorized or unexpected app behavior where enterprise controls allow.
- Create IR playbooks for suspicious managed-app execution that include device containment, app review, user validation, and evidence preservation.
- Use the analytic to assess mobile detection coverage gaps during compliance readiness or security program reviews.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for iOS in the mobile domain. It emphasizes correlation and confidence-building rather than a single event or rule. No tactics, relationships, aliases, or explicit detection implementation were supplied, so this take avoids mapping it to specific adversary procedures or claiming coverage against named threats.
Official detection content is not provided, and no relationship context is supplied. Local implementation depends heavily on the organization’s iOS management model, available mobile telemetry, managed-app logging, and SOC correlation capability. This summary does not imply active exploitation, attribution, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5f8adb6a69da… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1742 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.