Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1805: Analytic 1805

Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.

MobileAN1805AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1805 is a mobile detection analytic for iOS process-listing attempts. Its business value is that broad process enumeration is normally constrained on modern iOS, so credible signals may indicate a device integrity problem, jailbreak-like posture, or an app probing restricted system interfaces. For leaders, this matters less as a standalone alert and more as evidence that mobile endpoint integrity, executive-device monitoring, and incident triage processes can distinguish benign platform noise from suspicious reconnaissance behavior.

Executive priority

Prioritize this analytic where iOS devices are part of sensitive workflows, privileged communications, regulated evidence handling, or executive access. The key management question is whether the organization can prove device integrity posture and collect enough iOS security/log evidence to support an incident decision. Because ATT&CK provides no specific tactic or relationship context here, treat AN1805 as a validation point for mobile visibility and response readiness rather than as proof of compromise by itself.

Technical view

SOC and IR teams should validate whether they can correlate iOS integrity or jailbreak indicators with repeated restricted-access anomalies such as sandbox denials, sysctl-like access attempts, suspicious use of private frameworks, and possible follow-on behavior such as rapid targeting of specific bundles/services or immediate network beacons. Detection should be correlation-driven because modern iOS protections generally limit broad process enumeration by non-root apps, making feasibility gating essential. Absence of an official detection query means local telemetry sources, MDM/EDR capability, and app logging determine practical coverage.

Likely telemetry

  • iOS device integrity or jailbreak posture signals
  • iOS sandbox denial or restricted-access logs
  • Security/log anomalies involving process table or restricted system interface queries
  • Signals of abnormal private framework usage where available
  • Application behavior showing rapid targeting of specific bundles or services

Detection direction

  • Validate that restricted-access events can be correlated with device integrity posture before escalating severity.
  • Tune for repeated or clustered anomalies rather than isolated sandbox denials, which may have benign causes.
  • Increase confidence when restricted-access anomalies are followed by rapid bundle/service targeting or immediate network activity.
  • Document blind spots where iOS logging, MDM, or mobile endpoint tooling cannot expose sandbox denials, private framework usage, or process-query-like behavior.
  • Avoid treating this analytic as confirmed process discovery without local evidence; ATT&CK supplies no official detection logic or relationship context.

Mitigation priorities

  • Establish and enforce mobile device integrity requirements for iOS devices handling sensitive access.
  • Ensure MDM or mobile security tooling can report jailbreak/integrity posture and relevant security anomalies.
  • Define IR playbooks for suspicious iOS integrity plus restricted-access-event correlation, including device isolation or access review decisions where appropriate.
  • Use conditional access and identity controls to reduce risk from devices with questionable integrity posture.
  • Preserve mobile telemetry needed for compliance evidence and incident reconstruction, especially for privileged or executive users.
Analyst notes and limits

This object is a detection analytic, not a technique description. The useful defensive takeaway is to validate whether iOS process-enumeration-like attempts are observable only when combined with integrity compromise indicators and repeated restricted-access anomalies. Relationship context is not supplied, so no related technique, campaign, malware, or actor conclusions should be inferred.

Official detection content is not provided, tactics are unspecified, and no relationships are supplied. Coverage depends heavily on local iOS telemetry, MDM/mobile security capabilities, logging retention, and the ability to correlate device integrity with app and network behavior.

Official MITRE ATT&CK definition

Analytic 1805

Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
9e1f4c856db8b4d1...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 9e1f4c856db8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1805
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use