MITRE ATT&CK® Detection Strategy

DET0654: Detection of Boot or Logon Initialization Scripts


Mobile | DET0654 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is intended to help identify mobile persistence through boot or logon initialization scripts. The business significance is that persistence can let an adversary survive device restarts and continue access on Android or iOS devices, but ATT&CK provides no official detection logic or description for DET0654. Leaders should treat this as a coverage validation prompt rather than an out-of-the-box analytic.

Executive priority

Prioritize this where mobile devices support sensitive operations, privileged access, executive communications, regulated data, or operational workflows. The key management question is whether the organization can prove it would notice suspicious boot/logon persistence on rooted or jailbroken Android or iOS devices, and whether mobile security, incident response, and compliance evidence cover that scenario.

Technical view

DET0654 detects ATT&CK technique T1398, Boot or Logon Initialization Scripts, in the mobile domain. The related technique states that initialization scripts are part of the underlying operating system and are not normally accessible to the user unless the device is rooted or jailbroken. SOC and IR teams should validate whether mobile telemetry can identify rooted/jailbroken state, abnormal changes to OS initialization locations, and persistence-related activity around device boot or user logon. Because no official DET0654 detection text is supplied, analytic design must be based on local mobile telemetry and the related T1398 behavior.

Likely telemetry

  • Mobile device management or mobile threat defense posture data for Android and iOS devices
  • Root or jailbreak detection signals
  • Device compliance state and security posture changes
  • File integrity or system modification evidence where available on managed mobile devices
  • Boot, restart, enrollment, and user logon-related device events where available

Detection direction

  • Validate that mobile security tooling can surface rooted or jailbroken devices, because the related technique notes initialization scripts are not normally user-accessible unless that condition exists.
  • Confirm whether Android and iOS fleets produce usable evidence around boot/logon initialization changes; do not assume endpoint-style visibility exists on mobile platforms.
  • Tune detections to distinguish legitimate administrative or system state changes from suspicious persistence indicators, especially after OS updates, device enrollment changes, or security tool remediation.
  • Use the T1398 relationship to scope testing: persistence via boot or logon initialization scripts on Android and iOS, not general desktop startup-script behavior.
  • Document gaps explicitly where mobile platform restrictions prevent direct file or initialization-script monitoring.
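As an added example (not code from Glexia's page or from MITRE's DET0654 object), the following Python sketches the correlation the bullets above describe: it runs over constructed MDM posture events and flags a device whose integrity state flips to rooted/jailbroken, a system change or boot on a device already in that state, and treats system changes shortly after an OS update or enrollment change as expected. The event schema, field names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry; field names are assumptions.
# "system_change" stands in for file-integrity / system-modification evidence.
EVENTS = [
    {"ts": "2026-01-10T08:00:00", "device": "A1", "type": "posture", "integrity": "ok"},
    {"ts": "2026-01-10T08:05:00", "device": "A1", "type": "os_update"},
    {"ts": "2026-01-10T08:10:00", "device": "A1", "type": "system_change"},  # expected after update
    {"ts": "2026-01-10T08:20:00", "device": "A1", "type": "boot"},           # device intact: benign
    {"ts": "2026-01-10T09:00:00", "device": "B2", "type": "posture", "integrity": "ok"},
    {"ts": "2026-01-10T09:30:00", "device": "B2", "type": "posture", "integrity": "rooted"},
    {"ts": "2026-01-10T09:40:00", "device": "B2", "type": "system_change"},  # no admin event nearby
    {"ts": "2026-01-10T09:45:00", "device": "B2", "type": "boot"},
]

BENIGN_WINDOW = timedelta(minutes=30)      # assumed tuning value
COMPROMISED = {"rooted", "jailbroken"}


def evaluate(events):
    """Return (device, rule, ts) findings from posture, boot and change events."""
    state = {}       # device -> last reported integrity value
    last_admin = {}  # device -> time of last OS update / enrollment change
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        dev, kind = ev["device"], ev["type"]
        if kind in ("os_update", "enrollment"):
            # Legitimate administrative state change: opens a benign window
            last_admin[dev] = ts
        elif kind == "posture":
            prev, new = state.get(dev, "ok"), ev["integrity"]
            if prev not in COMPROMISED and new in COMPROMISED:
                findings.append((dev, "integrity_loss", ev["ts"]))
            state[dev] = new
        elif kind == "system_change":
            recent_admin = dev in last_admin and ts - last_admin[dev] <= BENIGN_WINDOW
            if not recent_admin and state.get(dev) in COMPROMISED:
                findings.append((dev, "init_change_on_compromised_device", ev["ts"]))
        elif kind == "boot":
            if state.get(dev) in COMPROMISED:
                findings.append((dev, "boot_on_compromised_device", ev["ts"]))
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

Device A1 produces no findings because its system change falls inside the window after an OS update; device B2 yields three findings in order.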

Mitigation priorities

  • Maintain mobile device compliance controls that flag or restrict rooted and jailbroken devices.
  • Ensure managed mobile devices are enrolled in controls capable of reporting security posture and device integrity state.
  • Define IR procedures for suspected mobile persistence, including isolation, evidence preservation, and re-provisioning decisions.
  • Use mobile risk findings as compliance evidence for device integrity monitoring where mobile devices access sensitive systems.
  • Review privileged mobile access and sensitive app access so persistence on one device does not automatically translate into broader business impact.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with external ID DET0654 and has no official description, official detection text, tactics, or platforms listed directly on the object. The only behavioral context supplied is its relationship to T1398, Boot or Logon Initialization Scripts, in the mobile ATT&CK domain, with related platforms Android and iOS.

This take is constrained by sparse official fields. It does not assert active exploitation, attribution, detection efficacy, or specific telemetry availability. Local mobile management architecture, OS version, device ownership model, and security tooling determine whether the suggested evidence classes are actually collectible.

Official MITRE ATT&CK definition

Detection of Boot or Logon Initialization Scripts

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain  ID     Name                                  Relationship / procedure
Mobile  T1398  Boot or Logon Initialization Scripts  This object detects Boot or Logon Initialization Scripts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b6b8e18ab16c11d8...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  b6b8e18ab16c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0654

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.