ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩、戴亦仑. This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices



Evade Analysis Environment

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments. Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information. Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.


ID: T1523

Tactic type: Post-Adversary Device Access

Tactics: Defense Evasion, Discovery

Platforms: Android, iOS


Name            Description
Rotexy (S0411)  Rotexy (S0411) checks if it is running in an analysis environment.


Mitigation                   Description
Application Vetting (M1005)  Applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands should be closely scrutinized. Google does not recommend the use of system properties within applications.
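As an added example (not part of the ATT&CK page or of any project's code) of how an application-vetting pipeline could act on the mitigation above: a Python triage script that flags decompiled source reaching android.os.SystemProperties via reflection, running getprop through Runtime.exec(), or reading the IMEI/IMSI/phone-number identifiers the description mentions. The sample fragment, the category names and the strong/weak weighting are assumptions made for this example.

```python
"""Static triage helper for application vetting (ATT&CK M1005): flags decompiled
Android source that reaches android.os.SystemProperties via reflection or runs
getprop through Runtime.exec(), the environment-fingerprinting paths named above."""
import re
from typing import Dict, List

# Indicator patterns keyed by category. The two "strong" categories are the ones
# the mitigation says warrant close scrutiny; the identity lookups (IMEI, IMSI,
# phone number) are treated as a weaker, corroborating signal (an assumption).
INDICATORS: Dict[str, List[re.Pattern]] = {
    "systemproperties_reflection": [
        re.compile(r'Class\.forName\(\s*"android\.os\.SystemProperties"'),
    ],
    "getprop_exec": [
        re.compile(r'Runtime\.getRuntime\(\)\.exec\([^;]*getprop'),
        re.compile(r'new\s+ProcessBuilder\([^;]*"getprop"'),
    ],
    "device_identity_lookup": [
        re.compile(r'\.(getDeviceId|getSubscriberId|getLine1Number|getSimSerialNumber)\('),
    ],
}
STRONG = {"systemproperties_reflection", "getprop_exec"}

def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per matching line: {line, category, text}."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, patterns in INDICATORS.items():
            if any(p.search(line) for p in patterns):
                findings.append({"line": lineno, "category": category,
                                 "text": line.strip()})
                break  # report only the first category that matches a line
    return findings

def triage(source: str) -> str:
    """'scrutinize' on any strong indicator, 'review' on weak ones only, else 'clear'."""
    categories = {f["category"] for f in scan_source(source)}
    if categories & STRONG:
        return "scrutinize"
    return "review" if categories else "clear"

# Constructed sample: a decompiled fragment in the shape such checks take.
SAMPLE = '''\
Class<?> sp = Class.forName("android.os.SystemProperties");
String model = (String) sp.getMethod("get", String.class).invoke(null, "ro.product.model");
Process p = Runtime.getRuntime().exec(new String[]{"getprop", "ro.build.fingerprint"});
String imei = telephonyManager.getDeviceId();
'''
```

Run scan_source over the decompiled tree of each submitted app and route anything that triages as "scrutinize" to a manual reviewer; the "review" tier keeps identity lookups, which many legitimate apps perform, from drowning the queue.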



Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.