ATT&CK v14.0 Mobile

2023-10-31 08:49:03 -05:00
parent 24b36b4a2c
commit 0baf21a49e
1849 changed files with 41970 additions and 29195 deletions
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--fe970af0-3ca3-48ea-bade-be2e7d8567a6",
+    "id": "bundle--e85c66c5-8bcd-4883-8580-d0d9614e36d3",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--d0544880-3945-421e-8d41-0ba7e91c8e2f",
+    "id": "bundle--e9c27b76-8709-45b7-8db7-99fdb7886e2c",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--8c6a358b-cd1e-4201-b041-36f95c717065",
+    "id": "bundle--4ae4e713-ba03-4f3e-93cd-400cb27ba358",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--6c9a56bc-e25c-42cb-b0e7-7da8b78c3cdf",
+    "id": "bundle--3cf33301-a32d-4159-963c-b59a92dfb4b0",
    "spec_version": "2.0",
    "objects": [
        {
@@ -0,0 +1,46 @@
+{
+    "type": "bundle",
+    "id": "bundle--9ef9a369-44ab-4cf2-8a74-1feaee836d9d",
+    "spec_version": "2.0",
+    "objects": [
+        {
+            "modified": "2023-09-25T19:53:07.406Z",
+            "name": "Remote Access Software",
+            "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices.  \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.  ",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "command-and-control"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
+            "x_mitre_platforms": [
+                "Android",
+                "iOS"
+            ],
+            "x_mitre_version": "1.0",
+            "type": "attack-pattern",
+            "id": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c",
+            "created": "2023-09-25T19:53:07.406Z",
+            "revoked": false,
+            "external_references": [
+                {
+                    "source_name": "mitre-attack",
+                    "url": "https://attack.mitre.org/techniques/T1663",
+                    "external_id": "T1663"
+                }
+            ],
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            ],
+            "x_mitre_attack_spec_version": "3.1.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+        }
+    ]
+}
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--9922d725-ab3d-481a-81e9-a1f4c77e76e0",
+    "id": "bundle--9c697892-3654-4683-80fd-db059d729662",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--1d7b0740-0d62-4d60-b8af-d501c7348fe2",
+    "id": "bundle--a454be41-df65-4a25-ac78-33463c12a8fb",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--8c316efa-bb21-4ef7-b06f-714a686784e4",
+    "id": "bundle--3efd7a08-d3b2-4fce-ac21-fd21b918ee1a",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--f0a355c2-bc4a-45d8-95c5-2ec32b7043bf",
+    "id": "bundle--bf77aefb-91b9-4880-8671-14a52ef16d6e",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--33d18949-c530-4b89-96ae-438a81a5ddd4",
+    "id": "bundle--dd34bbf1-20b3-4d10-b28a-774b5195d0f0",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--bbaad56f-2fb0-4040-b993-388e783e3381",
+    "id": "bundle--419fe3bf-1689-4ad8-8381-c0a4a1afd213",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:41:45.256Z",
+            "modified": "2023-08-15T15:06:03.427Z",
            "name": "Impersonate SS7 Nodes",
            "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)",
            "kill_chain_phases": [
@@ -47,7 +47,7 @@
                {
                    "source_name": "CSRIC5-WG10-FinalReport",
                    "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
-                    "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
+                    "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
                },
                {
                    "source_name": "CSRIC-WG1-FinalReport",
@@ -0,0 +1,60 @@
+{
+    "type": "bundle",
+    "id": "bundle--8b800248-8d72-40e4-b4da-7329e0392dc3",
+    "spec_version": "2.0",
+    "objects": [
+        {
+            "modified": "2023-09-08T18:15:15.902Z",
+            "name": "Match Legitimate Name or Location",
+            "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "defense-evasion"
+                }
+            ],
+            "x_mitre_contributors": [
+                "Ford Qin, Trend Micro",
+                "Liran Ravich, CardinalOps"
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": true,
+            "x_mitre_platforms": [
+                "Android",
+                "iOS"
+            ],
+            "x_mitre_version": "1.0",
+            "type": "attack-pattern",
+            "id": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b",
+            "created": "2023-07-12T20:45:14.704Z",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
+            "external_references": [
+                {
+                    "source_name": "mitre-attack",
+                    "url": "https://attack.mitre.org/techniques/T1655/001",
+                    "external_id": "T1655.001"
+                },
+                {
+                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
+                    "external_id": "APP-14"
+                },
+                {
+                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+                    "external_id": "APP-31"
+                }
+            ],
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            ],
+            "x_mitre_attack_spec_version": "3.1.0",
+            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+        }
+    ]
+}
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--306785f9-17d3-46dc-a4e4-bdf5b8919e54",
+    "id": "bundle--5a7db254-8e68-44f0-94b7-8c595e14d18a",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--f97cf624-ea91-4ce2-9c98-64119f34b550",
+    "id": "bundle--c56dd4ee-3c46-4c5b-b8fa-e88220ac93cd",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--f1fc12e5-588b-48ff-97f8-acf672089bc5",
+    "id": "bundle--654cf425-a24e-4d94-b7f6-ecfa99735ad6",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--dfe1199f-937e-44b1-b741-34dc24e55f39",
+    "id": "bundle--98b9388f-9fd7-4883-ad93-2ab8d5a27fed",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--b373a8d1-e263-4132-aabe-b45e3f98049f",
+    "id": "bundle--66f4a865-3737-46c4-83d7-09864cf47c08",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a072dafb-5f0b-4bc8-a380-761a231eb271",
+    "id": "bundle--e2dd01ed-690f-43a2-bbb2-324f546ed46f",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--2c10842c-8b18-4447-9b16-9ca8105dd7c1",
+    "id": "bundle--a7c318fe-bb93-4b41-b0e5-2253b295254e",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a1530391-b8dc-44c7-9446-89ee308d8797",
+    "id": "bundle--b2caf91e-baf9-4371-8780-aa52e1a31b90",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a577afff-5bc8-48d9-a7b7-6960e78dc7cf",
+    "id": "bundle--fb73a65a-ea0e-4536-a6fd-4d5c7f5712fe",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--e3320dba-5a09-482a-9074-e04a99a89c79",
+    "id": "bundle--c949d5f7-96d8-4dfb-971f-7ee581bfa733",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--41678525-7554-432b-9448-d83257461c68",
+    "id": "bundle--6ac30371-9c1f-4994-b8cf-b503acea91f0",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a84f6236-d4b3-4c88-a18a-c64a1d57df4b",
+    "id": "bundle--1bce58f4-4ddc-4f3f-8998-1fe8cc279601",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--4ccbcc03-cd6f-4f9f-9509-0ac44b46efbf",
+    "id": "bundle--dec51546-d0e8-4889-822b-217f7f038fe2",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--5bd5f78a-ca97-4f0c-ae12-875e27df8883",
+    "id": "bundle--107fb472-ca1c-48e5-9bff-e79149b89e58",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--9b5ba1f9-1270-4ac9-8daa-1862b7d7053e",
+    "id": "bundle--b9d96331-e782-4513-b761-a803047a8e42",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--ba00f8d2-3017-4fdd-9692-f4f7125e12bd",
+    "id": "bundle--690e2033-3c31-4377-8959-b320b6972c33",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--de75876b-4b73-4371-a4ba-cecda03cd3c6",
+    "id": "bundle--025ea13d-e5d5-43e2-bf0c-143316cab4c3",
    "spec_version": "2.0",
    "objects": [
        {
@@ -0,0 +1,67 @@
+{
+    "type": "bundle",
+    "id": "bundle--2e6e4126-d93b-4110-a786-47067632bbef",
+    "spec_version": "2.0",
+    "objects": [
+        {
+            "modified": "2023-09-28T15:36:11.282Z",
+            "name": "Application Versioning",
+            "description": "An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer\u2019s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "initial-access"
+                },
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "defense-evasion"
+                }
+            ],
+            "x_mitre_contributors": [
+                "Edward Stevens, BT Security",
+                "Adam Lichters"
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
+            "x_mitre_platforms": [
+                "Android",
+                "iOS"
+            ],
+            "x_mitre_version": "1.0",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
+            ],
+            "type": "attack-pattern",
+            "id": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258",
+            "created": "2023-09-21T22:16:38.002Z",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
+            "external_references": [
+                {
+                    "source_name": "mitre-attack",
+                    "url": "https://attack.mitre.org/techniques/T1661",
+                    "external_id": "T1661"
+                },
+                {
+                    "source_name": "android_app_breaking_bad",
+                    "description": "Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved August 28, 2023.",
+                    "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"
+                },
+                {
+                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html",
+                    "external_id": "SPC-20"
+                }
+            ],
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            ],
+            "x_mitre_attack_spec_version": "3.2.0",
+            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+        }
+    ]
+}
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--abcb1e01-57be-4f32-9606-363d67531173",
+    "id": "bundle--bf8a42f8-3e87-4992-84de-aa263cf9cce6",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--535102c6-cbaa-4c5f-97e8-1dafb004c46e",
+    "id": "bundle--5182df3b-f585-446a-b954-597c42306fd8",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T15:16:19.547Z",
+            "modified": "2023-08-07T22:15:34.693Z",
            "name": "Command and Scripting Interpreter",
            "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "1.1",
+            "x_mitre_version": "1.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a3fe9a28-0422-4602-b6eb-7b939d99848a",
+    "id": "bundle--3f91f4b0-0b49-467d-a0de-1abf32693a4f",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--499d81c3-c10a-4402-9be2-5fc04bff5654",
+    "id": "bundle--32cac775-da6a-4b5a-aecc-2e204c14f618",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:43:44.687Z",
+            "modified": "2023-08-14T16:21:05.728Z",
            "name": "Ingress Tool Transfer",
            "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel  or through alternate protocols with another tool such as FTP.",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "2.1",
+            "x_mitre_version": "2.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,53 +1,53 @@
 {
    "type": "bundle",
-    "id": "bundle--072baa3c-d82d-4553-b4ce-288cca6f31c7",
+    "id": "bundle--9004d3d2-736a-439a-ab28-ea5d185b5762",
    "spec_version": "2.0",
    "objects": [
        {
+            "modified": "2023-08-14T16:19:34.225Z",
+            "name": "Dynamic Resolution",
+            "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "command-and-control"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
-            "x_mitre_domains": [
-                "mobile-attack"
-            ],
-            "object_marking_refs": [
-                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            "x_mitre_version": "1.1",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26",
            "created": "2022-04-05T19:57:15.734Z",
-            "x_mitre_version": "1.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
-                    "external_id": "T1637",
-                    "url": "https://attack.mitre.org/techniques/T1637"
+                    "url": "https://attack.mitre.org/techniques/T1637",
+                    "external_id": "T1637"
                },
                {
                    "source_name": "Data Driven Security DGA",
-                    "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/",
-                    "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019."
+                    "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
+                    "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
                }
            ],
-            "x_mitre_deprecated": false,
-            "revoked": false,
-            "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
-            "modified": "2022-04-05T19:57:15.734Z",
-            "name": "Dynamic Resolution",
-            "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.",
-            "kill_chain_phases": [
-                {
-                    "phase_name": "command-and-control",
-                    "kill_chain_name": "mitre-mobile-attack"
-                }
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
-            "x_mitre_is_subtechnique": false,
-            "x_mitre_tactic_type": [
-                "Post-Adversary Device Access"
-            ],
-            "x_mitre_attack_spec_version": "2.1.0",
-            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--0f177646-b457-40d7-8319-45a4e3260711",
+    "id": "bundle--99418594-613f-4159-9c17-339a88f47122",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--d64dd489-ad2a-4e58-9b1b-70557f581651",
+    "id": "bundle--6b15f81a-533a-43bd-b0a6-46361fe9ecf2",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--bb39b3e3-09e3-4a90-a096-b2397cf8e76d",
+    "id": "bundle--5a844a07-cf61-467c-92e9-af98132da0a8",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,53 +1,53 @@
 {
    "type": "bundle",
-    "id": "bundle--6b1b8127-400d-45f9-85f4-946706fab667",
+    "id": "bundle--5df9acbb-d982-49f0-82cb-7fcb2f2575e6",
    "spec_version": "2.0",
    "objects": [
        {
+            "modified": "2023-08-14T16:41:52.000Z",
+            "name": "Exfiltration Over C2 Channel",
+            "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "exfiltration"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
-            "x_mitre_domains": [
-                "mobile-attack"
-            ],
-            "object_marking_refs": [
-                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            "x_mitre_version": "1.1",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
            "created": "2022-04-01T15:43:45.913Z",
-            "x_mitre_version": "1.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
-                    "external_id": "T1646",
-                    "url": "https://attack.mitre.org/techniques/T1646"
+                    "url": "https://attack.mitre.org/techniques/T1646",
+                    "external_id": "T1646"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
                    "external_id": "APP-29"
                }
            ],
-            "x_mitre_deprecated": false,
-            "revoked": false,
-            "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
-            "modified": "2022-04-08T16:25:44.552Z",
-            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
-            "name": "Exfiltration Over C2 Channel",
-            "x_mitre_detection": "Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
-            "kill_chain_phases": [
-                {
-                    "phase_name": "exfiltration",
-                    "kill_chain_name": "mitre-mobile-attack"
-                }
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
-            "x_mitre_is_subtechnique": false,
-            "x_mitre_tactic_type": [
-                "Post-Adversary Device Access"
-            ],
-            "x_mitre_attack_spec_version": "2.1.0",
+            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
@@ -1,12 +1,12 @@
 {
    "type": "bundle",
-    "id": "bundle--747e06fb-5a1d-4c83-9a58-883cef87ee6b",
+    "id": "bundle--620ab985-f7c4-4d76-8d09-a2ec4d878c9d",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:49:53.301Z",
+            "modified": "2023-09-08T19:20:13.836Z",
            "name": "Exploitation for Privilege Escalation",
-            "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ",
+            "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--13bb4ad6-7ab7-4e72-8093-1671dd1697ae",
+    "id": "bundle--c34baf16-f168-4193-b53d-5d31712872ae",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-16T18:31:37.189Z",
+            "modified": "2023-08-10T21:57:52.009Z",
            "name": "Call Control",
            "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.",
            "kill_chain_phases": [
@@ -33,7 +33,7 @@
            "x_mitre_platforms": [
                "Android"
            ],
-            "x_mitre_version": "1.1",
+            "x_mitre_version": "1.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,53 +1,53 @@
 {
    "type": "bundle",
-    "id": "bundle--c3772b48-78cf-455b-98b8-7e32b8a36d47",
+    "id": "bundle--15dd12a9-2398-4f37-955a-fd5782ab3bec",
    "spec_version": "2.0",
    "objects": [
        {
+            "modified": "2023-08-14T16:40:40.166Z",
+            "name": "Exfiltration Over Unencrypted Non-C2 Protocol",
+            "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "exfiltration"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": true,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
-            "x_mitre_domains": [
-                "mobile-attack"
-            ],
-            "object_marking_refs": [
-                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            "x_mitre_version": "1.1",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120",
            "created": "2022-04-06T13:22:57.683Z",
-            "x_mitre_version": "1.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
-                    "external_id": "T1639.001",
-                    "url": "https://attack.mitre.org/techniques/T1639/001"
+                    "url": "https://attack.mitre.org/techniques/T1639/001",
+                    "external_id": "T1639.001"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
                    "external_id": "APP-30"
                }
            ],
-            "x_mitre_deprecated": false,
-            "revoked": false,
-            "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.",
-            "modified": "2022-04-06T13:23:10.087Z",
-            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
-            "name": "Exfiltration Over Unencrypted Non-C2 Protocol",
-            "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
-            "kill_chain_phases": [
-                {
-                    "phase_name": "exfiltration",
-                    "kill_chain_name": "mitre-mobile-attack"
-                }
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
-            "x_mitre_is_subtechnique": true,
-            "x_mitre_tactic_type": [
-                "Post-Adversary Device Access"
-            ],
-            "x_mitre_attack_spec_version": "2.1.0",
+            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--30e2a6c9-a3c5-429c-aaa8-edc6e64af1ff",
+    "id": "bundle--b3dd4d9b-8146-4222-aa3f-6841452d9b20",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--72b54946-3c9d-479e-8d3d-56dac8ab37dd",
+    "id": "bundle--f71622d4-3d62-4d3a-bb5a-43296238cad8",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--03b172d0-b763-4fd9-928a-b9e77b2faf0c",
+    "id": "bundle--62a7e7d2-bc92-4f4a-850a-da432771489f",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--2e8fc769-2a3a-4f1c-9315-a3531d4d215b",
+    "id": "bundle--8093336d-1d73-4356-bd2f-bf689dd11ee2",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--711dac91-c675-4d46-82b9-58352938850a",
+    "id": "bundle--0dc070ad-97d7-46fb-b22c-cc63cb3d3c9a",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--4af85987-f026-4f22-93fb-c69fbf612d1f",
+    "id": "bundle--eeadbafd-d7cf-486a-8b2a-ec65859da1b3",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,53 +1,53 @@
 {
    "type": "bundle",
-    "id": "bundle--c15e415b-3faa-4629-ab16-cf7b7eb0a0d3",
+    "id": "bundle--fb4d88b6-24a1-4c4b-82e3-4775e1cef050",
    "spec_version": "2.0",
    "objects": [
        {
+            "modified": "2023-08-14T16:39:22.707Z",
+            "name": "Exfiltration Over Alternative Protocol",
+            "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "exfiltration"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
-            "x_mitre_domains": [
-                "mobile-attack"
-            ],
-            "object_marking_refs": [
-                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            "x_mitre_version": "1.1",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d",
            "created": "2022-04-06T13:19:33.785Z",
-            "x_mitre_version": "1.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
-                    "external_id": "T1639",
-                    "url": "https://attack.mitre.org/techniques/T1639"
+                    "url": "https://attack.mitre.org/techniques/T1639",
+                    "external_id": "T1639"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
                    "external_id": "APP-30"
                }
            ],
-            "x_mitre_deprecated": false,
-            "revoked": false,
-            "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ",
-            "modified": "2022-04-29T17:29:00.038Z",
-            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
-            "name": "Exfiltration Over Alternative Protocol",
-            "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
-            "kill_chain_phases": [
-                {
-                    "phase_name": "exfiltration",
-                    "kill_chain_name": "mitre-mobile-attack"
-                }
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
-            "x_mitre_is_subtechnique": false,
-            "x_mitre_tactic_type": [
-                "Post-Adversary Device Access"
-            ],
-            "x_mitre_attack_spec_version": "2.1.0",
+            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--c344b53e-edd5-41ae-9969-5ae74cdf6e9d",
+    "id": "bundle--0dd4aea4-1fc9-45ed-84cc-304bf7c21626",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--50ec704b-6666-4888-91bb-fc0b35b48313",
+    "id": "bundle--880f306c-4ed1-4b7c-9a43-553982d11c59",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--2c92a035-b376-4916-9a8e-a6be05d0ad78",
+    "id": "bundle--f5bf4f56-8156-4ca6-8c7e-e1d098c7545e",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--3f75ef21-2ca3-4e52-bc2a-c39b26f6d60e",
+    "id": "bundle--fb75455c-ef59-4689-9a65-741650c691d0",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--9b027c7d-ffd3-490f-a683-62853260ce2e",
+    "id": "bundle--d7b1ef7c-36f3-4413-ae66-288cbee74561",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--3c0ecefe-47c9-48f0-83dc-bfc47c10c940",
+    "id": "bundle--662888de-1e2a-40a1-8a2e-25901ec589c8",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--068b5f5d-8a4f-401a-8b73-bf99bfd104c8",
+    "id": "bundle--4bf98011-bae5-4158-b858-28d93b289b61",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--5a524082-c610-4933-84f3-1108001e862d",
+    "id": "bundle--d85ac3e5-620a-4161-b5f7-17c9d83e2df5",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--869382e9-f57d-49f3-b3ab-0ebd9e39a63c",
+    "id": "bundle--d367b7f6-a602-4f2f-8cc0-6af5c53e1d42",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--c601fc44-69c8-4116-a10f-ff47930af628",
+    "id": "bundle--9d8ab387-7af3-4d20-ae0d-860e06b71f03",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--7874bcb4-393d-437a-b1d6-b5f10197bec4",
+    "id": "bundle--c8b5383a-af55-4af1-bf7f-930b81ef6b2c",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--fa2033d6-3bec-4aef-9f3c-5e5dd3b7e4cd",
+    "id": "bundle--6dc8c19d-956c-42e1-8523-df78483206e7",
    "spec_version": "2.0",
    "objects": [
        {
@@ -0,0 +1,52 @@
+{
+    "type": "bundle",
+    "id": "bundle--1995bfed-698b-41b4-8c52-ecfc1706c9db",
+    "spec_version": "2.0",
+    "objects": [
+        {
+            "modified": "2023-09-28T17:02:58.893Z",
+            "name": "Exploitation for Client Execution",
+            "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery  \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.  ",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "execution"
+                }
+            ],
+            "x_mitre_contributors": [
+                "Giorgi Gurgenidze, ISAC"
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
+            "x_mitre_platforms": [
+                "Android",
+                "iOS"
+            ],
+            "x_mitre_version": "1.0",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
+            ],
+            "type": "attack-pattern",
+            "id": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b",
+            "created": "2023-08-23T22:13:27.313Z",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
+            "external_references": [
+                {
+                    "source_name": "mitre-attack",
+                    "url": "https://attack.mitre.org/techniques/T1658",
+                    "external_id": "T1658"
+                }
+            ],
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            ],
+            "x_mitre_attack_spec_version": "3.2.0",
+            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+        }
+    ]
+}
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--00ba31b8-1dba-49c2-9223-4e4eb1260369",
+    "id": "bundle--ce7a1a3f-9d4e-4e9b-bb5f-af338f90c2d4",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--d668b9e7-2ecd-4d20-a1fe-9ef47a368e4c",
+    "id": "bundle--0b5bc4f8-628c-4ce9-ab6f-fccf8f039181",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--2c72f9bc-1b57-4ff1-ac0f-752cf51a4c7d",
+    "id": "bundle--a71ba685-6c20-4eca-9c62-18d24f37d63d",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--2c9754ff-99f0-443e-a86e-a79baa04973f",
+    "id": "bundle--3d49b00d-8f16-4376-b2a9-52e569c1f209",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--e04e05b0-879a-4dc6-8f34-c3660ee16ae8",
+    "id": "bundle--f30a039f-6ac9-4528-8031-205fd65aea6d",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,92 +1,92 @@
 {
    "type": "bundle",
-    "id": "bundle--8185466b-cd0c-4b69-980b-7945622a30ce",
+    "id": "bundle--3c7d48b2-a48b-494b-a1fa-c97a55cd44a1",
    "spec_version": "2.0",
    "objects": [
        {
+            "modified": "2023-08-07T17:13:04.396Z",
+            "name": "Replication Through Removable Media",
+            "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ",
+            "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "initial-access"
+                },
+                {
+                    "kill_chain_name": "mitre-mobile-attack",
+                    "phase_name": "lateral-movement"
+                }
+            ],
+            "x_mitre_deprecated": false,
+            "x_mitre_detection": "",
+            "x_mitre_domains": [
+                "mobile-attack"
+            ],
+            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
-            "x_mitre_domains": [
-                "mobile-attack"
-            ],
-            "object_marking_refs": [
-                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+            "x_mitre_version": "2.1",
+            "x_mitre_tactic_type": [
+                "Post-Adversary Device Access"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
            "created": "2017-10-25T14:48:23.233Z",
-            "x_mitre_version": "2.0",
+            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
-                    "external_id": "T1458",
-                    "url": "https://attack.mitre.org/techniques/T1458"
+                    "url": "https://attack.mitre.org/techniques/T1458",
+                    "external_id": "T1458"
                },
                {
                    "source_name": "Krebs-JuiceJacking",
-                    "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/",
-                    "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016."
+                    "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.",
+                    "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"
                },
                {
                    "source_name": "GoogleProjectZero-OATmeal",
-                    "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html",
-                    "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018."
+                    "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.",
+                    "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html"
                },
                {
                    "source_name": "Lau-Mactans",
-                    "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf",
-                    "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016."
+                    "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.",
+                    "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"
                },
                {
                    "source_name": "Computerworld-iPhoneCracking",
-                    "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html",
-                    "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018."
+                    "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018.",
+                    "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html"
                },
                {
                    "source_name": "IBM-NexusUSB",
-                    "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/",
-                    "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017."
+                    "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.",
+                    "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
                    "external_id": "PHY-1"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
                    "external_id": "PHY-2"
                },
                {
-                    "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html",
                    "source_name": "NIST Mobile Threat Catalogue",
+                    "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html",
                    "external_id": "STA-6"
                }
            ],
-            "x_mitre_deprecated": false,
-            "revoked": false,
-            "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ",
-            "modified": "2022-04-08T15:53:11.864Z",
-            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
-            "name": "Replication Through Removable Media",
-            "x_mitre_detection": "",
-            "kill_chain_phases": [
-                {
-                    "phase_name": "initial-access",
-                    "kill_chain_name": "mitre-mobile-attack"
-                },
-                {
-                    "phase_name": "lateral-movement",
-                    "kill_chain_name": "mitre-mobile-attack"
-                }
+            "object_marking_refs": [
+                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
-            "x_mitre_is_subtechnique": false,
-            "x_mitre_tactic_type": [
-                "Post-Adversary Device Access"
-            ],
-            "x_mitre_attack_spec_version": "2.1.0",
+            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--589484b8-8d61-442e-bef7-fbb3a9311131",
+    "id": "bundle--4a67a0a9-df57-4add-9ad3-24dbb25c51bf",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--177e4394-2b22-4420-b6c4-d12df8c33dca",
+    "id": "bundle--50f5ff5c-daa5-42da-89b8-65b35b9150e9",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--6028e15a-f8c2-4b13-a016-6c55698fe8da",
+    "id": "bundle--2ba4efd0-68f4-443b-82e2-107dcc82624c",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:41:18.389Z",
+            "modified": "2023-08-07T22:48:30.418Z",
            "name": "Unix Shell",
            "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.  ",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "1.1",
+            "x_mitre_version": "1.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--e4c9fa20-efc7-41f7-86d4-e44de9d2a27f",
+    "id": "bundle--905be0f1-287b-4cef-aa0c-0b9aef3ab6da",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--95ef1e11-0287-42e1-9a3a-249793a11aef",
+    "id": "bundle--ebd13b09-75d0-4e0a-894c-0eca4aac3beb",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--353f142f-79a9-45cf-9324-359f0695a313",
+    "id": "bundle--88931d90-e761-45ad-aa25-b45f39a4a615",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:21:59.494Z",
+            "modified": "2023-08-08T16:23:41.271Z",
            "name": "Download New Code at Runtime",
            "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "1.4",
+            "x_mitre_version": "1.5",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--5f283ecd-9ed4-4c0c-a229-0f6eec016483",
+    "id": "bundle--9c6f1342-6053-4f79-8100-fc1511869164",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--a0995a89-fd26-4ca5-a7ce-15ee2a7c1b24",
+    "id": "bundle--b469bd99-222e-4cc8-bd43-731f458ef270",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--81a94fb4-b76e-427e-9650-dbd4e22ec565",
+    "id": "bundle--6e5b1853-a595-4b04-8e12-00b4ae87d478",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--6b6d8958-c145-4ee1-b7b8-72e66fd69463",
+    "id": "bundle--4a2dd755-8ea0-4026-b9c4-f70cb02dcf83",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--e57b0263-d91e-44a2-965c-ec0bff2f3d02",
+    "id": "bundle--af9bb367-e1ae-46c5-b3b9-4c86faf31b09",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--3abe3859-72d9-42f2-8189-fc7550ce73ad",
+    "id": "bundle--3c14a18d-2b96-4b9c-8c21-661edc8cd07c",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--34ce7135-5070-4baf-a62b-60580faf6a69",
+    "id": "bundle--1d391c96-acc4-423d-8e76-16414de96e69",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--b5d1f2b9-c39f-4461-88b9-709ecc1364b9",
+    "id": "bundle--5e4cb734-bf52-4cc8-b8bb-51a7e516087f",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--ae7e3bbf-dc29-4671-8f86-7f51c99e360b",
+    "id": "bundle--fe61137a-f545-4632-a970-e50634338007",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--e84098c4-1f25-4d12-89a6-497700ecf566",
+    "id": "bundle--b1487b7c-da5d-4f7f-99fa-7761fb23c4ec",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--46831905-767b-4bd6-9a43-5a13a5a77979",
+    "id": "bundle--54557e26-78fb-4f89-b947-77abd3b1717d",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--38e4df58-d165-45a2-8c1b-6fc4f74b26e2",
+    "id": "bundle--800c5bfb-aa76-430c-b3bd-130d5dd59f7f",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--99526fbd-1faa-4954-b583-69f08029ea29",
+    "id": "bundle--22a0c446-ab31-4921-bed8-4ea50cbea3ca",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--f94db3be-2ae7-403b-94ea-6a7d5ddc1b92",
+    "id": "bundle--6834b6f8-c7e9-47c9-9605-d803c1de5ed3",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--b02bf35e-b16e-4d01-8cd3-8cd44d16a581",
+    "id": "bundle--e7ad3f6f-1f81-46a0-b0ba-f68f1828554e",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--65aab7a7-ba96-422b-84a8-37f5c5b45f63",
+    "id": "bundle--84da80a5-ec31-4560-8ac4-cda7346b1419",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--b8c26e6e-d1e0-4103-9085-ac664ec930d9",
+    "id": "bundle--556dc158-ecaa-4f0b-8c1f-f0f68e81bb8d",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--72f58244-881f-4ea1-8b41-ceffd77ab217",
+    "id": "bundle--8fd30592-6273-4d8d-8840-c0e03fea0642",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--9224ff18-c785-4f06-9ce9-d82f763e2dc3",
+    "id": "bundle--a787f077-cde0-49c0-95e2-22e9ecf9610d",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--8bb97d20-ab93-41ad-9962-fe0ad404c969",
+    "id": "bundle--0e631253-5889-464c-9d8a-1820e629760a",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--566840bf-5cce-4b63-afdb-316516951088",
+    "id": "bundle--c0f58a40-8dfb-40d0-82b7-e662944b9452",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--4265e351-99be-46c2-a5c0-77608f8f7cce",
+    "id": "bundle--396f2e20-cd3a-41dd-9c23-c29c79d42553",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--2d251495-b6de-4b46-a3a8-8638c9e5544b",
+    "id": "bundle--b52e8c3b-7edb-46f1-9518-50a4296a4a81",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-16T13:32:55.266Z",
+            "modified": "2023-08-14T16:34:55.968Z",
            "name": "Bidirectional Communication",
            "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "1.1",
+            "x_mitre_version": "1.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
@@ -1,12 +1,12 @@
 {
    "type": "bundle",
-    "id": "bundle--88fc80dc-59ea-4004-ae7a-69e4a76376b8",
+    "id": "bundle--24671fbe-11c3-4924-8cd9-fd7cd570127c",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T18:51:58.228Z",
+            "modified": "2023-09-08T19:21:40.736Z",
            "name": "Non-Standard Port",
-            "description": "Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
+            "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
@@ -1,6 +1,6 @@
 {
    "type": "bundle",
-    "id": "bundle--9033a6b3-2ee7-4493-b51f-ae88ae9621c4",
+    "id": "bundle--e1e3a3e7-c044-4fb6-bc27-23244a94e259",
    "spec_version": "2.0",
    "objects": [
        {
@@ -1,10 +1,10 @@
 {
    "type": "bundle",
-    "id": "bundle--475a4bb8-d63f-4ad0-9c68-f386024a0843",
+    "id": "bundle--c05012bf-0613-4391-b16f-5dba34e8ad63",
    "spec_version": "2.0",
    "objects": [
        {
-            "modified": "2023-03-20T15:56:04.790Z",
+            "modified": "2023-08-14T16:33:56.861Z",
            "name": "Dead Drop Resolver",
            "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ",
            "kill_chain_phases": [
@@ -23,7 +23,7 @@
                "Android",
                "iOS"
            ],
-            "x_mitre_version": "1.1",
+            "x_mitre_version": "1.2",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
--- a/Show More
+++ b/Show More