diff --git a/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json b/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json
index 92ce5e494a..b0d52dfedc 100644
--- a/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json
+++ b/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--51a96195-406c-4369-85b1-c01bacd1299c",
+ "id": "bundle--b9a24c99-a7c0-4b31-8658-fb17757bbcc5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,27 +8,28 @@
 "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d",
 "created": "2020-11-04T16:43:31.619Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
 "url": "https://attack.mitre.org/techniques/T1603",
 "external_id": "T1603"
 },
- {
- "source_name": "Android WorkManager",
- "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.",
- "url": "https://developer.android.com/topic/libraries/architecture/workmanager"
- },
 {
 "source_name": "Apple NSBackgroundActivityScheduler",
 "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.",
 "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler"
+ },
+ {
+ "source_name": "Android WorkManager",
+ "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.",
+ "url": "https://developer.android.com/topic/libraries/architecture/workmanager"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:26.617Z",
+ "modified": "2025-10-24T17:48:18.936Z",
 "name": "Scheduled Task/Job",
 "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)",
 "kill_chain_phases": [
@@ -41,12 +42,12 @@
 "phase_name": "persistence"
 }
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_contributors": [
 "Lorin Wu, Trend Micro"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json b/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json
index e732b577fd..fb6f6efd88 100644
--- a/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json
+++ b/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f3f6b6d5-b99c-4576-9c4f-3cbd225a053b",
+ "id": "bundle--d8e69099-0094-4da6-bee9-85cb8ad00f00",
 "spec_version": "2.0",
 "objects": [
 {
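Review bot: The `@@ -41,12 +42,12 @@` hunk replaces the `x_mitre_detection` text with `""` instead of dropping the key, so a consumer cannot tell "no detection guidance exists" from "field not populated". The same blanking recurs in the other attack-pattern files of this diff, and `attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json` gains a new `"x_mitre_detection": ""` where it had no such key before. If the guidance has moved to another object type (not visible in this diff), omitting the key would state that more clearly than an empty string. This object also bumps `x_mitre_attack_spec_version` to `3.3.0` while the other objects receiving the identical edit stay at `3.2.0`, which looks inconsistent for objects written by the same export.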
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:35.582Z",
+ "modified": "2025-10-24T17:48:20.267Z",
 "name": "Code Injection",
 "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n",
 "kill_chain_phases": [
@@ -53,7 +53,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json b/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json
index 5bbd02c11c..ee34c9ef7d 100644
--- a/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json
+++ b/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json
@@ -1,32 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--d0e94233-4538-442d-9d99-92af56f6524a",
+ "id": "bundle--e6130947-8929-4522-bd36-6aaffd83d205",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2024-02-07T18:10:46.887Z",
- "name": "Adversary-in-the-Middle",
- "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_version": "2.2",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13",
 "created": "2022-04-05T20:11:08.894Z",
@@ -87,8 +64,31 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-10-24T17:48:21.401Z",
+ "name": "Adversary-in-the-Middle",
+ "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ }
+ ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "2.2",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json b/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json
index 68b68dfac5..a92847fda2 100644
--- a/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json
+++ b/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e043a6b9-15b4-4fe8-951b-d5934fe56303",
+ "id": "bundle--489a61cc-6050-4d9d-98dc-fc326410ce65",
 "spec_version": "2.0",
 "objects": [
 {
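Review bot: The re-added `description` in the `@@ -87,8 +64,31 @@` hunk still spells the Android permission as `READ_EXTERNAL STORAGE` (a space where the underscore belongs) and reads "firsts requests for access". Since the line is being rewritten by this commit anyway, it should read `READ_EXTERNAL_STORAGE` and "first requests access", so that anyone matching manifest permissions against this text gets the real identifier. The same hunk also empties `x_mitre_detection`, which here held concrete vetting guidance (applications requesting VPN access, untrusted certificates on rogue Wi-Fi access points); whether that guidance now lives in a separate object is not visible from this file.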
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:43.814Z",
+ "modified": "2025-10-24T17:48:21.493Z",
 "name": "Abuse Elevation Control Mechanism",
 "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json b/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json
index 58e1d2af50..63f6f4ac63 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--77d954ea-653a-4932-aac5-d2044d08d3a3",
+ "id": "bundle--97a3ff6e-34e0-41e4-84b0-cdf19bc1dec6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json b/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json
deleted file mode 100644
index 76c63c4921..0000000000
--- a/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--aa214418-46bf-4be8-b565-54ad0ee7f363",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "attack-pattern",
- "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
- "created": "2017-10-25T14:48:08.155Z",
- "revoked": true,
- "external_references": [
- {
- "source_name": "mitre-mobile-attack",
- "url": "https://attack.mitre.org/techniques/T1454",
- "external_id": "T1454"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-25T15:16:27.255Z",
- "name": "Malicious SMS Message",
- "description": "Test",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Android"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json b/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json
index 714f650b2a..6ea1dfe045 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3ca9a3de-a447-45b9-8400-9e89dfd738d8",
+ "id": "bundle--932bc703-242c-4fec-b912-f28112397b84",
 "spec_version": "2.0",
 "objects": [
 {
@@ -39,7 +39,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:35.994Z",
+ "modified": "2025-10-24T17:48:22.923Z",
 "name": "Obtain Device Cloud Backups",
 "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.",
 "kill_chain_phases": [
@@ -50,7 +50,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json b/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json
index d341720143..5178983d1c 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--99273979-078d-4af5-b126-0fd4372344d2",
+ "id": "bundle--63dc2355-4a16-4349-8ec9-6434a5c6fa82",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:44.210Z",
+ "modified": "2025-10-24T17:48:23.278Z",
 "name": "Uninstall Malicious Application",
 "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json b/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json
index 5a6e6ddd84..9892328ef3 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3df9eb2c-e7ee-47cb-bd69-3d15fbd3af9a",
+ "id": "bundle--4da9dfef-45ba-47d6-a84d-1a465a7cbcfa",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:44.391Z",
+ "modified": "2025-10-24T17:48:23.556Z",
 "name": "Indicator Removal on Host",
 "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json b/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json
index 226be9f082..1dcc69455f 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json
@@ -1,32 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--c2c492c1-455c-44e9-af82-a3bf6dac2de2",
+ "id": "bundle--645cd524-7529-4051-aac3-f7021ae58be6",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2024-11-17T13:32:52.029Z",
- "name": "Supply Chain Compromise",
- "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_version": "2.1",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
 "created": "2018-10-17T00:14:20.652Z",
@@ -167,8 +144,31 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-10-24T17:48:23.643Z",
+ "name": "Supply Chain Compromise",
+ "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "initial-access"
+ }
+ ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "2.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json b/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json
index 76eb8e2eb9..6c0ea74a56 100644
--- a/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json
+++ b/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json
@@ -1,33 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--adc93276-f8ed-4489-8872-106a9e1b373a",
+ "id": "bundle--3ea64bf2-3508-4ca1-8921-da967eeda36d",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2025-01-21T16:22:43.947Z",
- "name": "Impersonate SS7 Nodes",
- "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "collection"
- },
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_version": "1.1",
 "type": "attack-pattern",
 "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7",
 "created": "2022-04-05T19:49:58.938Z",
@@ -77,8 +53,32 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-10-24T17:48:24.309Z",
+ "name": "Impersonate SS7 Nodes",
+ "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "discovery"
+ }
+ ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json b/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json
index 1b770cf161..0387f92ffd 100644
--- a/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json
+++ b/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a5d36ffd-ecab-4480-9695-e322c558dffa",
+ "id": "bundle--2694046f-b76d-48e9-947c-af2eb3c17ece",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json b/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json
index f349535a11..1d30c6d66f 100644
--- a/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json
+++ b/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--50571c48-f515-43aa-b52e-007f00dda6d6",
+ "id": "bundle--ca5c379d-4be2-48f6-9dfe-6d781eacc406",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,10 +18,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:27.908Z",
+ "modified": "2025-10-24T17:48:25.548Z",
 "name": "Insecure Third-Party Libraries",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json b/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json
index 3db2f51d14..aee80dd515 100644
--- a/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json
+++ b/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--26e4e6c3-04cb-40b9-b6ed-64a828067933",
+ "id": "bundle--0dbce179-855b-486e-8204-f66012e8bcb9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:44.829Z",
+ "modified": "2025-10-24T17:48:25.642Z",
 "name": "Protected User Data",
 "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json b/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json
index 956b3e7746..e1325bc79f 100644
--- a/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json
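Review bot: The second hunk here replaces the `x_mitre_detection` text for Protected User Data with `""`, and the same blanking recurs in the hunks for Asymmetric Cryptography, Software Discovery, Process Discovery, Call Log, Security Software Discovery, Ptrace System Calls, Impair Defenses, Exploitation of Remote Services, Web Protocols and Steal Application Access Token. Nothing visible in this diff shows where that guidance goes, so unless other objects in the same release carry it, consumers that read this field lose the permission-review and app-vetting advice (for example the `RECEIVE_SMS` and `android.permission.READ_CALL_LOG` checks). Keeping the key with an empty string also makes "no guidance exists" indistinguishable from "guidance moved"; I would either omit the key or name the replacement in the release notes. Some removed texts carried citations (`Samsung Knox Mobile Threat Defense`, `IETF-OAuthNativeApps`, `Android-AppLinks`), so the matching `external_references` entries, which lie outside these hunks, may now be unreferenced.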
+++ b/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--89f6c519-547d-47ce-a924-6562bd169979",
+ "id": "bundle--97763594-f82c-4121-ac99-39d29c899794",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,7 +18,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:44.987Z",
+ "modified": "2025-10-24T17:48:26.898Z",
 "name": "Asymmetric Cryptography",
 "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).",
 "kill_chain_phases": [
@@ -29,7 +29,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json b/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json
index 4048a48fd1..f052877401 100644
--- a/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json
+++ b/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8e1fec25-02ea-41dd-be98-ff618681a31e",
+ "id": "bundle--a32ce865-86c1-4f75-8a0f-ce7cfd1d65d6",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.152Z",
+ "modified": "2025-10-24T17:48:27.789Z",
 "name": "Software Discovery",
 "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json b/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json
index 25014c4270..58730547bd 100644
--- a/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json
+++ b/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--29f55549-32db-4659-9a54-f21b414ff1aa",
+ "id": "bundle--d8113551-aac7-4e5e-bf3a-34452df62a09",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.337Z",
+ "modified": "2025-10-24T17:48:28.244Z",
 "name": "Process Discovery",
 "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json b/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json
index 34ef07ed6b..5597198109 100644
--- a/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json
+++ b/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2de73dd6-ad1a-443c-aba5-c08a68e8f3ac",
+ "id": "bundle--bdbeace3-5e7f-448b-aef8-ec2a30602fee",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.503Z",
+ "modified": "2025-10-24T17:48:29.311Z",
 "name": "Call Log",
 "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json b/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json
index bbc4ba91ce..8be647c509 100644
--- a/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json
+++ b/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e0377146-02bd-4b0f-b90e-38265c5d9109",
+ "id": "bundle--d9fa51c5-4997-4e70-bf07-6f907d2c174a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.687Z",
+ "modified": "2025-10-24T17:48:29.485Z",
 "name": "Security Software Discovery",
 "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json b/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json
index 76a1180373..d3a0bb8a4b 100644
--- a/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json
+++ b/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b6e27845-b51c-4cae-9ed2-8651f62bd8e5",
+ "id": "bundle--b0ff9a20-f6c5-4cab-b9e7-ec36e3946754",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,10 +18,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:28.664Z",
+ "modified": "2025-10-24T17:48:30.211Z",
 "name": "App Delivered via Email Attachment",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json b/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json
index 22e0fed4cb..277f4eb7b8 100644
--- a/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json
+++ b/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3cc5bf47-9c83-41a3-aa37-13f49804224f",
+ "id": "bundle--0fa6a848-9e77-46fe-adb6-cf4abe883d34",
 "spec_version": "2.0",
 "objects": [
 {
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.841Z",
+ "modified": "2025-10-24T17:48:30.394Z",
 "name": "Ptrace System Calls",
 "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.",
 "kill_chain_phases": [
@@ -49,7 +49,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json b/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json
index 253e9fa72f..74961207bc 100644
--- a/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8553cd28-71aa-4cd6-8196-8c2966818f40",
+ "id": "bundle--d75b477f-514d-48d8-b318-a16df1eb0516",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:45.996Z",
+ "modified": "2025-10-24T17:48:30.589Z",
 "name": "Impair Defenses",
 "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.",
 "kill_chain_phases": [
@@ -40,7 +40,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json b/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json
index af911c571b..3a4c8cba37 100644
--- a/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--26d8a0c3-fd0e-45f1-b974-95ea8771094d",
+ "id": "bundle--75c53808-a7cb-40c9-8298-c3c6e07cf0a1",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,34 +8,30 @@ "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1453", "external_id": "T1453" }, { - "source_name": "Skycure-Accessibility", - "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", - "url": "https://www.skycure.com/blog/accessibility-clickjacking/" + "source_name": "Google_AndroidAcsOverview", + "description": "Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.", + "url": "https://support.google.com/accessibility/android/answer/6006564?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA" }, { - "source_name": "android-trojan-steals-paypal-2fa", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", - "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" - }, - { - "source_name": "banking-trojans-google-play", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019.", - "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/" + "source_name": "SahinSRLabs_FluBot_Dec2021", + "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. 
Retrieved April 16, 2025.", + "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:29.002Z", + "modified": "2025-10-27T17:12:01.143Z", "name": "Abuse Accessibility Features", - "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", + "description": "Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device\u2019s user interface, such as changing the font size and adjusting contract or colors.(Citation: Google_AndroidAcsOverview) \n\nOne example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. 
The user types their credentials in the overlay HTML object, which is then sent to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) \n\nAnother example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends it to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) This method of attack is also described in [Keylogging](https://attack.mitre.org/techniques/T1417/001); whereas [Abuse Accessibility Features](https://attack.mitre.org/techniques/T1453) captures the overall abuse of accessibility features. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -44,21 +40,15 @@ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ - "Luk\u00e1\u0161 \u0160tefanko, ESET" + "Luk\u00e1\u0161 \u0160tefanko, ESET", + "Liran Ravich, CardinalOps" ], - "x_mitre_deprecated": true, + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -67,10 +57,7 @@ "x_mitre_platforms": [ "Android" ], - "x_mitre_version": "2.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ] + "x_mitre_version": "3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json b/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json index 90d0d2c79a..70e401a2ed 100644 --- a/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json +++ b/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json 
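Review bot: In the first hunk of this file the added `url` for `Google_AndroidAcsOverview` keeps the query string `?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA`, which looks like locale and per-visit tracking state copied from a browser rather than part of the citation; the reference would presumably be more stable as `"url": "https://support.google.com/accessibility/android/answer/6006564"`. The new `description` in the same hunk reads "adjusting contract or colors", which is presumably meant to be "contrast". The following hunk flips the technique to `"x_mitre_deprecated": false` while adding `"x_mitre_detection": ""`, so the revived entry gives defenders no detection guidance unless it is attached elsewhere in the release.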
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a7850175-b3f4-4b53-8992-c7fb2b044c75",
+ "id": "bundle--54db90a6-9c76-40b5-84c8-b7e0064e14e0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:46.157Z",
+ "modified": "2025-10-24T17:48:31.144Z",
 "name": "Exploitation of Remote Services",
 "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json b/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json
index 05342bb46a..284e8a8da7 100644
--- a/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json
+++ b/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--99d1e0b1-0995-4e6c-a94d-be66ff9054c9",
+ "id": "bundle--9f495371-e3d5-49e7-88bc-d14b22b27739",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:46.363Z",
+ "modified": "2025-10-24T17:48:31.318Z",
 "name": "Web Protocols",
 "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json b/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json
index b08ec79c44..132fbd687d 100644
--- a/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json
+++ b/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--abdc4627-4311-40b1-a845-a16de74c9183", + "id": "bundle--b6b3d600-1a81-4b61-9f0f-8bfb4eb31cab", "spec_version": "2.0", "objects": [ { - "modified": "2023-12-26T19:17:13.294Z", - "name": "Steal Application Access Token", - "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "created": "2022-04-01T15:12:50.740Z", 
@@ -67,8 +44,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:31.876Z", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. 
An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json b/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json index 8b8bab780e..952fdf47b0 100644 --- a/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json +++ b/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18801b39-2dc8-4678-a737-33b1d0f1c61b", + "id": "bundle--cb40a25d-2495-434e-bfb8-ee7d4287790f", "spec_version": "2.0", "objects": [ { 
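Review bot: The new side keeps the key as `"x_mitre_detection": ""` while `x_mitre_version` stays at `1.2`, so a consumer that tracks content changes by object version will not notice that the detection guidance is gone. That removed text held the defender-facing advice on explicit intents, permission checks, signing-certificate checks and App Links. An empty string is also a weak sentinel for "no value": a renderer cannot tell "never written" from "moved elsewhere". Consider omitting the key, or bumping `x_mitre_version` and documenting where detection content now lives; if it has moved to another object type in this release, that is not visible in this diff. The same blanking repeats in every later `x_mitre_detection` hunk on this page, each with only `modified` changed alongside it.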
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.535Z", + "modified": "2025-10-24T17:48:32.337Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json b/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json index 9be65c031c..295fd4168b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json +++ b/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4f27fd0-8e9e-46fc-b5fd-f10e0a8f163f", + "id": "bundle--54454dc5-cfee-4aee-a421-b7eb84c009be", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.725Z", + "modified": "2025-10-24T17:48:32.877Z", "name": "Virtualization/Sandbox Evasion", "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json b/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json index 882b4a539a..cbc7e0c2b4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json +++ b/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6dd63a2-b13a-4a7f-8760-068b3f4471aa", + "id": "bundle--d13f6a91-d64e-4c0e-a88c-4ff571b4b001", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:36.750Z", + "modified": "2025-10-24T17:48:32.963Z", "name": "Keychain", "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "kill_chain_phases": [ @@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json b/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json index 3b20e6029e..2d5c99d66f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json +++ b/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4fac8897-9ac0-4c1b-af67-fcde00b5e9ad", + "id": "bundle--668e1c8a-32ff-46d1-b84b-4a731f2ff549", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json b/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json index f4ad255fa3..b97f165f6e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json +++ b/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03cf9378-9d70-4a3b-a9cc-2abb5ce1d4c2", + "id": "bundle--da2c5713-4c68-48dd-8c93-2033b1bd2145", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json b/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json index 3a689fb163..7315f7eb1d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json +++ b/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64b02827-1e1c-4f6f-804d-e6c9628ca99b", + "id": "bundle--83013c73-701f-41bc-b70f-fa10a7ec4e5a", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.879Z", + "modified": "2025-10-24T17:48:33.677Z", "name": "Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json b/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json index 5179679734..92e97ab611 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json +++ b/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c23d7ae-0a99-4630-b606-b7266799a1cc", + "id": "bundle--58cd1e10-9e1a-46dd-9bbd-19df38204f12", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.026Z", + "modified": "2025-10-24T17:48:33.763Z", "name": "Disable or Modify Tools", "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json b/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json index 6116b7e2b8..a01e59cc83 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json +++ b/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df20b58f-cb0a-484b-b305-a3f37e074c9a", + "id": "bundle--8d2919c7-cd86-411f-9b17-9d43032dfc5a", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.175Z", + "modified": "2025-10-24T17:48:34.355Z", "name": "Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json b/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json index 2dc5d3b31b..71f938dcd4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json +++ b/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6515534f-9326-4710-b557-4f7940d989bb", + "id": "bundle--44736e69-6c89-4c6d-bcac-5a63efb9619f", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.329Z", + "modified": "2025-10-24T17:48:34.706Z", "name": "Dynamic Resolution", "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json b/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json index a527dac5e9..ff71a2e1f7 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6a50b72-a5b5-41f7-9768-7f7f8e725343", + "id": "bundle--2c9f3846-b49e-4351-b2d3-cfbdbd28a43e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json b/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json index e28c31a286..4997dac4d8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json +++ b/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df7965a0-1293-4662-ab94-273f162cd519", + "id": "bundle--ccfa1a4e-327a-4f2e-b9f1-c4a714543851", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.481Z", + "modified": "2025-10-24T17:48:35.175Z", "name": "Network Service Scanning", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json b/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json index 1081edbf0e..1390dbb5af 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json +++ b/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cf398ba-ecc9-408d-ad3d-854a3cff4a8e", + "id": "bundle--dc7938c9-4f26-4cfa-86c2-a89f8f1afb42", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:37.306Z", + "modified": "2025-10-24T17:48:35.718Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json b/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json index 09f25f4b6d..28954ef8b4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json +++ b/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc308658-9036-4234-86a0-930fd3b9e6df", + "id": "bundle--4b049405-e874-4918-8dd0-be87aacc19db", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.650Z", + "modified": "2025-10-24T17:48:36.720Z", "name": "Exfiltration Over C2 Channel", "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747.json b/mobile-attack/attack-pattern/attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747.json new file mode 100644 index 0000000000..6a24881de0 --- /dev/null +++ b/mobile-attack/attack-pattern/attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--1661bf18-5f14-484a-82c5-bea790b9aa01", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "created": "2025-09-17T14:58:52.520Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/005", + "external_id": "T1636.005" + }, + { + "source_name": "Android_AccountManager_Feb2025", + "description": "Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.", + "url": "https://developer.android.com/reference/android/accounts/AccountManager" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T15:21:58.225Z", + "name": "Accounts", + "description": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services. \n\nIf the device has been jailbroken or rooted, adversaries may be able to access [Accounts](https://attack.mitre.org/techniques/T1636/005) without the users\u2019 knowledge or approval. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Google's Android Security team" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json b/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json index b12d8095e5..8013c659d8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json +++ b/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7cdd5187-af1f-46b2-a861-02b5227c5c72", + "id": "bundle--39e68a53-3a98-49db-ae2c-ec4ac9cd5df3", "spec_version": "2.0", "objects": [ { 
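Review bot: The new T1636.005 object is added with `"x_mitre_detection": ""` and without `x_mitre_tactic_type`, which the Steal Application Access Token object earlier in this diff carries; if that field is expected on mobile techniques, add `"x_mitre_tactic_type": ["Post-Adversary Device Access"]` here. A brand-new technique with an empty detection field gives defenders nothing to act on unless the guidance is attached through another object not shown in this diff. The `description` string ends with trailing whitespace after "approval." and the file has no final newline. The iOS sentence names Keychain services without a citation, unlike the Android sentence, so a matching `external_references` entry would keep the two platforms consistent.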
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.809Z", + "modified": "2025-10-24T17:48:38.088Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json b/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json index 8b201414b4..4a7954b4ce 100644 --- a/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json +++ b/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dafcdebb-aaf2-4d1c-9ab4-a71896a3ec57", + "id": "bundle--6a6c2345-86eb-4ce8-833b-cc24fcb3076e", "spec_version": "2.0", "objects": [ { 
@@ -44,7 +44,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.962Z", + "modified": "2025-10-24T17:48:38.183Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [ 
@@ -66,7 +66,7 @@ "Gaetan van Diemen, ThreatFabric" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json b/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json index de15ec11ad..3d86aee0b7 100644 --- a/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json +++ b/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9272923c-83da-466d-9017-e8bb40cc988c", + "id": "bundle--4048a2c7-ae0b-47c7-b712-316c24ef1ec5", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.130Z", + "modified": "2025-10-24T17:48:38.977Z", "name": "Exfiltration Over Unencrypted Non-C2 Protocol", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json b/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json index 19c108c85f..05515aed47 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json +++ b/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--445b9d16-a5b4-4243-9bba-c07904283858", + "id": "bundle--98737477-c6cf-4f27-9be7-d0ca0dd05ca6", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.286Z", + "modified": "2025-10-24T17:48:39.155Z", "name": "Broadcast Receivers", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", "kill_chain_phases": [ @@ -38,7 +38,7 @@ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json b/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json index b0f84cbd6c..2141aed183 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5928e5f8-123e-44fc-9e3a-8f42b9c7e084", + "id": "bundle--3468beeb-eebb-443e-a153-92f50a2f187f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json b/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json index c5f7554d7f..9a36a1b225 100644 --- a/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json +++ b/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ff6943f-8dcf-4fcc-aff0-3587b193a572", + "id": "bundle--bef474b3-153c-45fe-9584-c60f82d3d7ea", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json b/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json index 5f5262c7da..395a5e479b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json +++ b/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2a179d1-6f52-4bbe-b3ae-f288566947ac", + "id": "bundle--c9fa8552-df54-4d89-b3d0-b3ea8077d86d", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.448Z", + "modified": "2025-10-24T17:48:40.140Z", "name": "Access Notifications", "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", "kill_chain_phases": [ @@ -39,7 +39,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json b/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json index fa6706a4b9..aa6a1088e8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json +++ b/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74780307-e80d-4d62-b037-ba04200193f1", + "id": "bundle--96a7ee2f-98cd-4ed9-ad0c-ad4033cb67cf", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:37.855Z", + "modified": "2025-10-24T17:48:40.404Z", "name": "Network Traffic Capture or Redirection", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "kill_chain_phases": [ @@ -39,7 +39,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json b/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json index d14ab82391..0d3f3bba6b 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json +++ b/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e771c16c-894a-440d-8334-f9c6ce23b3dc", + "id": "bundle--a6f28086-9258-4dc1-a690-933b0c029531", "spec_version": "2.0", "objects": [ { 
@@ -84,7 +84,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.043Z", + "modified": "2025-10-24T17:48:41.397Z", "name": "Input Prompt", "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). 
A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "kill_chain_phases": [ 
@@ -95,7 +95,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json b/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json index 7969c5a95d..ca53a00191 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json +++ b/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28928059-16cd-4742-92be-f2573cdde669", + "id": "bundle--e320a6ac-57c4-4322-b846-d57e564d42ee", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.656Z", + "modified": "2025-10-24T17:48:41.491Z", "name": "Exfiltration Over Alternative Protocol", "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json b/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json index 6adf578226..91c0b6fd21 100644 --- a/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json +++ b/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06f060a1-6b02-42b4-b5f4-c8628256fb58", + "id": "bundle--9aaeb57b-3b60-4386-ba94-1612c8c09969", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json b/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json index 4292db002b..0e8f565f1c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json +++ b/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a71497c1-c70c-48c3-910a-37476d9fd463", + "id": "bundle--67dc9cfc-c8da-4c22-9a87-955b493881dd", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:31.363Z", + "modified": "2025-10-24T17:48:43.592Z", "name": "Biometric Spoofing", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json b/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json index ddfc992e6a..5a1e2e9b88 100644 --- a/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json +++ b/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d3cd22d-7f78-407c-b3bb-848ee83b8b04", + "id": "bundle--ee1d4b73-217a-4a1b-ae88-5bcd21bc1c0a", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.836Z", + "modified": "2025-10-24T17:48:43.758Z", "name": "Boot or Logon Initialization Scripts", "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", "kill_chain_phases": [ @@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json b/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json index d86006ca64..cd7b475a21 100644 --- a/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--8bd2af86-122b-4eca-b874-c4003f660508", + "id": "bundle--02fa54ca-a87e-403c-a863-24c684ed6cb9", "spec_version": "2.0", "objects": [ { - "modified": "2024-11-17T18:31:54.804Z", - "name": "Execution Guardrails", - "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. 
Application vetting services can detect unnecessary and potentially permissions or API calls.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:44.210Z", + "name": "Execution Guardrails", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
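Review bot: `x_mitre_version` stays at `"1.1"` for Execution Guardrails even though this hunk and the one before it change the object's content: `x_mitre_detection` is cleared and `modified` moves from `2024-11-17T18:31:54.804Z` to `2025-10-24T17:48:44.210Z`. Consumers that detect changes through `x_mitre_version` and not `modified` will miss the removal of the detection guidance; the GUI Input Capture hunks further down keep `"1.1"` in the same way. If keeping the version is deliberate, the changelog should say so; otherwise bump `x_mitre_version` on every object whose detection text was removed. The rest of the hunk only moves keys to a different position, which carries no meaning in JSON.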
diff --git a/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json b/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json index 1aacfadbb6..5a6afcb4fa 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json +++ b/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--547c7c95-8f62-4eda-b789-3fd0c152705e", + "id": "bundle--0fe9ab84-0892-4072-9317-09630d8a5d65", "spec_version": "2.0", "objects": [ { - "modified": "2024-11-17T18:58:58.592Z", - "name": "GUI Input Capture", - "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. 
", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "created": "2022-04-05T19:48:31.195Z", 
@@ -101,8 +74,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:45.045Z", + "name": "GUI Input Capture", + "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json b/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json index 939735aaf9..e5c0f02ebb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json +++ b/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb740bb7-d12b-4941-bf62-5d34724533c7", + "id": "bundle--9801be16-4a4d-49c5-96eb-1ed9db04dbd5", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.397Z", + "modified": "2025-10-24T17:48:45.330Z", "name": "Access Contact List", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json b/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json index 155cd2f87b..d87c008ad2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json +++ b/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6490d85-fe67-44f8-bd9e-48b7b5313112", + "id": "bundle--eede6a79-0c27-478f-ae11-9391b9f8849b", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.029Z", + "modified": "2025-10-24T17:48:45.611Z", "name": "Compromise Client Software Binary", "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json b/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json index 2a55306890..29ab74a2f5 100644 
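Review bot: The detection text removed in the `@@ -40,7 +40,7 @@` hunk for Compromise Client Software Binary contained `(Citation: Android-VerifiedBoot)`, and none of the visible new lines cites that source. The `external_references` array lies outside the hunk, so it cannot be seen whether the matching entry was dropped. If it remains and no other field cites it, it is now an orphaned reference and should either be removed or be kept deliberately with a line in the commit description. The same check applies to `CSRIC-WG1-FinalReport` (Exploit SS7 to Track Device Location), `Data Driven Security DGA` (Domain Generation Algorithms), `iOS Mic Spyware` and `Android Privacy Indicators` (Audio Capture), and `Samsung Knox Mobile Threat Defense` (Unix Shell).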
--- a/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json +++ b/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98be12df-3041-4690-9b8a-337958c52e73", + "id": "bundle--587e09dd-18c9-4731-8798-48eabb3e0771", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.224Z", + "modified": "2025-10-24T17:48:46.514Z", "name": "Software Packing", "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json b/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json index df7da58d7c..2cad6f3bde 100644 --- a/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b653007-23b7-4c60-86c6-0d72c76092f0", + "id": "bundle--9051b344-d45c-44c0-a3dc-4bfe25d1e04a", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:31.975Z", + "modified": "2025-10-24T17:48:46.777Z", "name": "Abuse of iOS Enterprise App Signing Key", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json b/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json index cc744ac47d..75a6950c57 100644 --- a/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json +++ b/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e4b93ea2-e2cb-47c6-aad5-58d43162b28f", + "id": "bundle--3e929b51-d156-48f9-95c2-df7f3cbd5520", "spec_version": "2.0", "objects": [ { @@ -53,7 +53,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.781Z", + "modified": "2025-10-24T17:48:47.128Z", "name": "Exploit SS7 to Track Device Location", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "kill_chain_phases": [ 
@@ -64,7 +64,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json b/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json index 53e1ac5da5..7eabe213ce 100644 --- a/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json +++ b/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f20493ba-b7c2-4148-961f-01eb07b552a3", + "id": "bundle--85243bb2-145e-49fe-b4d8-9e44b9450e6c", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.389Z", + "modified": "2025-10-24T17:48:47.482Z", "name": "Native API", "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "kill_chain_phases": [ @@ -44,7 +44,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json b/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json index 0f97878cdd..bb9791a087 100644 --- a/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json +++ b/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1c2ae7e-210d-41cb-9c15-dec6606b8deb", + "id": "bundle--5cb4881a-f625-462b-9ef9-ae8ed57c0275", "spec_version": "2.0", "objects": [ { 
@@ -54,7 +54,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.001Z", + "modified": "2025-10-24T17:48:47.664Z", "name": "Deliver Malicious App via Other Means", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ 
@@ -65,7 +65,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json b/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json index e63822ae74..1e61caf370 100644 --- a/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json +++ b/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36f50c52-0d11-4d92-900e-189d3c79f825", + "id": "bundle--39c15d81-9d7c-44f2-892b-9bee8868928b", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.181Z", + "modified": "2025-10-24T17:48:47.844Z", "name": "Remotely Wipe Data Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "kill_chain_phases": [ 
@@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json b/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json index f0b1d4b9fc..4a85d64c99 100644 --- a/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json +++ b/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed36c0fe-5cd1-4a15-a81c-79bcbaf04e65", + "id": "bundle--103c4b78-b373-4255-b180-d620f91b9142", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json b/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json index cedeaaeded..ffd05e08bc 100644 --- a/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json +++ b/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--626bc01d-e5aa-4d1c-b541-a1afc17a8516", + "id": "bundle--7df69923-4260-406e-8ea5-8fc2d2d1f560", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.548Z", + "modified": "2025-10-24T17:48:50.301Z", "name": "Proxy Through Victim", "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json b/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json index e25ff44990..2b23d7576c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json +++ b/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b45b3611-a6aa-4008-bc7e-6b4793fbd572", + "id": "bundle--c5a3714b-d5e7-4a72-96df-44fb3855a9b9", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.358Z", + "modified": "2025-10-24T17:48:50.736Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json b/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json index 9f29f96099..4385a2af19 100644 --- a/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4af84028-d61c-4fa4-8e36-4bdbc6332e9a", + "id": "bundle--063f9579-0d15-4006-b4cb-17fe522f8887", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.545Z", + "modified": "2025-10-24T17:48:51.462Z", "name": "Access Calendar Entries", "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json b/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json index 1f2f2ba59b..65eee6a5ac 100644 --- a/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json +++ b/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f829fd71-7540-4195-838d-36f61bc5be6b", + "id": "bundle--4377d159-f871-44bb-952f-e20ae5eb6dcc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json b/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json index 7c60509efa..78a40c55d7 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json +++ b/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22827c75-2dcc-4329-b1cc-56d65aaba2e1", + "id": "bundle--94ec55fc-9717-4eba-bbfb-5e87ad23e7fe", "spec_version": "2.0", "objects": [ { @@ -44,7 +44,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.743Z", + "modified": "2025-10-24T17:48:52.197Z", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "kill_chain_phases": [ 
@@ -62,7 +62,7 @@ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json b/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json index f780256622..a1271ab02d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json +++ b/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2caa661-a90a-45ad-9dc3-aa245521c6cd", + "id": "bundle--1bbf421c-d068-452c-98b5-cd76c6617d06", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json b/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json index f40cce7cd1..ce6f728719 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json +++ b/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--270fb82b-25ae-4f2e-a536-b8bd5b4e82b3", + "id": "bundle--1173e981-e214-476c-be9b-63882f0da038", "spec_version": "2.0", "objects": [ { 
@@ -49,7 +49,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.937Z", + "modified": "2025-10-24T17:48:52.833Z", "name": "Audio Capture", "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "kill_chain_phases": [ 
@@ -60,7 +60,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json b/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json index d9416b02b2..7d1170ea25 100644 --- a/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json +++ b/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26defdc0-ed68-4f65-bb43-8f65195cab51", + "id": "bundle--37aa901b-6dcd-4f0d-be91-c124e36393db", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.121Z", + "modified": "2025-10-24T17:48:53.101Z", "name": "Hijack Execution Flow", "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json b/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json index 8c01e93b23..f3e4610cb3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json +++ b/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ea3465b-af85-4725-9aa5-d8310be15491", + "id": "bundle--d6b0bfe8-e198-4def-bb64-692e8f560db9", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.314Z", + "modified": "2025-10-24T17:48:54.078Z", "name": "Unix Shell", "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json b/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json index 8d2be19529..23fbd1dde5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json +++ b/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5dd72193-51c9-4e8a-b030-addc61dcd580", + "id": "bundle--b1185406-114f-446e-8658-e23981a585ba", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.479Z", + "modified": "2025-10-24T17:48:54.576Z", "name": "Application Layer Protocol", "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json b/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json index 6dfed7794c..4982b2124b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3323d7f-827c-464c-826f-9841055c1cb7", + "id": "bundle--6851fb47-7332-4f86-818b-6edc28e56213", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:33.241Z", + "modified": "2025-10-24T17:48:55.097Z", "name": "App Delivered via Web Download", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json b/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json index a22baa1a4d..c815904702 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json +++ b/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ba3ad66-ae7b-44c3-adfe-f82837c20edf", + "id": "bundle--740a92c7-9efb-4d80-b299-68018998d984", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.660Z", + "modified": "2025-10-24T17:48:55.445Z", "name": "Download New Code at Runtime", "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", "kill_chain_phases": [ 
@@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json b/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json index 4788b5e64d..377e5f1870 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json +++ b/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0aaebd1c-24b3-46c5-8e33-848e27a04c57", + "id": "bundle--ba7a4ee7-5559-4027-8d1b-d4d9c8f707be", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json b/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json index 469c05f6e5..b7fc7a7b0f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de2098e6-345f-4e9d-b0c6-21b3038c0d38", + "id": "bundle--26dc77ab-d92f-4f97-b1b9-eb1033a55783", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.105Z", + "modified": "2025-10-24T17:48:55.981Z", "name": "Remotely Track Device Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "kill_chain_phases": [ @@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json b/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json index c8cd4dabc1..abd0edbbbf 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42678bc9-e967-4f0c-b4b9-f5adfd8490c7", + "id": "bundle--527b3f26-287c-4219-86aa-c55629a93270", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.837Z", + "modified": "2025-10-24T17:48:56.336Z", "name": "System Checks", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json b/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json index 524db820b7..687071905e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--3d3a7350-46ba-4001-b07f-ae955bd93500", + "id": "bundle--ee866d7c-75df-48d6-a980-b9d3d6992da0", "spec_version": "2.0", "objects": [ { - "modified": "2024-11-17T18:31:54.805Z", - "name": "Stored Application Data", - "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "created": "2017-10-25T14:48:15.402Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:56.509Z", + "name": "Stored Application Data", + "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json b/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json index 1ca2a77918..5e4a552890 100644 --- a/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json +++ b/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4aa3e2a8-1b92-4a2d-a510-ee135404fe90", + "id": "bundle--f4a3b06f-774b-4fc8-828d-032bdcc8995c", "spec_version": "2.0", "objects": [ { 
@@ -49,7 +49,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.988Z", + "modified": "2025-10-24T17:48:57.610Z", "name": "Screen Capture", "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "kill_chain_phases": [ @@ -60,7 +60,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json b/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json index c5c6e57d16..2f4fabb5b2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json +++ b/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fdcc9c51-12ff-4ad9-a273-54810172dbb2", + "id": "bundle--327e84a4-89ba-41f2-8a98-8fcd10e3b3ab", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.156Z", + "modified": "2025-10-24T17:48:57.794Z", "name": "Transmitted Data Manipulation", "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json b/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json index 072a9afcf4..d08e0077f9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json +++ b/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b6fb890-7064-4a40-a8d9-ac9972464cf2", + "id": "bundle--be5b658f-62a4-4be3-b357-39dfdf3c5020", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json b/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json index 52b758142f..bddcae072a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json +++ b/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b16a5920-70df-4b41-a74c-2a6c0ee2575a", + "id": "bundle--bc076c81-8ec0-419e-88ab-b1ebe8e4ab3f", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.453Z", + "modified": "2025-10-24T17:48:58.596Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json b/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json index 93b29d6fa7..3edbf53206 100644 --- a/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json +++ b/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--b3e3076d-b1aa-4d94-9bda-05d13415d3a3", + "id": "bundle--eceebf8e-9c93-423a-8020-d852615d6d92", "spec_version": "2.0", "objects": [ { - "modified": "2024-11-17T13:32:52.030Z", - "name": "Compromise Software Dependencies and Development Tools", - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "created": "2022-03-28T19:31:51.978Z", 
@@ -77,8 +54,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:58.857Z", + "name": "Compromise Software Dependencies and Development Tools", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json b/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json index a278f8a6cb..a52d506773 100644 --- a/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json +++ b/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a354456d-3bb6-45d4-a891-26b40099dfb6", + "id": "bundle--6f0c25ee-e455-494d-a2ed-048406d3a272", "spec_version": "2.0", "objects": [ { 
@@ -49,7 +49,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.634Z", + "modified": "2025-10-24T17:48:58.965Z", "name": "Evade Analysis Environment", "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "kill_chain_phases": [ @@ -64,7 +64,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json b/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json index a83fcbbd94..0d9f96ec7e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json +++ b/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28b007c1-baf5-48c0-9277-7baf4137ec3d", + "id": "bundle--17329219-fa21-496a-b9bb-76d484858a1a", "spec_version": "2.0", "objects": [ { @@ -23,7 +23,7 @@ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" }, { "source_name": "IETF-PKCE", @@ -39,7 +39,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.304Z", + "modified": "2025-10-24T17:48:59.057Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", "kill_chain_phases": [ 
@@ -48,13 +48,13 @@ "phase_name": "credential-access" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Leo Zhang, Trend Micro", "Steven Du, Trend Micro" ], "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json b/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json index eaf65056a5..e288350049 100644 --- a/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json +++ b/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c93a62b-eb19-42ef-8ca8-363cf5f1650b", + "id": "bundle--754819dd-1203-47ea-bb7d-0a4254a556ac", "spec_version": "2.0", "objects": [ { 
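Review bot: `"x_mitre_attack_spec_version": "3.3.0"` is set only on this URI Hijacking object, while the other objects in the diff that receive the same `"x_mitre_detection": ""` change stay at `"3.2.0"`. A consumer that branches on the spec version would treat otherwise identical records differently, so either this line stays `"x_mitre_attack_spec_version": "3.2.0"` or the sibling objects are bumped as well; which of the two is intended cannot be told from the hunk. The removed detection text was also the only visible place citing `(Citation: IETF-OAuthNativeApps)` and `(Citation: Android-AppLinks)`, so those `external_references` entries, if still present outside the hunk, are now uncited.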
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.458Z", + "modified": "2025-10-24T17:48:59.522Z", "name": "Subvert Trust Controls", "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json b/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json index e239951c29..3c7bd46427 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json +++ b/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4bf73163-5833-43c2-be27-ebcaf9fb8ad7", + "id": "bundle--a07889c4-57e7-472b-b715-883322129bc3", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.824Z", + "modified": "2025-10-24T17:48:59.691Z", "name": "Access Call Log", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json b/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json index f17a399a67..3618ded9a8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json +++ b/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6884553-de00-4097-9ff7-db97a8f4aeba", + "id": "bundle--c8b26093-b795-47fc-b48b-bf86658948fb", "spec_version": "2.0", "objects": [ { 
@@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:41.041Z", + "modified": "2025-10-24T17:49:02.464Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "kill_chain_phases": [ @@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json b/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json index 777b4653eb..d369b29d3d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json +++ b/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7eb4153-4b97-44e9-87c6-bd774063b36e", + "id": "bundle--4e217882-f2ad-4371-b7a2-aab5b2c2f9ae", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:41.218Z", + "modified": "2025-10-24T17:49:02.729Z", "name": "Device Administrator Permissions", "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json b/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json index 70e458f492..2986f2b48b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json +++ b/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e93e3d02-09f0-46a9-a14f-00ae03b0e9b6",
+ "id": "bundle--e9428c31-c268-4307-8e34-5a075e184152",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,10 +18,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:34.865Z",
+ "modified": "2025-10-24T17:49:02.916Z",
 "name": "Remotely Install Application",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json b/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json
index e758b3ceca..09527e9554 100644
--- a/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json
+++ b/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da76e67c-85e4-4a3c-86da-1c86477388a4",
+ "id": "bundle--3eb9a8c9-18da-4543-90c7-26acd35e6392",
 "spec_version": "2.0",
 "objects": [
 {
@@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.670Z", + "modified": "2025-10-24T17:49:03.949Z", "name": "Keychain", "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "kill_chain_phases": [ @@ -45,7 +45,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json b/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json index 4602d9272e..45d54b6cf8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json +++ b/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--39870a39-c71a-4e5b-82d0-5975cb6de826",
+ "id": "bundle--122b1df1-134a-4bc7-8dad-3ba2fa1b7593",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:41.585Z",
+ "modified": "2025-10-24T17:49:04.473Z",
 "name": "Modify Cached Executable Code",
 "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json b/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
index 4bcf8cabda..598c50de2d 100644
--- a/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
+++ b/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0a5b0f71-5edf-4b58-81c9-6264622ddcab",
+ "id": "bundle--73f357cc-613a-43cb-9f00-fcc63dc03da5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -11,7 +11,7 @@ "revoked": true, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1419", "external_id": "T1419" }, @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:35.161Z", + "modified": "2025-09-08T16:32:57.531Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [ @@ -33,8 +33,9 @@ "phase_name": "discovery" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json b/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json index b1e3416f59..b48a566462 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json +++ b/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--633bb0be-97c9-43a9-b510-9e6f2c895771", + "id": "bundle--d1cd03e8-56e4-4b36-9817-ff9772993f0e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json b/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json index c348366034..f33d5101ce 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json +++ b/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--50ddefc8-2d88-4e13-b9c0-88af58374599",
+ "id": "bundle--e4f3ec0f-7ced-4a00-b0ca-85b94179bd37",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json b/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json
index a91b43752f..faffbe1814 100644
--- a/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json
+++ b/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--37590a4c-37a7-4697-8d9a-4df456689bd7",
+ "id": "bundle--9a7d8a3c-e625-46ad-b564-a2ca0950813b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:42.129Z",
+ "modified": "2025-10-24T17:49:05.463Z",
 "name": "Delete Device Data",
 "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
 "kill_chain_phases": [
@@ -39,7 +39,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json b/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json index c9a8c58962..ed48d717f8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json +++ b/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39db7a82-84cc-4025-ba7f-193d597aff27", + "id": "bundle--e7d125d1-0823-4e13-a101-cbfabf74d68d", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:42.305Z", + "modified": "2025-10-24T17:49:05.648Z", "name": "Carrier Billing Fraud", "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json b/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json index e37f89c1c2..6cdf67f33b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json +++ b/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26fafe60-9f4b-4026-8c61-71f5d77c5825", + "id": "bundle--df4ad9f6-c0fb-4de6-a41c-299020bad05e", "spec_version": "2.0", "objects": [ { @@ -11,24 +11,19 @@ "revoked": true, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415" }, - { - "source_name": "NIST Mobile Threat Catalogue", - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "external_id": "AUT-10" - }, { "source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" }, { - "source_name": "Dhanjani-URLScheme", - "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", - "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" + "source_name": "MobileIron-XARA", + "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", + "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" }, { "source_name": "IETF-PKCE", 
@@ -36,15 +31,20 @@ "url": "https://tools.ietf.org/html/rfc7636" }, { - "source_name": "MobileIron-XARA", - "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", - "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" + "source_name": "Dhanjani-URLScheme", + "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", + "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", + "external_id": "AUT-10" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:35.896Z", + "modified": "2025-09-08T16:36:02.126Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [ @@ -53,8 +53,9 @@ "phase_name": "credential-access" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json b/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json index 48865fd0ed..e566468dde 100644 --- a/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf5d48c8-1f44-48b4-9a05-31b1650a24e5", + "id": "bundle--88fc7e55-040d-4879-bf99-a1860b1bbfa1", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.825Z", + "modified": "2025-10-24T17:49:06.929Z", "name": "Bidirectional Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json b/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json index 92834a3af4..67784af455 100644 --- a/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json +++ b/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cff0c70f-8542-4fca-9df1-805c6c683214", + "id": "bundle--2a4b458f-8cc4-401b-ac75-4f8be3d82bbf", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.980Z", + "modified": "2025-10-24T17:49:07.116Z", "name": "Non-Standard Port", "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json b/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json index 18dd096e7c..72867659b2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json +++ b/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13efc960-2cf4-4dd0-8c87-6f01c6b05664", + "id": "bundle--bdbbb33d-3cfc-43b7-94e0-2555800eb4aa", "spec_version": "2.0", "objects": [ { @@ -44,7 +44,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.139Z", + "modified": "2025-10-24T17:49:07.487Z", "name": "Compromise Software Supply Chain", "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "kill_chain_phases": [ 
@@ -55,7 +55,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json b/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json index c85f96ed14..cd5e5ea06a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json +++ b/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c1bc057-d256-42ed-b6af-228fc72e54aa", + "id": "bundle--1cb8193e-8536-4262-b613-eed92c914fda", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.296Z", + "modified": "2025-10-24T17:49:07.948Z", "name": "Dead Drop Resolver", "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json b/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json index 5a05b9f148..461d7f5db5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe414265-c8f3-4721-aaa0-84a0a4020060", + "id": "bundle--8b81b5ee-a893-42a5-9683-ed101101ac90", "spec_version": "2.0", "objects": [ { 
@@ -49,7 +49,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.460Z", + "modified": "2025-10-24T17:49:08.214Z", "name": "Location Tracking", "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "kill_chain_phases": [ 
@@ -64,7 +64,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. \n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json b/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json index 6dbab24256..db6e0f9736 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json +++ b/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13ed3618-d3b9-4341-a876-9a31ef59271a", + "id": "bundle--434c8ee9-7574-4947-a6c8-4ff848316372", "spec_version": "2.0", "objects": [ { 
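Review bot: Once the `@@ -64,7 +64,7 @@` hunk empties the detection text, the only remaining mention of the coarse-location permission on the Location Tracking object is the misspelled `ACCESS_COAURSE_LOCATION` in the description, an unchanged context line of the preceding `@@ -49,7 +49,7 @@` hunk. The removed text spelled it `ACCESS_COARSE_LOCATION`. Anyone deriving application-vetting checks or manifest searches from this object would now copy a permission string that matches nothing. Since the object is being re-published anyway, the description should read `ACCESS_COARSE_LOCATION`. The vetting criteria that were dropped (the three Android permissions and the three `Info.plist` keys) should also stay reachable from this technique wherever detection content now lives.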
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.648Z", + "modified": "2025-10-24T17:49:08.587Z", "name": "Device Administrator Permissions", "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json b/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json index 743208f73f..5f67ef5588 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json +++ b/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f423ee6-c3f2-4dba-a699-c2c84c5667d3", + "id": "bundle--77cc58c5-31ff-4aaf-8e71-159c73459037", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:42.681Z", + "modified": "2025-10-24T17:49:09.025Z", "name": "Device Lockout", "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ @@ -49,7 +49,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json b/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json index f31fa9f775..70ab6adcad 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16023167-ea22-48c3-bd85-8e44b0ec0892", + "id": "bundle--ec2e369f-482c-496c-a137-51e02ba1f1c2", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.807Z", + "modified": "2025-10-24T17:49:09.660Z", "name": "Remote Device Management Services", "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "kill_chain_phases": [ @@ -49,7 +49,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json b/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json index 68272c7a92..bbe181a3f0 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json +++ b/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d2136d9-d419-4962-b3fb-06c706af0884", + "id": "bundle--2e6a3392-d8a5-4787-9e0f-3d56a32887cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json b/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json index dffe3a3f12..91469ea377 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json +++ b/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0caaaa0-1464-4202-b25e-7c1dc2955e67", + "id": "bundle--03f412e9-2af0-4f45-b1b4-ec132026fac4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760.json b/mobile-attack/attack-pattern/attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760.json new file mode 100644 index 0000000000..687f35048f --- /dev/null +++ b/mobile-attack/attack-pattern/attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--42eb7110-0de5-4ed0-adee-ad9bd5c19160", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", + "created": "2025-05-19T18:24:54.985Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1676", + "external_id": "T1676" + }, + { + "source_name": "Signal_LinkedDevices_NoDate", + "description": "Signal. (n.d.). Linked Devices. Retrieved May 9, 2025.", + "url": "https://support.signal.org/hc/en-us/articles/360007320551-Linked-Devices" + }, + { + "source_name": "WhatsApp_LinkDevice_NoDate", + "description": "WhatsApp. (n.d.). How to link a device. Retrieved May 9, 2025.", + "url": "https://faq.whatsapp.com/1317564962315842/?helpref=faq_content&cms_platform=web" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-05-19T20:03:02.656Z", + "name": "Linked Devices", + "description": "Adversaries may abuse the \u201clinked devices\u201d feature on messaging applications, such as Signal and WhatsApp, to register the user\u2019s account to an adversary-controlled device. By abusing the \u201clinked devices\u201d feature, adversaries may achieve and maintain persistence through the user\u2019s account, may collect information, such as the user\u2019s messages and contacts list, and may send future messages from the linked device.\n\nSignal is a messaging application that uses the open-source Signal Protocol to encrypt messages and calls; similarly, WhatsApp is a messaging application that has end-to-end encryption and other security measures to protect messages and calls. 
Both applications have a \u201clinked devices\u201d feature that allows users to access their Signal and/or WhatsApp accounts from different devices, such as a Windows or Mac desktop, an iPad or an Android tablet.(Citation: WhatsApp_LinkDevice_NoDate)(Citation: Signal_LinkedDevices_NoDate)\n\nAdversaries may use [Phishing](https://attack.mitre.org/techniques/T1660) techniques to trick the user into scanning a quick-response (QR) code, which is used to link the user\u2019s Signal and/or WhatsApp account to an adversary-controlled device. For example, adversaries may masquerade QR codes as group invites, security alerts or as legitimate instructions for pairing linked devices. \nUpon scanning the QR code in Signal, users may click on the \u201cTransfer Message History\u201d option to sync the linked devices, which may allow adversaries to collect more information about the user. Upon scanning the QR code in WhatsApp, the user\u2019s device will automatically send an end-to-end encrypted copy of recent message history to the adversary-controlled device. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Giorgi Gurgenidze, GITAC" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json b/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json index 1cf6da13dc..6cfe3d1092 100644 
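Review bot: The `description` of the new Linked Devices object breaks its last paragraph with a single newline after a trailing space, `pairing linked devices. \nUpon scanning the QR code in Signal`, while every other paragraph break in the string uses `\n\n`. A Markdown renderer will run the phishing-lure sentence and the message-history sentences together as one paragraph. I would write `pairing linked devices.\n\nUpon scanning the QR code in Signal` and drop the trailing space before the closing quote of the string. The WhatsApp reference URL also carries what looks like navigation state (`?helpref=faq_content&cms_platform=web`); if the article resolves without it, the shorter form is the more stable citation.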
--- a/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json +++ b/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90a865c7-5884-4a83-a4a7-f44d8252fa7a", + "id": "bundle--af502c49-780c-4da4-8494-52bb72597951", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:36.937Z", + "modified": "2025-10-24T17:49:10.732Z", "name": "Stolen Developer Credentials or Signing Keys", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json b/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json index 4811bc5922..9468733492 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json +++ b/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f14ea076-eb9d-42e1-abb5-58371fa2c324", + "id": "bundle--42999bed-6846-4f10-b588-0345f4699f5b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json b/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json index 94625ccb06..ba3af06c9c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json +++ b/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--627f253c-2877-40b3-82fa-b580657cdc75", + "id": "bundle--70f58c42-3e18-4a7f-a5ae-8874f5e062f0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json b/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json index 2de2bfd10d..4767c6676f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65c96d72-5b13-4704-9ebd-7c91396f12e0", + "id": "bundle--94286ad6-53a9-4872-bd14-218770990411", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.964Z", + "modified": "2025-10-24T17:49:11.864Z", "name": "Input Capture", "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "kill_chain_phases": [ @@ -44,7 +44,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json b/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json index 3638054039..37bead20a6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json +++ b/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ce8178a-f96f-4a40-96d9-b35d54189f33", + "id": "bundle--7af639be-b17a-4ace-9670-ff4254dfd420", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.113Z", + "modified": "2025-10-24T17:49:12.043Z", "name": "Generate Traffic from Victim", "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the \u201cSpecial access\u201d page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json b/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json index b26d7479e9..7d6f496c78 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json +++ b/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f63bcbc-d1df-44d8-ad43-418b546d6ee9", + "id": "bundle--51a5cfc9-0672-4122-8a1e-f1312d82ceb9", "spec_version": "2.0", "objects": [ { @@ -39,7 +39,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.262Z", + "modified": "2025-10-24T17:49:12.130Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "kill_chain_phases": [ @@ -50,7 +50,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json b/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json index 5d50039235..129fbbaeff 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--796bee96-2ac1-40a0-92da-10f9cd2c97cc", + "id": "bundle--f1018473-25d6-43bd-9953-2dfda1ded722", "spec_version": "2.0", "objects": [ { @@ -39,7 +39,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:43.392Z", + "modified": "2025-10-24T17:49:12.301Z", "name": "Masquerade as Legitimate Application", "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "kill_chain_phases": [ 
@@ -57,7 +57,7 @@ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": true, - "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json b/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json index f6fb3b0129..9e1ce421e6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json +++ b/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff3cb147-c69f-4ce8-aca7-497a4e85e101", + "id": "bundle--6df447be-9d61-4ddc-bd09-561db0237257", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:37.543Z", + "modified": "2025-10-24T17:49:12.390Z", "name": "Malicious Media Content", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json b/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json index 4f3e0e5c2a..f721f3f1a7 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json +++ b/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a898620e-1059-4c10-894d-e926cf328f3b", + "id": "bundle--30a2525a-88f6-4db1-b08b-692e8d000bab", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.420Z", + "modified": "2025-10-24T17:49:12.650Z", "name": "Calendar Entries", "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json b/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json index 126609c842..5ba024c2f6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json +++ b/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e9c7259-9268-430a-86b6-bff31b4f6149", + "id": "bundle--a8c935dd-7db7-46df-a9a1-e9deba1d7ba4", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.593Z", + "modified": "2025-10-24T17:49:12.849Z", "name": "File Deletion", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json b/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json index 5d0a926d23..662696e6e9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json +++ b/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da61bc05-65b8-4c35-8c94-731701065ba0", + "id": "bundle--0ed2f8b6-5095-4058-b1f1-bb2a87544e9a", "spec_version": "2.0", "objects": [ { @@ -44,7 +44,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.782Z", + "modified": "2025-10-24T17:49:13.285Z", "name": "Device Lockout", "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)", "kill_chain_phases": [ @@ -55,7 +55,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json b/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json index 7c3820227e..6bdc74a950 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json +++ b/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29a80f93-9255-4faa-a3fc-d97eb2354af8", + "id": "bundle--2841d9b2-8c89-4327-8b93-d56ba904c3c1", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.936Z", + "modified": "2025-10-24T17:49:14.276Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", "kill_chain_phases": [ 
@@ -44,7 +44,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json b/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json index cd8adf559e..471ea83721 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json +++ b/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a36164a-5561-459a-bee5-b2652d702dde", + "id": "bundle--5813505c-d6ab-44b2-b005-f28a51f5702b", "spec_version": "2.0", "objects": [ { 
@@ -39,7 +39,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.090Z", + "modified": "2025-10-24T17:49:15.008Z", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "kill_chain_phases": [ @@ -50,7 +50,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view the default SMS handler in system settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json b/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json index 65d8a9d38a..a6054f6fb9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json +++ b/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a7ad241-34f4-44d5-bd2e-fcc64a4e194e", + "id": "bundle--2f405864-d962-48cf-b301-1e39c5c9c125", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json b/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json index 52c99bbd5f..a6f592bc95 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json +++ b/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--522a5ff4-308b-4b09-b1b4-730e06bef2fb", + "id": "bundle--7406e1eb-f294-4b01-a27c-a7a1bba347c5", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:43.920Z", + "modified": "2025-10-24T17:49:15.184Z", "name": "Exfiltration Over Other Network Medium", "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json b/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json index 89a74c9da6..a7b6bb8075 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json +++ b/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23b5f458-de63-4b77-86ef-b1c99dd3f29e", + "id": "bundle--4a7acc2d-f187-4a04-b626-06b823395afd", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:38.229Z", + "modified": "2025-10-24T17:49:16.049Z", "name": "Detect App Analysis Environment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json b/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json index 8e60e2b269..325c0cfa4d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json +++ b/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eec89367-8bda-4dbd-a53b-7c009bbb00dc", + "id": "bundle--270834f7-8c42-40fe-8668-751744a4a1b1", "spec_version": "2.0", "objects": [ { 
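Review bot: The -18,10 +18,11 hunk for Detect App Analysis Environment adds `"x_mitre_detection": ""` to an object that did not have the key before, so a consumer that tests for the key's presence will now treat the object as having a detection field. The same addition appears in the Malicious Software Development Tools and Exploit Baseband Vulnerability hunks. If the empty string means "no guidance in this field", omitting the key on objects that never had it would keep presence meaningful. Otherwise the schema notes should state that `""` and an absent key are equivalent.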
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.246Z", + "modified": "2025-10-24T17:49:16.232Z", "name": "Process Injection", "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", "kill_chain_phases": [ @@ -34,7 +34,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json b/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json index 97e90380bc..c94cf7aefc 100644 --- a/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json +++ b/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--569aa917-4dcd-42b5-b8be-8dc342a661eb", + "id": "bundle--226c7ae6-7b77-48b9-be7c-3ad159952a80", "spec_version": "2.0", "objects": [ { 
@@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:38.477Z", + "modified": "2025-10-24T17:49:17.290Z", "name": "Malicious Software Development Tools", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json b/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json index aa3920a796..fea8bfe1f6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json +++ b/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--519a5365-542a-4bbb-a31c-85d83d9892b8", + "id": "bundle--177fd2ac-831b-40e7-b030-b9bd65acce47", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.401Z", + "modified": "2025-10-24T17:49:17.802Z", "name": "Symmetric Cryptography", "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json b/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json index aac27da70f..7ac9d4d3c8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json +++ b/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a85a5b21-74c8-43da-bca4-2153e1d8e446", + "id": "bundle--759f5401-0014-4883-89fe-3ee42fcbc32a", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:44.489Z", + "modified": "2025-10-24T17:49:18.426Z", "name": "Broadcast Receivers", "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "kill_chain_phases": [ @@ -39,7 +39,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json b/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json index a55f33711b..e12516a9ed 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json +++ b/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1fa6f3c0-f960-40e3-bbc8-80b8808d9a03", + "id": "bundle--d258eb27-aa0b-4c16-b0ad-fd52d550d520", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json b/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json index 48e47a2dc5..7807e5a027 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json +++ b/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e21a6909-29e9-4474-a249-ea3b04adfce7", + "id": "bundle--cd4b3138-0be4-4fd4-99a4-54302ea2ef4a", "spec_version": "2.0", "objects": [ { @@ -74,7 +74,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.553Z", + "modified": "2025-10-24T17:49:19.406Z", "name": "Compromise Hardware Supply Chain", "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", "kill_chain_phases": [ @@ -85,7 +85,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json b/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json index c3e9fcbd54..db1f944e4e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json +++ b/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--92fa5bb0-8132-4220-8829-2b8bc5ec2f6d", + "id": "bundle--2b07705a-00a3-47cc-9fdf-2a46bc090b40", "spec_version": "2.0", "objects": [ { - "modified": "2024-09-12T15:17:00.569Z", - "name": "Clipboard Data", - "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could detect usage of standard clipboard APIs.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created": "2017-10-25T14:48:19.996Z", 
@@ -71,8 +44,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:21.369Z", + "name": "Clipboard Data", + "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json b/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json index b2f246e7c3..548eb06c4e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json +++ b/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38334823-49a9-45e0-b829-29a18daf65c4", + "id": "bundle--cdd91da4-dd15-4688-b174-528062bb4577", "spec_version": "2.0", "objects": [ { 
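Review bot: In the Clipboard Data section the two substantive edits are hard to see, because the -1,36 and -71,8 hunks move about thirty lines of unchanged keys from the top of the object to the bottom. Those edits are `modified` going from `2024-09-12T15:17:00.569Z` to `2025-10-24T17:49:21.369Z` and `x_mitre_detection` going from the clipboard-API vetting sentence to `""`. In the other files of this diff the same edit is a one-line hunk, so this file was apparently serialised with a different key order before. Emitting the bundles with a fixed key order, and putting pure re-ordering in its own commit, would keep a removed detection note visible in review rather than buried in moved lines.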
@@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:44.671Z", + "modified": "2025-10-24T17:49:21.464Z", "name": "Modify System Partition", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "kill_chain_phases": [ @@ -53,7 +53,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json b/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json index aef4c566f2..f5f2d83aea 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json +++ b/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json 
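Review bot: The -53,7 hunk for Modify System Partition deletes the only visible text that cites `Android-VerifiedBoot` and `Apple-iOSSecurityGuide`; the `description` shown in the preceding hunk carries no citation markers. The `external_references` array lies outside both hunks, so this is inferred, but any entries with those source names would now be uncited. A check that every `external_references` entry is still referenced by a `(Citation: …)` marker would catch this across the batch. If the Verified Boot and attestation references are kept on purpose for defenders, the commit description should say so.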
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba970e12-53f2-43cf-ae4c-15ca9a5ccee5", + "id": "bundle--cd0d8269-7045-43d1-b7e7-c3e959f0ed02", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.742Z", + "modified": "2025-10-24T17:49:21.564Z", "name": "Data Manipulation", "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json b/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json index 1aadba04ee..863b6d9bf2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json +++ b/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2feb4be-9892-4fea-94f1-7243cab3787e", + "id": "bundle--5c96bfad-db16-4100-a970-571e38122820", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.890Z", + "modified": "2025-10-24T17:49:22.003Z", "name": "SMS Messages", "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json b/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json index 5baef27e2a..53bcc99214 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json +++ b/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--033b3a3c-0ff7-4dd5-82f7-5b58908b4338", + "id": "bundle--fa9c0a24-b1aa-44f9-86fc-a918f58eb6ac", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.035Z", + "modified": "2025-10-24T17:49:22.184Z", "name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json b/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json index 84ffee2814..444931000f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json +++ b/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a00009e-0b10-433b-8b62-7a983bb7996e", + "id": "bundle--bcea71a0-a232-44cc-b854-a68bb7de08bb", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.191Z", + "modified": "2025-10-24T17:49:22.267Z", "name": "System Runtime API Hijacking", "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json b/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json index 28af237f26..10698fcea5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json +++ b/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33a9aa37-c664-43af-8fa0-0fb51745c97c", + "id": "bundle--6f93d3d3-48e8-434f-844c-9dd0b1b29aa1", "spec_version": "2.0", "objects": [ { 
@@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:39.572Z", + "modified": "2025-10-24T17:49:22.801Z", "name": "Exploit Baseband Vulnerability", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json b/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json index 3cab3ec42e..5306bbc6af 100644 --- a/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json +++ b/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--19e3ab4f-6fae-4587-9b4d-b0ce6456ee5b", + "id": "bundle--42cc1fb5-3ad3-4061-bd27-b2bce2626728", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.358Z", + "modified": "2025-10-24T17:49:23.749Z", "name": "Credentials from Password Store", "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json b/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json index da48200be4..47323bf137 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json +++ b/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3bc4b54-c147-45a1-bc19-bdc1f6d7cf93", + "id": "bundle--43094616-f77c-401b-818c-149789ba1119", "spec_version": "2.0", "objects": [ { @@ -18,7 +18,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:39.824Z", + "modified": "2025-10-24T17:49:24.183Z", "name": "Hooking", "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", "kill_chain_phases": [ 
@@ -32,7 +32,7 @@ "J\u00f6rg Abraham, EclecticIQ" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json b/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json index 6fe5f352d2..c87f6a2568 100644 --- a/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json +++ b/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5681dd78-0369-4e92-abdb-59384365e449", + "id": "bundle--3312c3a3-8820-472d-8685-ed918f133939", "spec_version": "2.0", "objects": [ { 
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:45.045Z",
+ "modified": "2025-10-24T17:49:24.367Z",
 "name": "Install Insecure or Malicious Configuration",
 "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).",
 "kill_chain_phases": [
@@ -49,7 +49,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json b/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json
index 2272a86aa5..b160a08458 100644
--- a/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json
+++ b/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0598ec04-7b81-4ba1-8cdb-0b26a397b682",
+ "id": "bundle--46e333c2-4889-4f3d-ba26-578db203b2e2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:55.729Z",
+ "modified": "2025-10-24T17:49:24.899Z",
 "name": "File and Directory Discovery",
 "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json b/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json
index a278d944c5..093d15cce6 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eaaab2fb-2f50-4338-a365-a87e3d70a18d",
+ "id": "bundle--35191dce-d3bf-4447-9009-ebe8414c6a64",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:55.894Z",
+ "modified": "2025-10-24T17:49:25.462Z",
 "name": "Obfuscated Files or Information",
 "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ",
 "kill_chain_phases": [
@@ -40,7 +40,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json b/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json
index 8baf41a597..c7eec447d9 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c79ef2ed-852b-4f99-affa-63a5fd98dac1",
+ "id": "bundle--b50accf5-1fd0-4c02-8329-35230732fab4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:56.042Z",
+ "modified": "2025-10-24T17:49:25.635Z",
 "name": "Input Injection",
 "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)",
 "kill_chain_phases": [
@@ -52,7 +52,7 @@
 "Luk\u00e1\u0161 \u0160tefanko, ESET"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json b/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json
index a10860b771..1d8329cc94 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d860c8d-f97a-49c9-be24-85d5528c544a",
+ "id": "bundle--1cb6217c-5217-4ba7-b8bf-3797adda42d0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -64,7 +64,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:56.195Z",
+ "modified": "2025-05-19T15:21:04.030Z",
 "name": "Network Denial of Service",
 "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)",
 "kill_chain_phases": [
@@ -75,7 +75,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
@@ -85,7 +85,7 @@
 "Android",
 "iOS"
 ],
- "x_mitre_version": "1.3",
+ "x_mitre_version": "1.4",
 "x_mitre_tactic_type": [
 "Post-Adversary Device Access"
 ]
diff --git a/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json b/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json
index 80d4768ca8..ad8d739334 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9cc28013-7604-4522-924a-cddc0a8b95a0",
+ "id": "bundle--70947dc8-2407-4db5-9317-cc46f8d1e7c3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,7 +28,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:40.355Z",
+ "modified": "2025-10-24T17:49:26.629Z",
 "name": "Compromise Application Executable",
 "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)",
 "kill_chain_phases": [
@@ -39,7 +39,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json b/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json
index 38658f89f1..2a964b95eb 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--589b3dd1-29a5-45da-9111-3bb45b1a35c7",
+ "id": "bundle--d78a0108-80ff-433a-8abf-6e44295be51d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:56.521Z",
+ "modified": "2025-10-24T17:49:26.888Z",
 "name": "Event Triggered Execution",
 "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json b/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json
index 8d53b612b0..3144ab37ab 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--375725e4-a006-41e5-b313-70837e23a20c", + "id": "bundle--0198149b-db27-4331-ab71-abe371970703", "spec_version": "2.0", "objects": [ { - "modified": "2024-02-20T23:35:22.949Z", - "name": "System Network Configuration Discovery", - "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.4", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created": "2017-10-25T14:48:32.740Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:26.973Z", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.4", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json b/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json index 2bf8adef1e..69e8ea784f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json +++ b/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b086f69-48fd-43fb-beb2-28f4faf7f080", + "id": "bundle--d88fe625-69b1-4e12-881e-343242af65ee", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json b/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json index 5056156574..ff772ee587 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json +++ b/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62c2dda5-7738-4c6d-a87f-7d8999b75479", + "id": "bundle--f9976c90-3e20-46b5-a9c0-dae950454665", "spec_version": "2.0", "objects": [ { 
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:56.716Z",
+ "modified": "2025-10-24T17:49:28.248Z",
 "name": "Video Capture",
 "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json b/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json
index fe8757ead6..8968ba69c7 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--50824aaa-e437-42ec-8b8e-05fb2245fa89",
+ "id": "bundle--44685d54-89f3-434c-86fe-487ec46743a4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:56.869Z",
+ "modified": "2025-10-24T17:49:28.337Z",
 "name": "One-Way Communication",
 "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json b/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json
index 136098def4..a60436f847 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4a87d01d-6136-47a0-97fb-641e50cb2961",
+ "id": "bundle--5125592c-b1e7-4308-935e-ec00cce14ceb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -79,7 +79,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:45.413Z",
+ "modified": "2025-10-24T17:49:28.427Z",
 "name": "Deliver Malicious App via Authorized App Store",
 "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)",
 "kill_chain_phases": [
@@ -90,7 +90,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json b/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json
index 7d368b4627..e30db0711e 100644
--- a/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json
+++ b/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0948bb61-777f-4fa8-af4f-200004e77be2",
+ "id": "bundle--a01a3dc0-6d05-4b4b-bc80-55f3440eaa2a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.034Z",
+ "modified": "2025-10-24T17:49:28.514Z",
 "name": "Data Encrypted for Impact",
 "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json b/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json
index 27078a2c20..ae8b20b87c 100644
--- a/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json
+++ b/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json
@@ -1,34 +1,9 @@ { "type": "bundle", - "id": "bundle--3805e06a-1cd8-4348-86f4-d9b5622b1d84", + "id": "bundle--9c313d15-e1f7-4b1e-b3e6-947d5e13fc73", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-28T15:38:41.106Z", - "name": "Prevent Application Removal", - "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. 
If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_contributors": [ - "Shankar Raman, Gen Digital and Abhinand, Amrita University" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "created": "2022-04-01T18:44:32.808Z", 
@@ -49,8 +24,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:28.687Z", + "name": "Prevent Application Removal", + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. 
If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Shankar Raman, Gen Digital and Abhinand, Amrita University" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json b/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json index 99df8ef321..7e34be87b3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json +++ b/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b25e1d02-810a-4e47-81fe-86fc52adb781", + "id": "bundle--772b2431-2d7c-4dee-9604-e040159f24fa", "spec_version": "2.0", "objects": [ { 
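Review bot: The re-added `"x_mitre_detection": ""` replaces the only detection guidance Prevent Application Removal carried (reviewing the device-administrator list and registered accessibility services) with an empty string, and nothing on the new side says where that guidance went; the object body is split across this hunk and the previous one. The same blanking recurs in later hunks of this diff for System Network Connections Discovery, Lockscreen Bypass, Command-Line Interface, Contact List, Data from Local System, Account Access Removal, System Information Discovery, Clipboard Modification, Archive Collected Data and Geofencing. `x_mitre_version` stays at `"1.2"` here, so a consumer that syncs on version rather than on `modified` will not notice the loss, whereas Phishing in this same diff is bumped from `1.0` to `1.1` for a description change. If the guidance has moved to separate detection objects (presumably, but not visible in this chunk), I would either bump the version, e.g. `"x_mitre_version": "1.3"`, or omit the unused key instead of emitting `""`, so detection-coverage tooling can tell "moved" from "none".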
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.189Z",
+ "modified": "2025-10-24T17:49:29.321Z",
 "name": "System Network Connections Discovery",
 "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json b/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json
index b8fa1b9709..1bce718fcc 100644
--- a/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json
+++ b/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json
@@ -1,40 +1,9 @@ { "type": "bundle", - "id": "bundle--93f4cf33-431f-4935-81cf-e37f3c932a8b", + "id": "bundle--bccf22ac-731d-4fb0-ae07-8874e75b111b", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-29T19:45:39.608Z", - "name": "Phishing", - "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing\u201d. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. 
Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. 
This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_contributors": [ - "Vijay Lalwani", - "Will Thomas, Equinix", - "Adam Mashinchi", - "Sam Seabrook, Duke Energy", - "Naveen Devaraja, bolttech", - "Brian Donohue" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "created": "2023-09-21T19:35:15.552Z", 
@@ -55,8 +24,40 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-08-20T14:33:34.968Z", + "name": "Phishing", + "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing.\u201d Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. 
Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. 
This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Vijay Lalwani", + "Will Thomas, Equinix", + "Adam Mashinchi", + "Sam Seabrook, Duke Energy", + "Naveen Devaraja, bolttech", + "Brian Donohue", + "Lookout" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json b/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json index 1dc29fd442..7bc8927306 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json +++ b/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--171bdeb8-563e-46a6-b8e0-9feca24e012a", + "id": "bundle--e60dd52e-fe19-4871-a64b-1f72be044b06", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json b/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json index 26ac5b4847..7de3005917 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json 
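Review bot: The two sentences added to the Phishing `description` about executive impersonation and urgency in text messages carry no `(Citation: …)` marker, unlike the sourced claims in other objects of this diff such as Lockscreen Bypass. The second of them also overlaps the SMS bullet further down the same description. `x_mitre_detection` is `""` on both the old and new side, so after this change the technique has a longer narrative and still no inline detection guidance. I would add a marker such as `(Citation: <source name>)` with a matching `external_references` entry; that array lies between this hunk and the previous one, so whether a suitable entry already exists cannot be seen here.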
+++ b/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--95359c71-3406-4d2b-bb34-891078974247", + "id": "bundle--764023ad-9705-4d01-989a-406620c5a870", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-16T16:23:05.146Z", - "name": "Lockscreen Bypass", - "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. 
The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created": "2017-10-25T14:48:24.488Z", 
@@ -62,8 +39,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:29.764Z", + "name": "Lockscreen Bypass", + "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. 
The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json b/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json index 67ff4675f1..f130cb5745 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json +++ b/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--acbb0ed5-fc40-4f63-9567-bb6577e47682", + "id": "bundle--a3e3b96c-ce40-461e-be8a-67a31c0586b0", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:45.593Z",
+ "modified": "2025-10-24T17:49:30.335Z",
 "name": "Command-Line Interface",
 "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json b/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json
index 2b0fc3e9a1..265a8d0348 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fe631254-47b2-4ab5-83a0-94548de121e8",
+ "id": "bundle--5c79e53a-4e98-43d1-9e44-e19efeff833c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.342Z",
+ "modified": "2025-10-24T17:49:30.430Z",
 "name": "Contact List",
 "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ",
 "kill_chain_phases": [
@@ -35,15 +35,15 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
 "x_mitre_is_subtechnique": true,
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_platforms": [
- "iOS",
- "Android"
+ "Android",
+ "iOS"
 ],
 "x_mitre_version": "1.1",
 "x_mitre_tactic_type": [
diff --git a/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json b/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json
index 29cba70bd6..80b10f055a 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9315a40c-d843-4c06-ac34-f1aa21651b18",
+ "id": "bundle--98a942f3-5469-4223-b1be-e5ebd49b19bf",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.505Z",
+ "modified": "2025-10-24T17:49:30.706Z",
 "name": "Data from Local System",
 "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ",
 "kill_chain_phases": [
@@ -35,7 +35,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json b/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json
index 0da1369acd..cbbb7db554 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ab65e09f-0428-49b2-aae7-42251d97b35b",
+ "id": "bundle--568a3b15-3eb9-438b-bcb9-d64901cbe17e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.695Z",
+ "modified": "2025-10-24T17:49:31.052Z",
 "name": "Account Access Removal",
 "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. ",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json b/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json
index edce4a901b..84b39a5edd 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fceaa166-7b07-449b-935b-aec49a247828",
+ "id": "bundle--f08a31b9-d552-4fa5-bfbf-f6aec42f26d3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.841Z",
+ "modified": "2025-10-24T17:49:31.141Z",
 "name": "System Information Discovery",
 "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ",
 "kill_chain_phases": [
@@ -40,7 +40,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json b/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json
index e19f27f35f..a8481bddb9 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e2d9aebe-a3c7-4b95-85b2-7fd70bcc4966",
+ "id": "bundle--a5dffe8e-ee71-4542-b683-de7f732ffaa3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,10 +18,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:41.779Z",
+ "modified": "2025-10-24T17:49:31.232Z",
 "name": "Fake Developer Accounts",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json b/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json
index 20d66723f5..c9fa787a53 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4bf98fc0-e06c-4b8a-83f1-9ff34b7c0901",
+ "id": "bundle--4de0d06d-1248-479f-bec9-567f18741148",
 "spec_version": "2.0",
 "objects": [
 {
@@ -49,7 +49,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:45.935Z",
+ "modified": "2025-10-24T17:49:31.403Z",
 "name": "Clipboard Modification",
 "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)",
 "kill_chain_phases": [
@@ -60,7 +60,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json b/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json
index b1a11b36e7..559c0ef15b 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--184ed780-e852-472a-b407-57243c524cbe",
+ "id": "bundle--462a4031-0ce9-4026-9a9c-c368cfddece4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:57.990Z",
+ "modified": "2025-10-24T17:49:31.761Z",
 "name": "Archive Collected Data",
 "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. ",
 "kill_chain_phases": [
@@ -30,7 +30,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json b/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json
index cc4c48f0cd..ae64ce37b2 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5a690fe0-e66e-4b90-b073-52b7b8bb751b",
+ "id": "bundle--30413fc8-4424-4d2a-9253-ad0253db5824",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.143Z", + "modified": "2025-10-24T17:49:31.935Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", "kill_chain_phases": [ @@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json b/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json index 27c481ee97..33754e13c7 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2424c493-39bf-47f9-9c10-40be3e79b367", + "id": "bundle--3482ff32-4a0f-4ab2-8ac9-ee6ed3167bb1", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json b/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json index d06c565e69..713a94c8d8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json +++ b/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--088a9c8c-89e8-4241-b037-9dcc9941a5a5", + "id": "bundle--1d4ec79f-9b15-4abd-8b97-58e12b5324e4", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:46.301Z", + "modified": "2025-10-24T17:49:33.068Z", "name": "Capture SMS Messages", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "kill_chain_phases": [ @@ -34,7 +34,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json b/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json index 2e12e5a7e4..c9c59d99cf 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json +++ b/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0608669-428e-422c-84f5-9b59fc662574", + "id": "bundle--98da4ab6-dc3d-4098-97c2-93e0d439ea04", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json b/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json index bf909bc957..ea09ced2f3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json +++ b/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fd0e7b1-302e-4863-b8a7-f8bdc1158f5d", + "id": "bundle--458e0a2d-7eec-453e-9c92-82f8e62830ec", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.297Z", + "modified": "2025-10-24T17:49:33.803Z", "name": "Endpoint Denial of Service", "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json b/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json index bc5cf12f66..effa9f3e3f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json +++ b/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--389c7df0-a80b-48f0-a3c5-d0c472e44c07", + "id": "bundle--45ad1430-7aa6-4e9b-a6bd-3514d000327a", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.451Z", + "modified": "2025-10-24T17:49:34.162Z", "name": "Out of Band Data", "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json b/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json index 7cc0212c84..335a4f08b4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json +++ b/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b050df9-0cd2-49fe-8dd3-ac0e78193ed2", + "id": "bundle--d1861714-a4bd-412f-be7a-4605c3f50634", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.602Z", + "modified": "2025-10-24T17:49:34.332Z", "name": "Encrypted Channel", "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [ @@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json b/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json index 77322b7a1b..2dd03228d2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json +++ b/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc7cbe83-e3a3-4fdb-9255-d9f7a4164efb", + "id": "bundle--bbcd82de-08b6-433c-9099-5c2df52decb4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json b/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json index 1c6558fb84..fa38beea92 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json +++ b/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json 
@@ -1,34 +1,9 @@ { "type": "bundle", - "id": "bundle--521355ec-bbd3-4240-8e5b-4827188ebdef", + "id": "bundle--fcb9e6ab-7079-4778-af33-f262673e5b7f", "spec_version": "2.0", "objects": [ { - "modified": "2024-09-12T19:47:06.884Z", - "name": "Suppress Application Icon", - "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_contributors": [ - "Emily Ratliff, IBM" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. 
If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "created": "2022-03-30T20:06:22.194Z", 
@@ -69,8 +44,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:35.410Z", + "name": "Suppress Application Icon", + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. 
If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json b/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json index 1201446148..4d1ab93028 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json +++ b/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b616ad1-385e-4309-987b-eddf592df319", + "id": "bundle--f7e8ce3e-c1bf-41f3-b2d2-9a515e49191d", "spec_version": "2.0", "objects": [ { 
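Review bot: `"x_mitre_version": "1.1"` is identical on the removed and added sides, although this pair of hunks empties `x_mitre_detection` and moves `modified` from 2024-09-12 to 2025-10-24. A consumer that compares `x_mitre_version` to spot content changes would presumably miss the removal; if the project treats a cleared field as a content change, the version should move with it. Most of the two hunks is the same properties relocated from the top of the object to the bottom, which hides the one substantive edit because JSON key order carries no meaning. Keeping the serializer's key order stable between releases would reduce this diff to the `id`, `modified` and `x_mitre_detection` lines.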
@@ -34,7 +34,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:46.662Z", + "modified": "2025-10-24T17:49:35.592Z", "name": "Modify Trusted Execution Environment", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "kill_chain_phases": [ @@ -49,7 +49,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json b/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json index 2830a9ac61..6e8980b7a1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json +++ b/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b6bf6b5-ca3c-4510-8bc0-2e58d3b93d71", + "id": "bundle--b3b2fb5a-bbc5-43e6-ad21-2870f66c7a54", "spec_version": "2.0", "objects": [ { 
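Review bot: The removed `x_mitre_detection` string in the `@@ -49,7 +49,7 @@` hunk was the only visible place that used `(Citation: Apple-iOSSecurityGuide)`; the description shown in the preceding hunk cites only `Roth-Rootkits`. If the object's `external_references` list, which lies outside these hunks, still carries an Apple-iOSSecurityGuide entry, that entry is now unreferenced and should be removed or cited from a field that remains. The Domain Generation Algorithms hunk further down drops `(Citation: Data Driven Security DGA)` in the same way.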
@@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:42.990Z", + "modified": "2025-10-24T17:49:36.126Z", "name": "Device Unlock Code Guessing or Brute Force", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json b/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json index 39cb599cc2..751aeb3cda 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json +++ b/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff042f75-7708-4ca0-aadf-a5fd8d94dfd4", + "id": "bundle--074d3239-d475-4ae3-bec7-c5a63b6b8f42", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json b/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json index 9698359da2..86464cfbd0 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json +++ b/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a087bc25-79f4-46e3-8f72-bcb4ba6f31de", + "id": "bundle--7114ef3b-c619-45d5-9b4a-108e908e6e96", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.771Z", + "modified": "2025-10-24T17:49:38.098Z", "name": "Masquerading", "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "\n", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json b/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json index da71db3304..bb1c8a3c50 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json +++ b/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e07416d6-a119-4ed4-96c2-3c54fb131c61", + "id": "bundle--5af65bd6-b98d-403e-9f80-b96b638a4877", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json b/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json index eb4fad7f61..b83526d6cb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15f212a2-070c-41af-8a5c-c7e966c471e8", + "id": "bundle--81f1ec23-78fc-4a79-9b4a-f229ec0cbd9f", "spec_version": "2.0", "objects": [ { @@ -18,10 +18,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:43.339Z", + "modified": "2025-10-24T17:49:38.547Z", "name": "Malicious or Vulnerable Built-in Device Functionality", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json b/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json index a8d48859e7..9d45fe70cf 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json +++ b/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43767642-939b-4591-a757-c919622e4386", + "id": "bundle--80b7f923-7189-486e-8f0a-15885e9ba3ce", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.917Z", + "modified": "2025-10-24T17:49:38.813Z", "name": "Steganography", "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json b/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json index bc99727049..3c8707fb18 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json +++ b/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eedae8ab-507d-47d1-ac59-ade202a045e4", + "id": "bundle--c10a173d-5311-4a0c-9b22-45ea68e6f274", "spec_version": "2.0", "objects": [ { @@ -54,7 +54,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:47.575Z", + "modified": "2025-10-24T17:49:38.896Z", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "kill_chain_phases": [ 
@@ -65,7 +65,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json b/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json index cce2c18ee9..ac32784c44 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json +++ b/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fe3f616-bfa3-4343-8d85-a6931cdcfe17", + "id": "bundle--37d812ba-fc92-4a2a-a634-15600cde2600", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.084Z", + "modified": "2025-10-24T17:49:39.161Z", "name": "Hide Artifacts", "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", "kill_chain_phases": [ 
@@ -30,7 +30,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json b/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json index 93bc0c7675..d31258c7bd 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json +++ b/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf39faa1-333c-4dc4-8b75-b81d98f28385", + "id": "bundle--e3947d3c-ae6e-4039-b006-8e59d29c4605", "spec_version": "2.0", "objects": [ { @@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.231Z", + "modified": "2025-10-24T17:49:39.422Z", "name": "Code Signing Policy Modification", "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "kill_chain_phases": [ 
@@ -35,7 +35,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json b/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json index 8a9f29fdce..e5d158a847 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json +++ b/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6530786-9c61-46fa-8448-aa0d9f5e6211", + "id": "bundle--4d05d33e-d414-4bd3-8a52-4b833f5cf2f1", "spec_version": "2.0", "objects": [ { 
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:59.384Z",
+ "modified": "2025-10-24T17:49:39.530Z",
 "name": "Domain Generation Algorithms",
 "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.",
 "kill_chain_phases": [
@@ -40,7 +40,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json b/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json
index 8fa5179da6..e86218c022 100644
--- a/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json
+++ b/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c1bbd09c-5cd6-483f-8f29-390cb874c397",
+ "id": "bundle--f454b8df-61aa-412d-9ee7-baee2dbfbf76",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.531Z", + "modified": "2025-10-24T17:49:39.614Z", "name": "Drive-By Compromise", "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. 
Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "kill_chain_phases": [ @@ -40,7 +40,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json b/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json index 2820dac02b..e4495a025c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--89b00a4c-96bf-4ef3-aa3f-fa8363ed279c", + "id": "bundle--1f837521-d17d-4438-b5c6-5ba2591e3460", "spec_version": "2.0", "objects": [ { 
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:47.756Z",
+ "modified": "2025-10-24T17:49:39.785Z",
 "name": "Suppress Application Icon",
 "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)",
 "kill_chain_phases": [
@@ -45,7 +45,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json b/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json
index 51062b5cf1..39766e169b 100644
--- a/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json
+++ b/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c3bc172a-3329-48ee-9d00-caa4f1ca41dd",
+ "id": "bundle--119afecd-e316-4ad2-973a-e766e3d96874",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json b/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json
index 5daf4ee552..cc139d8844 100644
--- a/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json
+++ b/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d7e5af94-131c-48ba-9096-84b787de0aa4",
+ "id": "bundle--b60bf80d-c53a-4ad0-95f1-1582c84f4459",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json b/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json
index 8305141011..758f9ad57a 100644
--- a/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json
+++ b/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bd69ef8b-38d0-4de5-af38-eed6adea00d5",
+ "id": "bundle--3d2b69fa-eacd-4dc1-bcba-8ee305464964",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json b/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json
index a594c7a2cb..92a5d6cbfe 100644
--- a/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json
+++ b/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--07710d76-4015-41bf-92e7-d12e23af6913",
+ "id": "bundle--5b49031c-a497-4867-a016-706e2b41e0b7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json b/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json
index 817a564cd2..4b824a3d50 100644
--- a/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json
+++ b/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bd8c3b56-92be-4c3f-9d1b-25b707c7fd7e",
+ "id": "bundle--7147c4e2-4cb9-4281-b102-b937b36ef553",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json b/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json
index 2bec87c027..213b121820 100644
--- a/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json
+++ b/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e29a9461-a34f-4d9e-a0f6-e90c1c86af07",
+ "id": "bundle--cdf8750f-6b00-4a18-899a-469ae8b9feb7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json b/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json
index 678bbc409d..eb9ab1cb88 100644
--- a/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json
+++ b/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--282aeb24-d975-4ea6-9d11-ebea73d92771",
+ "id": "bundle--1d1eb523-3823-4ab0-800d-7cecef2fe5c5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json b/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json
index 727805d6f6..f3639b03ed 100644
--- a/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json
+++ b/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da839ff4-9845-42eb-8ff7-b156211a0bb7",
+ "id": "bundle--65c8deb2-eb66-48a9-b3b6-b9b32d322594",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json b/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json
index bd4559a4af..15f8d1dca2 100644
--- a/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json
+++ b/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5059f87-c127-4d7f-a608-df0682faa7d9",
+ "id": "bundle--e60e2e85-2b2a-4210-b52d-ba73c1ac671c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json b/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json
index 978893fe33..503b62cdfc 100644
--- a/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json
+++ b/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f1cc1f15-24e7-41b6-955b-eeb99f6d6d54",
+ "id": "bundle--c12c8252-f0cd-454a-81c3-4519aeb7e1e2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json b/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json
index 13e92bcfc7..a6feabd432 100644
--- a/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json
+++ b/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8c252bb6-052f-4615-b1ce-3acc9eeacb7c",
+ "id": "bundle--10e9c2d2-4803-462c-a478-2842433581c0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json b/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json
index fe11c7ca8e..8979f8a726 100644
--- a/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json
+++ b/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9421b9a4-dca9-441d-a287-c5c0eaee892f",
+ "id": "bundle--f0cc4b1b-0511-4bbf-86fe-768eb531ec57",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json b/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json
index d6eef32ee9..e561fae1df 100644
--- a/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json
+++ b/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--52445dbc-b7d5-4cb6-a4cb-86f45d48e8f1",
+ "id": "bundle--0afc8773-612b-49af-ae9d-1c1cb6682fd6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json b/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json
index f6918f25a3..778c25fa7d 100644
--- a/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json
+++ b/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5c39ef24-44d4-4a81-b238-5bfd079c5c0d",
+ "id": "bundle--8a20f719-30d1-43f8-9deb-1c4762d4820d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json b/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json
index 5a4f60c73e..cc5480a835 100644
--- a/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json
+++ b/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--25d8677c-d159-4db8-ad92-a5365cc1fbf9",
+ "id": "bundle--00d42b04-c4b3-4e77-bd64-c93994458e25",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json b/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json
index 244c0fc877..830231cb8e 100644
--- a/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json
+++ b/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e35ed1b5-034a-4f7c-9b6a-f599e495ce4e",
+ "id": "bundle--367804a9-27fd-4bce-9109-a7a664a2e516",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json b/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json
index fe91a0ef89..e3dc7a8527 100644
--- a/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json
+++ b/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4f1c2c1b-cfaa-4945-800d-bbcd3c5a738d",
+ "id": "bundle--aedac640-7c28-41b4-8e1a-5a1ed95fd669",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json b/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json
index 0bdb51cf75..782e036663 100644
--- a/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json
+++ b/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f54afa83-fa30-4d4e-b5a1-f0c4ea364b09",
+ "id": "bundle--ca8e9ff6-d9da-46c6-842a-135d5dadc1ef",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
index cdb0972442..9a264efd3a 100644
--- a/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
+++ b/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--96daeb21-76d8-40a7-b8d5-1f44d8abb80e",
+ "id": "bundle--e824de4a-425b-4bfa-8418-c111a5471674",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json b/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json
index fa62a34f0e..a228ecd89e 100644
--- a/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json
+++ b/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4c3d8168-1129-4324-a6a8-50ea871d0f7e",
+ "id": "bundle--7121035a-c221-4485-b4f1-ed99aa6df77a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json b/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json
index b17be04f55..0848063b92 100644
--- a/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json
+++ b/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0c7ba087-85ee-43b3-9015-c50844e829f7",
+ "id": "bundle--732da7e4-c55b-479b-b586-259ad6efd811",
 "spec_version": "2.0",
 "objects": [
 {
@@ -65,7 +65,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-22T21:56:33.318Z",
+ "modified": "2025-06-11T20:13:29.024Z",
 "name": "APT41",
 "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n",
 "aliases": [
@@ -76,7 +76,7 @@
 ],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "4.1",
+ "x_mitre_version": "4.2",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_contributors": [
 "Kyaw Pyiyt Htet, @KyawPyiytHtet",
diff --git a/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json b/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json
index c7b079a018..2e7cfee583 100644
--- a/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json
+++ b/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f577a925-6259-49bd-bc03-ea2226a7d8a3",
+ "id": "bundle--3287785a-dbf6-4d93-a706-e5375dfd6e13",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json b/mobile-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json
new file mode 100644
index 0000000000..6b3f3228a0
--- /dev/null
+++ b/mobile-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json
@@ -0,0 +1,147 @@ +{ + "type": "bundle", + "id": "bundle--0b288a4e-9627-4254-a2e4-965fc3f9184f", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0069", + "external_id": "G0069" + }, + { + "source_name": "MERCURY", + "description": "(Citation: Anomali Static Kitten February 2021)" + }, + { + "source_name": "Static Kitten", + "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "TEMP.Zagros", + "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "Mango Sandstorm", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "TA450", + "description": "(Citation: Proofpoint TA450 Phishing March 2024)" + }, + { + "source_name": "Seedworm", + "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "Earth Vetala", + "description": "(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "MuddyWater", + "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)" + }, + { + "source_name": "ClearSky MuddyWater Nov 2018", + "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. 
Retrieved November 29, 2018.", + "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" + }, + { + "source_name": "ClearSky MuddyWater June 2019", + "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", + "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" + }, + { + "source_name": "CYBERCOM Iranian Intel Cyber January 2022", + "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", + "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" + }, + { + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" + }, + { + "source_name": "Unit 42 MuddyWater Nov 2017", + "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" + }, + { + "source_name": "Talos MuddyWater Jan 2022", + "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", + "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" + }, + { + "source_name": "Anomali Static Kitten February 2021", + "description": "Mele, G. et al. (2021, February 10). 
Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", + "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Proofpoint TA450 Phishing March 2024", + "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" + }, + { + "source_name": "Reaqta MuddyWater November 2017", + "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.", + "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" + }, + { + "source_name": "FireEye MuddyWater Mar 2018", + "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. 
Retrieved April 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" + }, + { + "source_name": "Symantec MuddyWater Dec 2018", + "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-22T19:08:44.552Z", + "name": "MuddyWater", + "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", + "aliases": [ + "MuddyWater", + "Earth Vetala", + "MERCURY", + "Static Kitten", + "Seedworm", + "TEMP.Zagros", + "Mango Sandstorm", + "TA450" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "6.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Ozer Sarilar, @ozersarilar, STM", + "Daniyal Naeem, BT Security", + "Marco Pedrinazzi, @pedrinazziM" + ], + 
"x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] + } + ] +} \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json index d003cabadc..4f12d5ee14 100644 --- a/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json +++ b/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9857e731-408e-4dca-8e72-bbfcd24fc462", + "id": "bundle--2ccb4d51-2c11-4088-b7c8-1ee536684674", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json b/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json index 8f1a59aa1f..930ed283cb 100644 --- a/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json +++ b/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json 
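Review bot: Several citations in the new `external_references` list carry typos, and a few point at hosts that may have moved since the retrieval dates, which makes the sources harder to verify. `"Lancaster, T.. (2017, November 14)"` and `"Singh, S. et al.. (2018, March 13)"` have a doubled period, `"Microsoft . (2023, July 12)"` has a stray space, and `"Malhortra, A and Ventura, V."` looks like a misspelling of the author's surname and is worth checking against the cited Talos post. The `researchcenter.paloaltonetworks.com`, `www.fireeye.com` and `www.symantec.com/blogs` links should be confirmed to still resolve to the cited reports, or replaced with their current locations. Separately, the object lists `mobile-attack` in `x_mitre_domains`, but nothing in the description refers to mobile activity, so the relationships that justify the domain are presumably in other files of this commit.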
@@ -1,20 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--4990eb3f-cdb3-4901-b541-7956fb9838cd",
+ "id": "bundle--7a02bea9-f33a-4ad3-b19b-6b15e33fa7d0",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2024-04-04T21:24:48.602Z",
- "name": "Scattered Spider",
- "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)",
- "aliases": [
- "Scattered Spider",
- "Roasted 0ktapus",
- "Octo Tempest",
- "Storm-0875"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "2.0",
 "type": "intrusion-set",
 "id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b",
 "created": "2023-07-05T17:54:54.789Z",
@@ -30,6 +19,10 @@
 "source_name": "Roasted 0ktapus",
 "description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)"
 },
+ {
+ "source_name": "UNC3944",
+ "description": "(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)"
+ },
 {
 "source_name": "Octo Tempest",
 "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
@@ -53,6 +46,16 @@
 "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.",
 "url": "https://www.crowdstrike.com/adversaries/scattered-spider/"
 },
+ {
+ "source_name": "Mandiant VMware vSphere JUL 2025",
+ "description": "Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944"
+ },
+ {
+ "source_name": "Mandiant UNC3944 May 2025",
+ "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations"
+ },
 {
 "source_name": "Microsoft Threat Actor Naming July 2023",
 "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
@@ -72,12 +75,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T02:30:51.936Z", + "name": "Scattered Spider", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. 
(Citation: Mandiant UNC3944 May 2025)", + "aliases": [ + "Scattered Spider", + "Roasted 0ktapus", + "Octo Tempest", + "Storm-0875", + "UNC3944" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json b/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json index ccc645530f..919e1daffc 100644 --- a/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json +++ b/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c608aae1-024d-41a3-b69b-a58fe0a114fe", + "id": "bundle--ff9bfc3f-6195-457f-a85b-63dd4740860e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json b/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json index a9e3ae6d37..51b926d4fe 100644 --- a/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json +++ b/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--184230f2-7be6-4fa6-a200-9652d80575d8", + "id": "bundle--53dd4006-67fd-44bd-b319-d06145ea9d80", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json b/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json index fd16ec72d1..7f542309a9 100644 
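Review bot: In the `@@ -72,12 +75,24 @@` hunk for the Scattered Spider object (G1015), the rewritten `description` separates its three paragraphs with a single `\n`, while the Earth Lusca description in this same diff uses `\n\n`; a Markdown renderer will likely fold the single newlines into one paragraph. The third paragraph also switches tense with `had expanded into hybrid cloud and identity environments`, where the rest of the text uses present perfect, so `has expanded` looks like what was meant. The new text puts a space before every `(Citation: ...)` marker, unlike the removed text and the other objects in this diff; normalising it keeps citation parsing and later text diffs stable. Anything that keys enrichment or detection content on `aliases` needs a re-sync to pick up the added `UNC3944` entry.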
--- a/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json +++ b/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f03e09c4-8832-409c-98f3-9a4c5133f0b2", + "id": "bundle--9dcdb80b-c449-41de-8c98-4218beb60edd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json b/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json index 13cf2cb04b..d7aa2dcab6 100644 --- a/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json +++ b/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00ba15c6-ec51-4c9b-850c-1cd6ec68633d", + "id": "bundle--d008c995-a21f-4147-835d-c66e08fb3b10", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json b/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json index c8cd1c4fd3..5ed0b570e0 100644 --- a/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json +++ b/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b3a6ef8-dc67-44d7-a8c1-080fd2770945", + "id": "bundle--2186dd1a-9ac5-40ba-aba2-cbb25b6d3db8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410.json b/mobile-attack/intrusion-set/intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410.json new file mode 100644 index 0000000000..acfa2d5b9e --- /dev/null +++ b/mobile-attack/intrusion-set/intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410.json 
@@ -0,0 +1,81 @@ +{ + "type": "bundle", + "id": "bundle--4fc70041-bdb6-4e17-8f69-6993632257f7", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410", + "created": "2024-06-14T18:17:18.727Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1033", + "external_id": "G1033" + }, + { + "source_name": "Callisto Group", + "description": "(Citation: CISA Star Blizzard Advisory December 2023)" + }, + { + "source_name": "TA446", + "description": "(Citation: CISA Star Blizzard Advisory December 2023)" + }, + { + "source_name": "COLDRIVER", + "description": "(Citation: Google TAG COLDRIVER January 2024)" + }, + { + "source_name": "SEABORGIUM", + "description": "(Citation: Microsoft Star Blizzard August 2022)" + }, + { + "source_name": "CISA Star Blizzard Advisory December 2023", + "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.", + "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a" + }, + { + "source_name": "Microsoft Star Blizzard August 2022", + "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM\u2019s ongoing phishing operations. Retrieved June 13, 2024.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/" + }, + { + "source_name": "StarBlizzard", + "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. 
Retrieved February 13, 2024.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" + }, + { + "source_name": "Google TAG COLDRIVER January 2024", + "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.", + "url": "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-22T22:12:56.172Z", + "name": "Star Blizzard", + "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n", + "aliases": [ + "Star Blizzard", + "SEABORGIUM", + "Callisto Group", + "TA446", + "COLDRIVER" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Aung Kyaw Min Naing, @Nolan" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] + } + ] +} \ No newline at end of file 
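Review bot: The new Star Blizzard object (G1033) names one reference `StarBlizzard`, which breaks the publisher/topic/date pattern of its siblings `Microsoft Star Blizzard August 2022` and `CISA Star Blizzard Advisory December 2023`. A key such as `Microsoft Star Blizzard December 2023` would be easier to trace back to the source, though the rename also has to be applied to the matching `(Citation: StarBlizzard)` marker in `description`, and presumably to any other object that cites it. The `description` string ends with a stray `\n` after the last citation, which can be dropped.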
diff --git a/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json b/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json index 0c8d2a99ea..78fe7a3b49 100644 --- a/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json +++ b/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--119d56f9-ac22-4d84-a70d-6cdcc7dfee59", + "id": "bundle--2218a942-02f9-4a20-b199-b2af763ecde6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json b/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json index 977338b10c..c567112f36 100644 --- a/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json +++ b/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de4a339d-9b6b-4dad-86c7-b73fc10fa057", + "id": "bundle--6d394758-026b-416d-be9c-359a2872ca3d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json b/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json index 8e5acfb8e5..80491fa10a 100644 --- a/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json +++ b/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--9677ed9a-7858-45cb-b197-dc861414a46e", + "id": "bundle--c46b4ff3-8056-4539-a223-6ec82c73f064", "spec_version": "2.0", "objects": [ { - "modified": "2024-09-16T16:18:00.876Z", - "name": "Earth Lusca", - "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", - "aliases": [ - "Earth Lusca", - "TAG-22", - "Charcoal Typhoon", - "CHROMIUM", - "ControlX" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "2.0", "type": "intrusion-set", "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", "created": "2022-07-01T20:12:30.184Z", 
@@ -67,12 +55,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-06-06T14:55:18.144Z", + "name": "Earth Lusca", + "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", + "aliases": [ + "Earth Lusca", + "TAG-22", + "Charcoal Typhoon", + "CHROMIUM", + "ControlX" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json b/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json index a5e84d1b86..91b75c9065 100644 --- a/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json +++ b/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d097758b-48a6-4929-a506-af078a69ac59", + "id": "bundle--958efba2-2c03-4d71-ba5e-55279385c9b0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json b/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json index 5336fb89f3..cbf8eaa2e2 100644 --- a/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json +++ b/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af0b9745-0e19-41c6-b5eb-26bf2886764a", + "id": "bundle--b70d14c1-ebcb-4cb1-bcbe-f2163c7582df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json b/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json index 4283b08640..57dbc17ab5 100644 --- a/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json +++ b/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6c995b2-7e56-4be9-877c-7be6cfc9a3bb", + "id": "bundle--e1b4508b-6737-496d-bc99-50f1285bb5c8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json b/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json index ba830554e8..10ee3dbfa3 100644 --- a/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json 
+++ b/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--029f47a5-a40c-4d81-a03e-0a550bacbf0c", + "id": "bundle--fe245040-3df9-4885-8f31-6a30a8ad3dae", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json b/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json index 503d9a2cdf..190c2cf3b3 100644 --- a/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json +++ b/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d1bf1fa-3d2f-4a59-b4d1-53e6e26d3ec6", + "id": "bundle--96f58af4-2c6a-41cd-9cdc-11d2bb85eee2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json b/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json index 6c852f12b6..609876c6fa 100644 --- a/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json +++ b/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01b30d7e-51cd-45a4-b5c0-58f1fcc0e219", + "id": "bundle--149c82fb-1c41-40ab-a4e4-62538c780373", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json b/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json index 20c46e1d89..98c9d030b0 100644 --- a/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json +++ b/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76bcf313-903c-439e-a46f-5e3053c8d137", + "id": "bundle--19e0c72f-4c81-4b63-abc6-0f4ec1998abe", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json b/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json index 5f375d66a2..9880d6ce92 100644 --- a/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json +++ b/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--176cb065-22cf-48c7-9819-15d6ba5f5727", + "id": "bundle--2c1a07a5-102f-427d-bb75-c637c165c3f5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json b/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json index 67bc93a67b..1be974dc77 100644 --- a/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json +++ b/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b11e586-2f32-44d8-a0b8-54d4d8e11a12", + "id": "bundle--aab6bc0e-6aa2-4b23-962b-4918af059431", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json b/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json index 0c9801d421..df8e48cfd3 100644 --- a/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json +++ b/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e69d4721-23d4-424e-87de-e2991dcb78e5", + "id": "bundle--097a2a71-7e35-4f77-b683-89eb37d9079e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json b/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json index 13a3567315..3906525151 100644 --- a/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json +++ b/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de142922-e5f2-49df-8a6a-3aa49a396d60", + "id": "bundle--cb1793d4-b964-40d1-8a71-a713898d8b3e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json b/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json index e5c3c6c583..9fad39f65c 100644 --- a/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json +++ b/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f10df808-189f-448e-b566-271d3f1d0ef9", + "id": "bundle--b14d5186-4d3a-4ab7-8676-63b10d544f6e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json b/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json index 4dd8352d02..28ea38e6f4 100644 --- a/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json +++ b/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fa0a97f-a1dc-4228-9cbe-9c0225e35cea", + "id": "bundle--6e64531c-c677-4022-91af-87a9f2760dea", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json b/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json index 38c65e4f3d..a84130499c 100644 --- a/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json +++ b/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--205aa7f1-36a5-49f6-999c-47af2a319a56", + "id": "bundle--b4635e96-a771-4dfe-a776-f18e3d78c866", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json b/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json index c908641565..88d417adc1 100644 --- a/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json +++ b/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80494c95-4e05-4220-b781-bac7a38dc0e4", + "id": "bundle--babbf478-e794-4aae-8e07-635ab5f667d4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json b/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json index 242ff19dc0..c158994522 100644 --- a/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json +++ b/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--194628ab-dbe5-4c03-bd64-4a42a9e6d321", + "id": "bundle--7ec683b1-511c-4d81-a601-73c3bffc79be", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json b/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json index a550eed346..3e4b71b390 100644 --- a/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json +++ b/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--018785d0-76d3-4cca-a893-eece24e25b0a", + "id": "bundle--113eb762-1453-4360-9f1d-a0a592e9acae", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json b/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json index da72d12499..473aa26f1e 100644 --- a/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json +++ b/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ec964e8-00a2-4120-8698-811da021def1", + "id": "bundle--0c75842c-5fef-4351-94a9-28499cde5cd8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json b/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json index bd744e1693..300658e644 100644 --- a/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json +++ b/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6de806e7-d6a1-4ba9-877c-f4b78e319f80", + "id": "bundle--e0dd0dcd-f86c-487d-89e8-c1b8b7c46561", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json b/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json index aa72bd4836..572757b27c 100644 --- a/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json +++ b/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d624e3e3-dfaf-4503-b5fe-8b093da093a4", + "id": "bundle--65544fc5-6938-49aa-b3af-a4eff43f9321", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json b/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json index 5a5d73732e..fb25b7c0a1 100644 --- a/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json +++ b/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--258c7448-52f4-4574-a5af-5fe18bd8cb17", + "id": "bundle--4c727579-df6a-45e5-809c-b5d8c1eb4289", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json b/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json index cf9643483a..d6b2ccb712 100644 --- a/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json +++ b/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d82db3a7-14ba-4875-b2c4-b14c0bc087c6", + "id": "bundle--d742ea48-b926-4d52-a08e-3f2f892a11e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json b/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json index a2956201bf..3596995927 100644 --- a/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json +++ b/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42ca8c12-4fe6-4f33-8fcb-cffe01dece6d", + "id": "bundle--d6678035-79bd-42fe-a984-c135389c8da8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json b/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json index 5e50362210..20f2273075 100644 --- a/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json +++ b/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd86fc70-e77f-4e4b-b4cf-701c7efbbd94", + "id": "bundle--2796f927-8b05-4aed-81da-742f9f241141", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json b/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json index 006e92ed36..d00f53a241 100644 --- a/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json +++ b/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b53ba357-69b4-4b9c-a8a2-44a0dd20fb20", + "id": "bundle--6bcc0a00-d243-4bcc-8b9a-39b263c96386", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json b/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json index cd52aa2155..27306368f7 100644 --- a/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json +++ b/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b74c8d3e-b10e-416f-97e0-209ae13dd56d", + "id": "bundle--08112445-a9da-4908-97e1-458f143a86cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json b/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json index 225290d0b8..59169b82c6 100644 --- a/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json +++ b/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a9a745d-44b4-4b76-9e4f-a579c559030e", + "id": "bundle--eadefe7e-8668-41ff-92e0-631743b7cdd5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json b/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json index 44bc5e58dd..ac236f3cc3 100644 --- a/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json +++ b/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--602cbbf3-1991-47af-957c-44006c2ad0c5", + "id": "bundle--905f38ad-49b6-4e6a-acc7-6d7ec6d65708", "spec_version": "2.0", "objects": [ { 
@@ -19,14 +19,19 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:06.355Z", + "modified": "2025-10-24T03:53:35.020Z", "name": "Chameleon", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of [Chameleon](https://attack.mitre.org/software/S1083) has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" 
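Review bot: In the Chameleon (S1083) `description`, both citations now sit together at the very end, after the new sentence about the variant targeting the United Kingdom and Italy, so a reader can no longer tell which source supports which claim. The first two sentences were previously attributed to `cyble_chameleon_0423` alone. Keeping that marker right after `masquerading as official applications.` and placing `(Citation: ThreatFabric_Chameleon_Dec2023)` after the new sentence would preserve the attribution, although it should be confirmed that the UK/Italy claim comes from the ThreatFabric report. The string also ends with a trailing space before the closing quote, which can be removed. The object continues beyond this hunk.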
@@ -35,12 +40,13 @@ "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ - "Yasuhito Kawanishi, NEC Corporation", + "Liran Ravich, CardinalOps", "Manikantan Srinivasan, NEC Corporation India", - "Pooja Natarajan, NEC Corporation India" + "Pooja Natarajan, NEC Corporation India", + "Yasuhito Kawanishi, NEC Corporation" ], "x_mitre_aliases": [ "Chameleon" diff --git a/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json b/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json index 46acb651d2..dcfc35b687 100644 --- a/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json +++ b/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ded2d692-eb0e-4fe7-99bf-3a98b66348fd", + "id": "bundle--2c92b0d6-6bb6-46bd-89af-42f53812325f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json b/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json index 3919a74769..feec01a197 100644 --- a/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json +++ b/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fde5c9e-9c67-475d-9d50-ab6500afeb07", + "id": "bundle--41d5f42a-a8c1-4d58-9e55-71dcfd5bb994", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json b/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json index 6800c007d1..d7f5fc54b9 100644 --- a/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json +++ b/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d045361a-c001-4a33-9b0b-63ba9cbe7db0",
+ "id": "bundle--c28f7b92-31b4-4efe-afa2-30d5b971cf56",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json b/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json
index c1c33192d3..3968316d41 100644
--- a/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json
+++ b/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9dd44469-4537-400a-b828-164c668ef0d1",
+ "id": "bundle--de97ec3d-f44f-4dcb-bc71-afac5a705c48",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json b/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json
index dbf29f2c49..b232c4d233 100644
--- a/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json
+++ b/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1e553544-7ccf-4db3-a5a5-1f11a96af792",
+ "id": "bundle--56f7e21f-dd12-4da2-9695-ad7c182f25a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json b/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json
index 49baac007d..c09c5d16a8 100644
--- a/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json
+++ b/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9a3497c7-4000-4079-b15b-3acd3cbb9108",
+ "id": "bundle--02c2e782-d1f4-475f-9419-824c1c2344bb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json b/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json
index 117e1a2d18..7f84548a9e 100644
--- a/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json
+++ b/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--62407ee8-77a0-4243-bd7c-3ee0e5fb5a61",
+ "id": "bundle--bbfccabc-6a58-49e3-b1d8-376966a8852d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json b/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json
index 89c13c5975..e62c419492 100644
--- a/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json
+++ b/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9b40f3b0-179c-4833-8265-4b66b0ae74ce",
+ "id": "bundle--475b7646-b87d-4743-947b-80ca77d9c71e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json b/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json
index cdd06f79fb..4a83599cf0 100644
--- a/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json
+++ b/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2454581f-e327-4290-8ed6-5b545963dfe6",
+ "id": "bundle--41bd16c8-8724-4196-a13c-6314093cfdf8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json b/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json
index 3d88981de7..e7077f94bd 100644
--- a/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json
+++ b/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f0f7d5e8-f16f-4a32-83e7-700e12f62499",
+ "id": "bundle--1952474f-03f7-4c98-b93c-de69859974f5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json b/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json
index 84b5681d9a..ac7d2e8720 100644
--- a/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json
+++ b/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8e0eba56-7327-48ee-88f2-75c0f7fcb5ee",
+ "id": "bundle--8dff8b04-ac7a-4425-9012-77a97a681e26",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--3cf81957-489a-469f-b013-362d548a96c1.json b/mobile-attack/malware/malware--3cf81957-489a-469f-b013-362d548a96c1.json
new file mode 100644
index 0000000000..6c1d25fd2e
--- /dev/null
+++ b/mobile-attack/malware/malware--3cf81957-489a-469f-b013-362d548a96c1.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--a14a10b0-1967-4891-8542-65d467f04d9e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "malware",
+ "id": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "created": "2025-06-25T15:32:53.278Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1225",
+ "external_id": "S1225"
+ },
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-23T20:45:51.613Z",
+ "name": "CherryBlos",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. [CherryBlos](https://attack.mitre.org/software/S1225) was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. 
The threat actors behind [CherryBlos](https://attack.mitre.org/software/S1225) uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps"
+ ],
+ "x_mitre_aliases": [
+ "CherryBlos"
+ ],
+ "labels": [
+ "malware"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json b/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json
index f7ca7af883..67cfa88dd5 100644
--- a/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json
+++ b/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d4fc53db-402f-4b42-81e0-2daa19a600c3",
+ "id": "bundle--353952bd-e10b-46ae-b941-22b1351995d9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json b/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json
index 3eddc97b81..0917e36500 100644
--- a/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json
+++ b/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--23192494-df04-4e54-94c1-106d01cb192d",
+ "id": "bundle--cb9e9120-916a-4b96-a832-b1578f92c98a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json b/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json
index 10b0ba0132..031e4876fc 100644
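Review bot: `x_mitre_aliases` for the new CherryBlos object lists only `"CherryBlos"`, while its `description` says the names Robot 999, GPTalk, Happy Miner and SynthNet have been used, so a lookup keyed on aliases will not resolve reporting that uses those names. If they are tracked aliases, add them to `x_mitre_aliases`; if they are only the labels of the distributed apps, say so in the description instead of calling them aliases. Separately, on this page the description string breaks onto a new line after `SynthNet. `, which suggests a raw line-separator character inside the JSON string; the RatMilad description further down breaks the same way before `(Citation: ZimperiumGupta_RatMilad_Oct2022)`. If the files really contain one, replace it with a plain space or an escaped `\n`, since line-oriented consumers will split the record at that point.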
--- a/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json
+++ b/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8225914c-3be1-4da8-86b2-058a6661ccbe",
+ "id": "bundle--99faa7ba-efe5-42cd-8755-b5eb88cfef5d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json b/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json
index 7462e3b32e..009d2191f6 100644
--- a/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json
+++ b/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ea4f6a24-6b36-477e-b4f9-0ae3cc2cfb09",
+ "id": "bundle--bb8dd776-b190-4ccb-a619-a3ac13a0d361",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json b/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json
index 0bc6ad8214..bdf2e51643 100644
--- a/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json
+++ b/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ba78df88-7482-460b-8106-67ce1e8f4c2a",
+ "id": "bundle--d2dce2eb-2c34-4863-8eaa-6f0f839b8789",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json b/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json
index bae9dfcabf..9ae86916ef 100644
--- a/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json
+++ b/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c52f2c79-1509-4341-8c76-8d4b0b781d78",
+ "id": "bundle--d3a9588a-6e3c-47a3-b280-2cc26f124f63",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json b/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json
index fe99090980..3f57893670 100644
--- a/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json
+++ b/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--078173db-8581-4ed5-864b-7ece35d79af4",
+ "id": "bundle--dd008aec-7c31-43d7-9466-c0d5cd97957c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json b/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json
index 1524ca1e5a..f340eb2b48 100644
--- a/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json
+++ b/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5cecc078-7cc4-42ea-87ac-74a10836f91a",
+ "id": "bundle--4fba975a-e7e8-4997-ae32-506d1f460416",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json b/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json
index 53e1926d19..fee2543f29 100644
--- a/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json
+++ b/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--44ffbd63-e16e-4ef4-88af-7de254ec1d41",
+ "id": "bundle--c9012e16-d47c-4ab9-879b-fe36c151dc09",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json b/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json
index bb302578ef..3f15cc795d 100644
--- a/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json
+++ b/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1390f78f-a885-42ce-96e3-841cac60590c",
+ "id": "bundle--09c6715a-9b48-44de-8018-c333e198050b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json b/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
index f49bac149c..2d194c9d35 100644
--- a/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
+++ b/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5867293e-afd8-4b3a-b3b9-ce061956453c",
+ "id": "bundle--f8fb42eb-5878-43f3-a5f1-b5799676e289",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json b/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json
index fd34a73a3a..47b1f11be7 100644
--- a/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json
+++ b/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2435c37e-a048-4aff-88b2-bdbcdaedafae",
+ "id": "bundle--e6374ec6-1f9d-4c3c-bddd-3b15aae143b2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json b/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json
index 029e066b3b..4f57f0c8b5 100644
--- a/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json
+++ b/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--78e3b96e-0e7b-4648-b76c-dfc21ca91398",
+ "id": "bundle--0d66e6f3-c523-46c6-847d-ade4aa82c7ff",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json b/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
index f5f6924753..c337f8f3d5 100644
--- a/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
+++ b/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a2b5eb88-17c3-4558-b9cf-36c137925601",
+ "id": "bundle--b74ce2d4-d5ef-4b77-ae04-4d21d0a39287",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json b/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json
index 5f72eccf3d..bcf8db3045 100644
--- a/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json
+++ b/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e99ae21c-5916-4960-9ec2-469910e7f137",
+ "id": "bundle--206ad1ee-1190-4e63-b5e7-241423e8d2ae",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json b/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
index 4fa79cce75..71947a7b41 100644
--- a/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
+++ b/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bef74844-5420-4513-9d83-2aee182baf50",
+ "id": "bundle--b90e2a78-c852-4a00-8e7c-6b71cc6665c1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json b/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
index a3fb480a46..7a07412da7 100644
--- a/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
+++ b/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--92300d65-d2a3-4dae-9ef9-6948eb116ad4",
+ "id": "bundle--39c5700a-7972-4365-82f2-3e6726f8be11",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json b/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
index 32be2f30e8..774217fa98 100644
--- a/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
+++ b/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--560ff962-f83e-489d-a0fb-cde2f317f2b5",
+ "id": "bundle--0cb92ffd-e949-4da0-9fff-c2ae911775cf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b.json b/mobile-attack/malware/malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b.json
new file mode 100644
index 0000000000..42c7e73d96
--- /dev/null
+++ b/mobile-attack/malware/malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--8f495545-9107-41c2-92ca-7fa69b6ed1c3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "malware",
+ "id": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "created": "2025-09-18T14:36:13.709Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1241",
+ "external_id": "S1241"
+ },
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-24T03:26:04.908Z",
+ "name": "RatMilad",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of [RatMilad](https://attack.mitre.org/software/S1241) have been disguised as VPN applications and a fake app named NumRent. Upon installation, [RatMilad](https://attack.mitre.org/software/S1241) employs multiple [Collection](https://attack.mitre.org/tactics/TA0035) techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. 
(Citation: ZimperiumGupta_RatMilad_Oct2022)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Google's Android Security team"
+ ],
+ "x_mitre_aliases": [
+ "RatMilad"
+ ],
+ "labels": [
+ "malware"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d.json b/mobile-attack/malware/malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d.json
new file mode 100644
index 0000000000..1244b883ac
--- /dev/null
+++ b/mobile-attack/malware/malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--d8f617df-03bf-4989-bb2a-c0540a78675e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "malware",
+ "id": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "created": "2025-10-08T14:33:07.304Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1243",
+ "external_id": "S1243"
+ },
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-24T03:50:18.603Z",
+ "name": "DCHSpy",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) is an Android spyware likely used by [MuddyWater](https://attack.mitre.org/groups/G0069). [DCHSpy](https://attack.mitre.org/software/S1243) uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, [DCHSpy](https://attack.mitre.org/software/S1243) collects information from the device and exfiltrates the data to the command and control (C2) server.(Citation: Lookout_DCHSpy_July2025) ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Kaung Khant Ko"
+ ],
+ "x_mitre_aliases": [
+ "DCHSpy"
+ ],
+ "labels": [
+ "malware"
+ ]
+ }
+ ]
+}
\ No newline at end of file
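Review bot: The citation text for `Lookout_DCHSpy_July2025` has a stray space before the period, `...Israel-Iran Conflict . Retrieved September 19, 2025.`; it should read `...Israel-Iran Conflict. Retrieved September 19, 2025.`. The `url` slug spells the name `dchsy` while the object is named DCHSpy; that may be the publisher's own slug, but it is worth confirming the link resolves before release, because a dead reference would leave the MuddyWater attribution in the description without a checkable source.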
diff --git a/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json b/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json
index 89a7a8750a..5a6614f615 100644
--- a/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json
+++ b/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6bf1bcef-be94-4334-948f-ac111cd785df",
+ "id": "bundle--90edfd3b-6cc6-425d-ae52-e9a7f1448f35",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json b/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json
index a5e8293c87..30b06e0908 100644
--- a/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json
+++ b/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--510fc62f-cf94-4298-8430-f9d1a4f0b3ed",
+ "id": "bundle--a9f97276-a4f2-4591-b563-837b60458c95",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json b/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json
index 023f736bce..07f6ecf097 100644
--- a/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json
+++ b/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--76f5f0df-918e-444c-ae5c-6f7b43cc613e",
+ "id": "bundle--348ba3cd-ccfb-4d62-bd80-afe822635aab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json b/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json
index ce2f03dd7a..1d44b6a62c 100644
--- a/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json
+++ b/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4051bcd3-ecb0-4eaa-b980-33ceb5f11be3",
+ "id": "bundle--c6e467e6-c308-49db-9836-3a99d90cde38",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json b/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json
index f11ecdc5f2..df461bec8f 100644
--- a/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json
+++ b/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7406e6c1-6e19-4698-84a2-4e53bb4ef27a",
+ "id": "bundle--cca669fc-96b9-4354-9442-bd9ae4318c9c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json b/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
index 3bd798e5f5..bbcb436913 100644
--- a/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
+++ b/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--48417762-1762-4ba0-ad2e-357a07040c47",
+ "id": "bundle--31da73e6-dd03-4f7d-b384-d180857fd86a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json b/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json
index c4da92451e..5f5318ab68 100644
--- a/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json
+++ b/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4368f68c-1099-4b03-9a68-786c833c910b",
+ "id": "bundle--3ada1ee2-4e0a-48e2-a3f9-33dc3cce6d15",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json b/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json
index ee5aa26fce..942f175515 100644
--- a/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json
+++ b/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c325778c-f40f-49b7-9fbb-9722c529798e",
+ "id": "bundle--88d42f87-5cb7-42fd-bbe1-e65aaeaf9019",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json b/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json
index 3f87e5f6ce..e1e1a8e617 100644
--- a/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json
+++ b/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7a55cb72-269e-443d-9811-3d8d4458f60a",
+ "id": "bundle--72e5ad86-de01-427d-b7b5-08f64f9f4201",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json b/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json
index 96f35ff895..10e04519be 100644
--- a/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json
+++ b/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2271986b-277a-425e-a9a5-a11009a796be",
+ "id": "bundle--a1d84452-c0ea-4f19-8ac3-4f43856335b6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json b/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json
index 1d49fd9312..9615145bd0 100644
--- a/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json
+++ b/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--321025e3-00c4-4387-b714-233852b5514f",
+ "id": "bundle--4f8dafa4-5912-4618-9b1f-12d708c00634",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json b/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json
index 4e8cf37808..49390f730d 100644
--- a/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json
+++ b/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--61fa1323-ecb0-4703-b15f-937912c019e1",
+ "id": "bundle--7782c539-4eaa-4510-9aa0-6dbd0bf37a36",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json b/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json
index 4bc5201403..3a68fc7071 100644
--- a/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json
+++ b/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b6b49ef1-5fcf-4ae8-9c5c-7741760508dd",
+ "id": "bundle--dc867c15-a129-4a69-81db-83606e9f0889",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json b/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json
index b760d671cf..fbba982be4 100644
--- a/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json
+++ b/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--06c4094a-15de-4d0c-b860-bbed8e3f7bf4",
+ "id": "bundle--0cb708ab-9d8a-43e2-8c77-2adf5c5d9bda",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json b/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json
index 9317ff6ca3..8b6ed3229c 100644
--- a/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json
+++ b/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a70fd926-3fa2-483e-9502-e0abbf06881d",
+ "id": "bundle--4a97cd90-87ee-4857-8282-4bfbc44c5521",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json b/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json
index 4848164410..1bced8e1e8 100644
--- a/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json
+++ b/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b4c470dc-96e4-4951-bd04-8c27d706eef3",
+ "id": "bundle--74b604ba-2172-403e-a6bc-add87a01ba9e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json b/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json
index a78eb4998a..8c53c73b8f 100644
--- a/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json
+++ b/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ce541447-f339-4b9c-ab47-f6170e6dcfa8",
+ "id": "bundle--30873075-57a4-4148-b32d-3a4b4d9ef4a5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json b/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json
index a2755fda67..d0bd885158 100644
--- a/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json
+++ b/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7b9b716-4ec2-4e11-84b4-7baca032afbf", + "id": "bundle--ac46f247-937d-4a9d-abf4-89506eab8389", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json b/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json index c04598b49f..2e8dc2e454 100644 --- a/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json +++ b/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3da470be-b74b-4bc9-a353-f7d5f69eaa90", + "id": "bundle--d991de18-2102-45fc-b5df-a2059790fbaf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json b/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json index b10eb2a350..95f90b87d2 100644 --- a/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json +++ b/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f95bc61-b685-463a-b8b0-2af63d3f929e", + "id": "bundle--76027b7a-2500-4849-80d3-bd1986121f01", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json b/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json index f73461d0c9..eb24d8dab6 100644 --- a/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json +++ b/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d857fa5-9fb7-4b55-9963-1f4dd97ce2b8", + "id": "bundle--2ea00efb-a48a-4abf-9486-3886fa893d7a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json b/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json index 761fb04c79..07772b65f8 100644 --- a/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json +++ b/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8f94c4c-3272-407f-8e04-ff9f03ea2db9", + "id": "bundle--b16e8230-0a4a-4801-b49a-e7aaba6a3445", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json b/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json index 8e30e30358..0db845d2c2 100644 --- a/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json +++ b/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24ef7c4f-970d-4438-a110-b6b239c3ab50", + "id": "bundle--d83294e0-016d-4712-bbdf-d63fd0dc6b22", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json b/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json index af704e4be2..b5a73ffa13 100644 --- a/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json +++ b/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3649a08-0710-44b0-93c8-9a7f6a612fd7", + "id": "bundle--85354285-e836-4ee3-96a1-d0a1b45aba79", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json b/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json index 7401cb0042..0851ff9d51 100644 --- a/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json +++ b/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa0db2ce-acce-452a-9166-c092780fe684", + "id": "bundle--00531b05-4fdd-40de-ba5f-e5d98f58ccab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json b/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json index d944f58fe4..b5f46646bf 100644 --- a/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json +++ b/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ee64e09-b3a6-4bdd-8ce7-cae8e2f896ac", + "id": "bundle--6d80b0fc-0ec0-49ce-a114-af21a7342706", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--bf064476-25b8-493c-a1e7-dd707b3f7f52.json b/mobile-attack/malware/malware--bf064476-25b8-493c-a1e7-dd707b3f7f52.json new file mode 100644 index 0000000000..f7cb818b3e --- /dev/null +++ b/mobile-attack/malware/malware--bf064476-25b8-493c-a1e7-dd707b3f7f52.json 
@@ -0,0 +1,56 @@
+{
+ "type": "bundle",
+ "id": "bundle--7eccae3e-f563-42c8-9715-9eb402e73111",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "malware",
+ "id": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "created": "2025-08-29T21:53:36.156Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1231",
+ "external_id": "S1231"
+ },
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ },
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-24T03:31:15.830Z",
+ "name": "GodFather",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, [GodFather](https://attack.mitre.org/software/S1231) targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. (Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Google's Android Security team"
+ ],
+ "x_mitre_aliases": [
+ "GodFather"
+ ],
+ "labels": [
+ "malware"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json b/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json
index ad02699b86..06a00d7080 100644
--- a/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json
+++ b/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6f66eda-a1c6-4e7e-99c5-fc95a75e29b9",
+ "id": "bundle--14453287-ac0c-40b0-9abf-43d2fccb8b4e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json b/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json
index d453ba9431..af3d610f10 100644
--- a/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json
+++ b/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6dc2df0-a2ba-487d-a356-80e8223e2be1",
+ "id": "bundle--7d11c62a-e264-4275-9435-e49cde7dc44a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json b/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json
index d07df935d3..db6a2a2a39 100644
--- a/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json
+++ b/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json
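Review bot: The Zimperium reference in the new GodFather object gives its authors as `Ortega, F. Pratapagiri, V.`, with no separator between the two names, so a reader or citation parser sees one malformed author. Writing it as `Ortega, F., Pratapagiri, V. (2025, June 18). ...` matches the two-author form used by the DCHSpy reference added later in this commit. The same entry's URL slug ends in `the-dark-side-of-the-virtualization` while the title reads "The Dark Side of Virtualization"; that may simply be the publisher's slug, but it is worth confirming the link resolves, since this reference is the one backing the description's virtualization claims.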
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aeb55084-8ee4-4b3b-9e4d-870abec6048d", + "id": "bundle--baa1bc79-b06d-4090-a78d-52db35eff31c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json b/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json index 55f863106c..979c4395d9 100644 --- a/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json +++ b/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b193b245-8e28-4804-85a3-463df9914013", + "id": "bundle--0601d64b-0df6-407b-8b29-a0faf4f03beb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json b/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json index d5c5c7957d..e50eadddcc 100644 --- a/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json +++ b/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b81d42fe-ac18-43ee-a614-d8f2b5a96e32", + "id": "bundle--a1c7a45e-860b-4572-86d0-c1b1c5b959c5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json b/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json index 6db246b6dd..ec6acf71db 100644 --- a/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json +++ b/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04bc6a74-d3a9-4fb9-bb60-7164692c1d41", + "id": "bundle--6f3a75a9-ede2-4747-b204-0ebf32b20508", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json b/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json index 18f2930cf5..b080168804 100644 --- a/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json +++ b/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bdf9acc6-f29e-4b44-ba79-7ed5eb22253e", + "id": "bundle--fc24ea80-ac32-4904-ac4e-0ecd9d5b2df7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json b/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json index 749c044323..e96b1c193c 100644 --- a/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json +++ b/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59029a6a-49d4-4c59-ba2a-e131f3c79b01", + "id": "bundle--6761997c-5ec4-4094-9abd-e52aa2d946da", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json b/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json index 0f395295be..a8179f3f24 100644 --- a/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json +++ b/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2322e16d-fa97-4422-ae77-4b57b402ab8e", + "id": "bundle--bf610fbe-37cb-4615-865a-e36d70775503", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json b/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json index ca796f46b5..27642627cb 100644 --- a/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json +++ b/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94cbb910-fe66-4b07-96b6-ffd938cd5337", + "id": "bundle--8023d64f-6e0b-43fc-a828-dffc3d01b6ee", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json b/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json index d39dbe4409..8e8ed66eb8 100644 --- a/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json +++ b/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cf26a17-ca61-4729-bfec-edafe1511325", + "id": "bundle--664fc83b-4ce8-4f79-ac73-3922f7a71675", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json b/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json index 472bb5fffb..199c7a69df 100644 --- a/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json +++ b/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5912039b-3cbe-4802-8e46-a6efe87bf171", + "id": "bundle--f29783ef-98df-47f8-8923-e3194419ecb5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json b/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json index 4f1a39d120..c927962ffd 100644 --- a/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json +++ b/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01497b50-09cb-4253-b61e-39365d23bf52", + "id": "bundle--2e90bace-b337-4004-98fe-260d93615549", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json b/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json index 0a4d2a0c0e..c52f707618 100644 --- a/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json +++ b/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e89eea32-ced8-416a-9116-0559d6b4d0f5", + "id": "bundle--33cdf2e5-bb7d-4a42-88c5-195c911c070a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json b/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json index 8b32c98530..c61c277831 100644 --- a/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json +++ b/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7fc145d-0598-485e-9044-26062f70ce3b", + "id": "bundle--cb3aff6b-c161-4817-9319-72f4d860fc8c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json b/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json index 133ed026b4..19c5866aa9 100644 --- a/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json +++ b/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3901e4b1-098f-4cfe-8f8e-c2d304c8c392", + "id": "bundle--01c7c618-af29-43ed-8530-85cb274008c9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json b/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json index 3f5f3a0da9..c80597ee71 100644 --- a/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json +++ b/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5739ab0a-1838-49df-a773-3e30d647351f", + "id": "bundle--75ef4d4f-a179-4336-a6a8-54ca15a5557e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json b/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json index b3d41ba7b3..6e4dd6a133 100644 --- a/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json +++ b/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a22c533d-5684-42aa-aeee-051a52939e12", + "id": "bundle--5b5912b0-10bb-489d-91e2-c996ca66b6be", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json b/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json index 0373d522a3..1ae70fa131 100644 --- a/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json +++ b/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71a6bd90-18a9-4eac-8b3f-c09d460f0809", + "id": "bundle--9b236da3-2454-4736-bb14-e2c39be8ae89", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json b/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json index 2950650afc..8d39c03a2c 100644 --- a/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json +++ b/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8e7ee18-7f60-42e5-904c-eb230fa9c3eb", + "id": "bundle--c77b83bd-1a4c-4d8f-93de-a5f7639cf61a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json b/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json index a0a0e96895..b0d1c214fb 100644 --- a/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json +++ b/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d49725b3-e9fd-4490-bf7f-0796401099fd", + "id": "bundle--9682ae65-1e73-4834-877a-4c91900d5d7c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json b/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json index 33fab72cd5..679e9df1a2 100644 --- a/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json +++ b/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34fa579b-c98e-4f42-b55c-ab317cef5e89", + "id": "bundle--6ad69602-9168-4e2a-96f6-5716b06cf86a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json b/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json index f3e99f6200..4287705230 100644 --- a/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json +++ b/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4244e64-81ee-43cb-a624-8fc42a1f5289", + "id": "bundle--ccbae539-7503-406f-a199-a799b38f4f68", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json b/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json index e2f7a82edc..0391e15cdc 100644 --- a/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json +++ b/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--758e8948-0925-4c67-ac6a-0ebdd0ab664c", + "id": "bundle--d713dc5d-1896-4a0d-8b39-8122b6ce6a6d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json b/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json index f71c8801f9..50d7ce9377 100644 --- a/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json +++ b/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da955984-860d-4bbd-91f3-9cbe99e5b399", + "id": "bundle--313ed275-4124-4881-a959-05f2a7ad50bc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json b/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json index 4777b33527..9f43039752 100644 --- a/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json +++ b/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a8f7e53-eff6-44fd-823e-9cf94781e09f", + "id": "bundle--264d9f0a-0147-46af-b748-99a5d72a6cb1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json b/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json index c28da694e7..642dbf48ba 100644 --- a/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json +++ b/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6750ddd2-7ba4-48d0-9da2-2fa41d15d996", + "id": "bundle--6300446d-ab54-4cdd-a55a-a84e75fca0ba", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json b/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json index 7cffff9822..1454d7382b 100644 --- a/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json +++ b/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--370f9ca2-4b91-4485-804b-1d62165e7fec", + "id": "bundle--f1fa16d9-05ed-48f4-8b55-f95e5c6503ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json b/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json index d2186c6bc6..27f37be0c9 100644 --- a/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json +++ b/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afda4544-a453-49f3-88ec-002deb232c54", + "id": "bundle--3e1a8c2d-dd80-41ca-b6ee-db6c70e45218", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json b/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json index de72306171..109f54a85b 100644 --- a/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json +++ b/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--321e2917-9a2d-4ebb-904e-0bde199ee765", + "id": "bundle--90ce52f7-f1df-4dee-92f9-fbb8e62d5864", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json b/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json index 97d4426531..b09feb6cf8 100644 --- a/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json +++ b/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94bcf961-77c2-475e-8118-41562196d8a8", + "id": "bundle--8792a439-0306-4cee-8377-ba9bfd1b43fb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json b/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json index f406197bd0..2a7153774d 100644 --- a/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json +++ b/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84890ff1-2e3f-46fc-901e-8fdb1a5ca34f", + "id": "bundle--891ac698-c611-48bb-88c2-bb7d69b9014c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json b/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json index 584675aca9..fd0afc0257 100644 --- a/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json +++ b/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7497ed3e-9e98-435a-a78d-51712c3b7cbf", + "id": "bundle--95c132c0-e2e6-4eb5-94db-ee51eb0e7a45", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json b/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json index 4c1d317822..99789eab5b 100644 --- a/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json +++ b/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a89b3a6d-144c-4b91-ae62-f3cbe3f0cff3", + "id": "bundle--d7897d21-aca3-456b-aa9e-09fc6cc50958", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json b/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json index 3a11b653d6..fd975fd8f3 100644 --- a/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json +++ b/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a547e46b-33c0-423f-a640-7bc1441449ef", + "id": "bundle--550b8e1c-841e-48c2-9a6c-c6103d1910a3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json b/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json index a4f6b2f897..f9b9cac4ca 100644 --- a/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json +++ b/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc86bae9-0661-4d4a-976f-7dd944e777e7", + "id": "bundle--3553a4ac-dc11-4554-a640-79bc81fa9b48", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json index 15f47e8cad..04ae81bd7e 100644 --- a/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json +++ b/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ccf7cd2-b5c5-41a2-beba-3027693b7dd5", + "id": "bundle--52303e22-8873-42fd-8a27-cdf8523fedaa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/mobile-attack.json b/mobile-attack/mobile-attack.json index a418cd5cb0..63867fd204 100644 --- a/mobile-attack/mobile-attack.json +++ b/mobile-attack/mobile-attack.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--efcd6a1f-1bef-46ed-9811-e86464c908c6", + "id": "bundle--714b62b3-f0d6-467f-89b9-49c62ea75d24", "objects": [ { "type": "x-mitre-matrix", 
@@ -1563,14 +1563,19 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:22:06.355Z",
+ "modified": "2025-10-24T03:53:35.020Z",
 "name": "Chameleon",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of [Chameleon](https://attack.mitre.org/software/S1083) has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_platforms": [
 "Android"
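Review bot: In the rewritten `description`, both citations now sit after the final sentence, so the Australia/Poland statement is no longer attributed to its own source and a reader cannot tell which report supports which claim. Placing `(Citation: cyble_chameleon_0423)` directly after `masquerading as official applications.` and leaving `(Citation: ThreatFabric_Chameleon_Dec2023)` after the variant sentence keeps the per-claim attribution the removed text had. The new string also ends with a space before the closing quote (`...Dec2023) "`), which is worth trimming so exact-match comparisons of the field do not differ on whitespace. The Chameleon object begins before this hunk and continues past it.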
@@ -1579,12 +1584,13 @@
 "x_mitre_domains": [
 "mobile-attack"
 ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_version": "2.0",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_contributors": [
- "Yasuhito Kawanishi, NEC Corporation",
+ "Liran Ravich, CardinalOps",
 "Manikantan Srinivasan, NEC Corporation India",
- "Pooja Natarajan, NEC Corporation India"
+ "Pooja Natarajan, NEC Corporation India",
+ "Yasuhito Kawanishi, NEC Corporation"
 ],
 "x_mitre_aliases": [
 "Chameleon"
@@ -2086,6 +2092,50 @@
 "malware"
 ]
 },
+ {
+ "type": "malware",
+ "id": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "created": "2025-06-25T15:32:53.278Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1225",
+ "external_id": "S1225"
+ },
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-23T20:45:51.613Z",
+ "name": "CherryBlos",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. [CherryBlos](https://attack.mitre.org/software/S1225) was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind [CherryBlos](https://attack.mitre.org/software/S1225) uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Liran Ravich, CardinalOps"
+ ],
+ "x_mitre_aliases": [
+ "CherryBlos"
+ ],
+ "labels": [
+ "malware"
+ ]
+ },
 {
 "type": "malware",
 "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68",
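Review bot: The `description` of the new CherryBlos object says the malware was labelled Robot 999 and has since used aliases including GPTalk, Happy Miner, and SynthNet, but `x_mitre_aliases` lists only `CherryBlos`, so an analyst or tool matching one of those names against the alias field will not land on S1225. If they are aliases of the family, add them to `x_mitre_aliases`; if they are instead the names of the applications that carried the malware (not determinable from this hunk), the description should say so rather than call them aliases. The description string also ends with a space before the closing quote, which is worth trimming.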
@@ -2878,6 +2928,94 @@ "malware" ] }, + { + "type": "malware", + "id": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "created": "2025-09-18T14:36:13.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1241", + "external_id": "S1241" + }, + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-24T03:26:04.908Z", + "name": "RatMilad", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of [RatMilad](https://attack.mitre.org/software/S1241) have been disguised as VPN applications and a fake app named NumRent. Upon installation, [RatMilad](https://attack.mitre.org/software/S1241) employs multiple [Collection](https://attack.mitre.org/tactics/TA0035) techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. 
(Citation: ZimperiumGupta_RatMilad_Oct2022)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Google's Android Security team" + ], + "x_mitre_aliases": [ + "RatMilad" + ], + "labels": [ + "malware" + ] + }, + { + "type": "malware", + "id": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "created": "2025-10-08T14:33:07.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1243", + "external_id": "S1243" + }, + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-24T03:50:18.603Z", + "name": "DCHSpy", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) is an Android spyware likely used by [MuddyWater](https://attack.mitre.org/groups/G0069). [DCHSpy](https://attack.mitre.org/software/S1243) uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. 
Once downloaded, [DCHSpy](https://attack.mitre.org/software/S1243) collects information from the device and exfiltrates the data to the command and control (C2) server.(Citation: Lookout_DCHSpy_July2025) ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Kaung Khant Ko" + ], + "x_mitre_aliases": [ + "DCHSpy" + ], + "labels": [ + "malware" + ] + }, { "type": "malware", "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", 
@@ -4058,6 +4196,55 @@ "malware" ] }, + { + "type": "malware", + "id": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "created": "2025-08-29T21:53:36.156Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1231", + "external_id": "S1231" + }, + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-24T03:31:15.830Z", + "name": "GodFather", + "description": "[GodFather](https://attack.mitre.org/software/S1231) is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, [GodFather](https://attack.mitre.org/software/S1231) targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. 
(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Google's Android Security team" + ], + "x_mitre_aliases": [ + "GodFather" + ], + "labels": [ + "malware" + ] + }, { "type": "malware", "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", 
@@ -6012,27 +6199,28 @@ "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "created": "2020-11-04T16:43:31.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1603", "external_id": "T1603" }, - { - "source_name": "Android WorkManager", - "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", - "url": "https://developer.android.com/topic/libraries/architecture/workmanager" - }, { "source_name": "Apple NSBackgroundActivityScheduler", "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" + }, + { + "source_name": "Android WorkManager", + "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", + "url": "https://developer.android.com/topic/libraries/architecture/workmanager" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:26.617Z", + "modified": "2025-10-24T17:48:18.936Z", "name": "Scheduled Task/Job", "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. 
only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", "kill_chain_phases": [ @@ -6045,12 +6233,12 @@ "phase_name": "persistence" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
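Review bot: `x_mitre_detection` on T1603 is set to an empty string instead of the key being dropped, so a consumer that checks for the key's presence will render a blank detection section where guidance used to be. The same blanking appears in the hunks for Code Injection, Adversary-in-the-Middle, Abuse Elevation Control Mechanism, Obtain Device Cloud Backups, Uninstall Malicious Application, Indicator Removal on Host, Supply Chain Compromise, Impersonate SS7 Nodes, Protected User Data, Asymmetric Cryptography and Software Discovery, and Insecure Third-Party Libraries gains the key with an empty value it did not have before. Several of the removed strings held concrete defender guidance (application vetting checks, permission names), and nothing in these hunks shows where that guidance now lives. If it has moved to separate detection objects, I would delete the `"x_mitre_detection": "",` line from each object rather than keep an empty field, and say in the commit description where consumers should look.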
@@ -6096,7 +6284,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:35.582Z", + "modified": "2025-10-24T17:48:20.267Z", "name": "Code Injection", "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", "kill_chain_phases": [ @@ -6115,7 +6303,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
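Review bot: `x_mitre_attack_spec_version` remains `3.2.0` on Code Injection even though these hunks give the object a new `modified` timestamp and the same `x_mitre_detection` blanking that T1603 received alongside a bump to `3.3.0`. The later technique hunks shown here (Abuse Elevation Control Mechanism, Uninstall Malicious Application, Indicator Removal on Host and others) keep `3.2.0` in the same way, so one release carries two spec versions on objects that underwent the same edit. If the field is meant to record the spec the object was last written under, the line should read `"x_mitre_attack_spec_version": "3.3.0",`. If the split is intentional, a sentence in the commit description would save parsers that branch on this field from guessing.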
@@ -6131,29 +6319,6 @@ ] }, { - "modified": "2024-02-07T18:10:46.887Z", - "name": "Adversary-in-the-Middle", - "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. 
These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "created": "2022-04-05T20:11:08.894Z", 
@@ -6214,8 +6379,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:21.401Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. 
These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", 
@@ -6238,7 +6426,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:43.814Z", + "modified": "2025-10-24T17:48:21.493Z", "name": "Abuse Elevation Control Mechanism", "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", "kill_chain_phases": [ @@ -6249,7 +6437,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6302,45 +6490,6 @@ ], "x_mitre_version": "1.0" }, - { - "type": "attack-pattern", - "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", - "created": "2017-10-25T14:48:08.155Z", - "revoked": true, - "external_references": [ - { - "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/techniques/T1454", - "external_id": "T1454" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-25T15:16:27.255Z", - "name": "Malicious SMS Message", - "description": "Test", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ] - }, { "type": "attack-pattern", "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", @@ -6377,7 +6526,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:35.994Z", + "modified": "2025-10-24T17:48:22.923Z", "name": "Obtain Device Cloud Backups", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "kill_chain_phases": [ 
@@ -6388,7 +6537,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -6424,7 +6573,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:44.210Z", + "modified": "2025-10-24T17:48:23.278Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [ @@ -6435,7 +6584,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6470,7 +6619,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:44.391Z", + "modified": "2025-10-24T17:48:23.556Z", "name": "Indicator Removal on Host", "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", "kill_chain_phases": [ @@ -6481,7 +6630,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6497,29 +6646,6 @@ ] }, { - "modified": "2024-11-17T13:32:52.029Z", - "name": "Supply Chain Compromise", - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. 
Application vetting could detect the usage of insecure or malicious third-party libraries.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "created": "2018-10-17T00:14:20.652Z", 
@@ -6660,34 +6786,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2025-01-21T16:22:43.947Z", - "name": "Impersonate SS7 Nodes", - "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "modified": "2025-10-24T17:48:23.643Z", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. 
Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" + "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_is_subtechnique": true, + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" ], - "x_mitre_version": "1.1", + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] + }, + { "type": "attack-pattern", "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "created": "2022-04-05T19:49:58.938Z", 
@@ -6737,8 +6862,32 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:24.309Z", + "name": "Impersonate SS7 Nodes", + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1" }, { "type": "attack-pattern", @@ -6808,10 +6957,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:27.908Z", + "modified": "2025-10-24T17:48:25.548Z", "name": "Insecure Third-Party Libraries", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6840,7 +6990,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:44.829Z", + "modified": "2025-10-24T17:48:25.642Z", "name": "Protected User Data", "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -6851,7 +7001,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6881,7 +7031,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:44.987Z", + "modified": "2025-10-24T17:48:26.898Z", "name": "Asymmetric Cryptography", "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", "kill_chain_phases": [ @@ -6892,7 +7042,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6928,7 +7078,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.152Z", + "modified": "2025-10-24T17:48:27.789Z", "name": "Software Discovery", "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", "kill_chain_phases": [ @@ -6939,7 +7089,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -6975,7 +7125,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.337Z", + "modified": "2025-10-24T17:48:28.244Z", "name": "Process Discovery", "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", "kill_chain_phases": [ @@ -6986,7 +7136,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7022,7 +7172,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.503Z", + "modified": "2025-10-24T17:48:29.311Z", "name": "Call Log", "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -7033,7 +7183,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7069,7 +7219,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.687Z", + "modified": "2025-10-24T17:48:29.485Z", "name": "Security Software Discovery", "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", "kill_chain_phases": [ 
@@ -7080,7 +7230,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7110,10 +7260,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:28.664Z", + "modified": "2025-10-24T17:48:30.211Z", "name": "App Delivered via Email Attachment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7152,7 +7303,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.841Z", + "modified": "2025-10-24T17:48:30.394Z", "name": "Ptrace System Calls", "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", "kill_chain_phases": [ 
@@ -7167,7 +7318,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7208,7 +7359,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:45.996Z", + "modified": "2025-10-24T17:48:30.589Z", "name": "Impair Defenses", "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", "kill_chain_phases": [ @@ -7219,7 +7370,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
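Review bot: Emptying `x_mitre_detection` in the Impair Defenses hunk removes the only visible use of `(Citation: Samsung Knox Mobile Threat Defense)`. The matching `external_references` entry lies outside the hunk, so if it is kept it is now unreferenced. The same applies to the Command and Scripting Interpreter hunk (same citation), the Dynamic Resolution hunk (`Data Driven Security DGA`) and the Steal Application Access Token hunks (`IETF-OAuthNativeApps`, `Android-AppLinks`). A validation step that checks every `source_name` in `external_references` is still cited in the object's remaining text fields would catch these.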
@@ -7238,34 +7389,30 @@ "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1453", "external_id": "T1453" }, { - "source_name": "Skycure-Accessibility", - "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", - "url": "https://www.skycure.com/blog/accessibility-clickjacking/" + "source_name": "Google_AndroidAcsOverview", + "description": "Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.", + "url": "https://support.google.com/accessibility/android/answer/6006564?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA" }, { - "source_name": "android-trojan-steals-paypal-2fa", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", - "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" - }, - { - "source_name": "banking-trojans-google-play", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019.", - "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/" + "source_name": "SahinSRLabs_FluBot_Dec2021", + "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. 
Retrieved April 16, 2025.", + "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:29.002Z", + "modified": "2025-10-27T17:12:01.143Z", "name": "Abuse Accessibility Features", - "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", + "description": "Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device\u2019s user interface, such as changing the font size and adjusting contract or colors.(Citation: Google_AndroidAcsOverview) \n\nOne example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. 
The user types their credentials in the overlay HTML object, which is then sent to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) \n\nAnother example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends it to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) This method of attack is also described in [Keylogging](https://attack.mitre.org/techniques/T1417/001); whereas [Abuse Accessibility Features](https://attack.mitre.org/techniques/T1453) captures the overall abuse of accessibility features. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -7274,21 +7421,15 @@ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ - "Luk\u00e1\u0161 \u0160tefanko, ESET" + "Luk\u00e1\u0161 \u0160tefanko, ESET", + "Liran Ravich, CardinalOps" ], - "x_mitre_deprecated": true, + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7297,10 +7438,7 @@ "x_mitre_platforms": [ "Android" ], - "x_mitre_version": "2.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ] + "x_mitre_version": "3.0" }, { "type": "attack-pattern", 
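Review bot: The rewritten `description` for T1453 reads "adjusting contract or colors", which looks like a typo for "contrast". The new `Google_AndroidAcsOverview` URL also carries `ref_topic` and `sjid` query parameters that look like navigation or session-tracking values rather than part of the document address. Something like `"url": "https://support.google.com/accessibility/android/answer/6006564"` is probably sufficient, but confirm that it resolves to the same page. Separately, these hunks flip `x_mitre_deprecated` to `false` while adding `"x_mitre_detection": ""`, so tooling that filtered out deprecated objects will start surfacing this technique with no detection text attached.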
@@ -7323,7 +7461,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.157Z", + "modified": "2025-10-24T17:48:31.144Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", "kill_chain_phases": [ 
@@ -7334,7 +7472,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7370,7 +7508,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.363Z", + "modified": "2025-10-24T17:48:31.318Z", "name": "Web Protocols", "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ", "kill_chain_phases": [ 
@@ -7381,7 +7519,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7397,29 +7535,6 @@ ] }, { - "modified": "2023-12-26T19:17:13.294Z", - "name": "Steal Application Access Token", - "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "created": "2022-04-01T15:12:50.740Z", 
@@ -7460,8 +7575,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:31.876Z", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. 
An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", 
@@ -7479,7 +7617,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.535Z", + "modified": "2025-10-24T17:48:32.337Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ @@ -7490,7 +7628,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7520,7 +7658,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.725Z", + "modified": "2025-10-24T17:48:32.877Z", "name": "Virtualization/Sandbox Evasion", "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", "kill_chain_phases": [ @@ -7531,7 +7669,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7577,7 +7715,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:36.750Z", + "modified": "2025-10-24T17:48:32.963Z", "name": "Keychain", "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "kill_chain_phases": [ @@ -7588,7 +7726,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7738,7 +7876,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:46.879Z", + "modified": "2025-10-24T17:48:33.677Z", "name": "Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", "kill_chain_phases": [ @@ -7749,7 +7887,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7780,7 +7918,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.026Z", + "modified": "2025-10-24T17:48:33.763Z", "name": "Disable or Modify Tools", "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", "kill_chain_phases": [ @@ -7791,7 +7929,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -7821,7 +7959,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.175Z", + "modified": "2025-10-24T17:48:34.355Z", "name": "Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "kill_chain_phases": [ @@ -7832,7 +7970,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7868,7 +8006,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.329Z", + "modified": "2025-10-24T17:48:34.706Z", "name": "Dynamic Resolution", "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", "kill_chain_phases": [ @@ -7879,7 +8017,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -7977,7 +8115,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.481Z", + "modified": "2025-10-24T17:48:35.175Z", "name": "Network Service Scanning", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "kill_chain_phases": [ @@ -7988,7 +8126,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8019,7 +8157,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:37.306Z", + "modified": "2025-10-24T17:48:35.718Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ @@ -8030,7 +8168,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8065,7 +8203,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.650Z", + "modified": "2025-10-24T17:48:36.720Z", "name": "Exfiltration Over C2 Channel", "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "kill_chain_phases": [ @@ -8076,7 +8214,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8091,6 +8229,53 @@ "Post-Adversary Device Access" ] }, + { + "type": "attack-pattern", + "id": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "created": "2025-09-17T14:58:52.520Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/005", + "external_id": "T1636.005" + }, + { + "source_name": "Android_AccountManager_Feb2025", + "description": "Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.", + "url": "https://developer.android.com/reference/android/accounts/AccountManager" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T15:21:58.225Z", + "name": "Accounts", + "description": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services. \n\nIf the device has been jailbroken or rooted, adversaries may be able to access [Accounts](https://attack.mitre.org/techniques/T1636/005) without the users\u2019 knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Google's Android Security team" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", 
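Review bot: The added object `attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747` (Accounts, T1636.005) has no `x_mitre_tactic_type` key, while other objects on this page carry `"x_mitre_tactic_type": [ "Post-Adversary Device Access" ]`. Tooling that filters mobile techniques on that field would skip the new sub-technique, which matters for coverage mapping of a collection technique. Unless spec version 3.3.0 drops the field, which this page does not show, I would add that line after `"x_mitre_version": "1.0"`.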
@@ -8112,7 +8297,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.809Z", + "modified": "2025-10-24T17:48:38.088Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", "kill_chain_phases": [ @@ -8123,7 +8308,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8179,7 +8364,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:47.962Z", + "modified": "2025-10-24T17:48:38.183Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [ 
@@ -8201,7 +8386,7 @@ "Gaetan van Diemen, ThreatFabric" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -8236,7 +8421,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.130Z", + "modified": "2025-10-24T17:48:38.977Z", "name": "Exfiltration Over Unencrypted Non-C2 Protocol", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "kill_chain_phases": [ @@ -8247,7 +8432,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8283,7 +8468,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.286Z", + "modified": "2025-10-24T17:48:39.155Z", "name": "Broadcast Receivers", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", "kill_chain_phases": [ 
@@ -8297,7 +8482,7 @@ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -8435,7 +8620,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.448Z", + "modified": "2025-10-24T17:48:40.140Z", "name": "Access Notifications", "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", "kill_chain_phases": [ @@ -8450,7 +8635,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8485,7 +8670,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:37.855Z", + "modified": "2025-10-24T17:48:40.404Z", "name": "Network Traffic Capture or Redirection", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "kill_chain_phases": [ @@ -8500,7 +8685,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8596,7 +8781,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.043Z", + "modified": "2025-10-24T17:48:41.397Z", "name": "Input Prompt", "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). 
A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "kill_chain_phases": [ 
@@ -8607,7 +8792,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -8643,7 +8828,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.656Z", + "modified": "2025-10-24T17:48:41.491Z", "name": "Exfiltration Over Alternative Protocol", "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "kill_chain_phases": [ @@ -8654,7 +8839,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8728,10 +8913,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:31.363Z", + "modified": "2025-10-24T17:48:43.592Z", "name": "Biometric Spoofing", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -8770,7 +8956,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:48.836Z", + "modified": "2025-10-24T17:48:43.758Z", "name": "Boot or Logon Initialization Scripts", "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", "kill_chain_phases": [ @@ -8781,7 +8967,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -8797,29 +8983,6 @@ ] }, { - "modified": "2024-11-17T18:31:54.804Z", - "name": "Execution Guardrails", - "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. 
Application vetting services can detect unnecessary and potentially permissions or API calls.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", 
@@ -8840,29 +9003,23 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2024-11-17T18:58:58.592Z", - "name": "GUI Input Capture", - "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", + "modified": "2025-10-24T17:48:44.210Z", + "name": "Execution Guardrails", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. 
Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" + "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_is_subtechnique": true, + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android", "iOS" 
@@ -8870,7 +9027,9 @@ "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], + ] + }, + { "type": "attack-pattern", "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "created": "2022-04-05T19:48:31.195Z", 
@@ -8941,8 +9100,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:45.045Z", + "name": "GUI Input Capture", + "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", 
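Review bot: The GUI Input Capture fields re-added in this hunk carry `"x_mitre_detection": ""`, so the app-vetting and device-settings guidance about the `SYSTEM_ALERT_WINDOW` permission, which an earlier hunk of this diff removes (apparently from this same technique), is no longer attached to it, although the description still centres on overlay windows. The same replacement of detection text with an empty string recurs in the later hunks (Access Contact List, Compromise Client Software Binary, Software Packing, Audio Capture, Screen Capture and others), and the hunks for Abuse of iOS Enterprise App Signing Key and App Delivered via Web Download add the empty key where none existed before. Since `x_mitre_attack_spec_version` is unchanged at `"3.2.0"` here, a consumer cannot tell whether the guidance was deliberately moved or was lost. If the content now lives in other objects, which this view does not show, I would omit the key rather than emit `""`, so that tools rendering this field do not present a blank detection section as authoritative. The object's opening lines lie outside this hunk.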
@@ -8965,7 +9151,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.397Z", + "modified": "2025-10-24T17:48:45.330Z", "name": "Access Contact List", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "kill_chain_phases": [ @@ -8976,7 +9162,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -9017,7 +9203,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.029Z", + "modified": "2025-10-24T17:48:45.611Z", "name": "Compromise Client Software Binary", "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", "kill_chain_phases": [ 
@@ -9028,7 +9214,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -9059,7 +9245,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.224Z", + "modified": "2025-10-24T17:48:46.514Z", "name": "Software Packing", "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", "kill_chain_phases": [ @@ -9070,7 +9256,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9100,10 +9286,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:31.975Z", + "modified": "2025-10-24T17:48:46.777Z", "name": "Abuse of iOS Enterprise App Signing Key", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -9161,7 +9348,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:38.781Z", + "modified": "2025-10-24T17:48:47.128Z", "name": "Exploit SS7 to Track Device Location", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "kill_chain_phases": [ @@ -9172,7 +9359,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9213,7 +9400,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.389Z", + "modified": "2025-10-24T17:48:47.482Z", "name": "Native API", "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "kill_chain_phases": [ @@ -9228,7 +9415,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9293,7 +9480,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.001Z", + "modified": "2025-10-24T17:48:47.664Z", "name": "Deliver Malicious App via Other Means", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ 
@@ -9304,7 +9491,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -9350,7 +9537,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.181Z", + "modified": "2025-10-24T17:48:47.844Z", "name": "Remotely Wipe Data Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "kill_chain_phases": [ @@ -9361,7 +9548,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9442,7 +9629,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.548Z", + "modified": "2025-10-24T17:48:50.301Z", "name": "Proxy Through Victim", "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", "kill_chain_phases": [ @@ -9453,7 +9640,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9493,7 +9680,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.358Z", + "modified": "2025-10-24T17:48:50.736Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ @@ -9504,7 +9691,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9540,7 +9727,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:39.545Z", + "modified": "2025-10-24T17:48:51.462Z", "name": "Access Calendar Entries", "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "kill_chain_phases": [ @@ -9551,7 +9738,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9664,7 +9851,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.743Z", + "modified": "2025-10-24T17:48:52.197Z", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "kill_chain_phases": [ @@ -9682,7 +9869,7 @@ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9828,7 +10015,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:49.937Z", + "modified": "2025-10-24T17:48:52.833Z", "name": "Audio Capture", "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "kill_chain_phases": [ 
@@ -9839,7 +10026,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9875,7 +10062,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.121Z", + "modified": "2025-10-24T17:48:53.101Z", "name": "Hijack Execution Flow", "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "kill_chain_phases": [ @@ -9886,7 +10073,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -9921,7 +10108,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.314Z", + "modified": "2025-10-24T17:48:54.078Z", "name": "Unix Shell", "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", "kill_chain_phases": [ 
@@ -9932,7 +10119,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -9968,7 +10155,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.479Z", + "modified": "2025-10-24T17:48:54.576Z", "name": "Application Layer Protocol", "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "kill_chain_phases": [ @@ -9979,7 +10166,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10009,10 +10196,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:33.241Z", + "modified": "2025-10-24T17:48:55.097Z", "name": "App Delivered via Web Download", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10046,7 +10234,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.660Z", + "modified": "2025-10-24T17:48:55.445Z", "name": "Download New Code at Runtime", "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", "kill_chain_phases": [ 
@@ -10057,7 +10245,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10142,7 +10330,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.105Z", + "modified": "2025-10-24T17:48:55.981Z", "name": "Remotely Track Device Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "kill_chain_phases": [ 
@@ -10153,7 +10341,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10184,7 +10372,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.837Z", + "modified": "2025-10-24T17:48:56.336Z", "name": "System Checks", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ", "kill_chain_phases": [ 
@@ -10195,7 +10383,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10211,29 +10399,6 @@ ] }, { - "modified": "2024-11-17T18:31:54.805Z", - "name": "Stored Application Data", - "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "created": "2017-10-25T14:48:15.402Z", 
@@ -10259,8 +10424,31 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-10-24T17:48:56.509Z",
+ "name": "Stored Application Data",
+ "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ }
+ ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "3.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 },
 {
 "type": "attack-pattern",
@@ -10308,7 +10496,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:50.988Z", + "modified": "2025-10-24T17:48:57.610Z", "name": "Screen Capture", "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "kill_chain_phases": [ @@ -10319,7 +10507,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10354,7 +10542,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.156Z", + "modified": "2025-10-24T17:48:57.794Z", "name": "Transmitted Data Manipulation", "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ @@ -10365,7 +10553,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10447,7 +10635,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.453Z", + "modified": "2025-10-24T17:48:58.596Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "kill_chain_phases": [ 
@@ -10458,7 +10646,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10474,29 +10662,6 @@ ] }, { - "modified": "2024-11-17T13:32:52.030Z", - "name": "Compromise Software Dependencies and Development Tools", - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "created": "2022-03-28T19:31:51.978Z", 
@@ -10547,8 +10712,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:48:58.857Z", + "name": "Compromise Software Dependencies and Development Tools", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", 
@@ -10596,7 +10784,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.634Z", + "modified": "2025-10-24T17:48:58.965Z", "name": "Evade Analysis Environment", "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "kill_chain_phases": [ @@ -10611,7 +10799,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10646,7 +10834,7 @@ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" }, { "source_name": "IETF-PKCE", @@ -10662,7 +10850,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.304Z", + "modified": "2025-10-24T17:48:59.057Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", "kill_chain_phases": [ 
@@ -10671,13 +10859,13 @@
 "phase_name": "credential-access"
 }
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_contributors": [
 "Leo Zhang, Trend Micro",
 "Steven Du, Trend Micro"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
@@ -10713,7 +10901,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:21:51.458Z",
+ "modified": "2025-10-24T17:48:59.522Z",
 "name": "Subvert Trust Controls",
 "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ",
 "kill_chain_phases": [
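Review bot: `"x_mitre_attack_spec_version"` moves to `"3.3.0"` in the first hunk here, yet the objects in the neighbouring hunks receive the same `x_mitre_detection` blanking and keep `"3.2.0"` in their context lines; only this object and the Device Type Discovery and URL Scheme Hijacking hunks are bumped. A consumer that selects its parsing or validation rules from the declared spec version would treat most of the edited objects as the old shape. If the emptied detection field belongs to the 3.3.0 schema (an inference, not shown in these hunks), the other edited objects should carry `"x_mitre_attack_spec_version": "3.3.0",` as well, or the mixed versions should be explained in the commit description. The removed detection text also cited IETF-OAuthNativeApps and Android-AppLinks, so the matching `external_references` entries, which lie outside this hunk, may now be unreferenced and are worth checking.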
@@ -10724,7 +10912,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -10760,7 +10948,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:40.824Z", + "modified": "2025-10-24T17:48:59.691Z", "name": "Access Call Log", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "kill_chain_phases": [ @@ -10771,7 +10959,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10817,7 +11005,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:41.041Z", + "modified": "2025-10-24T17:49:02.464Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "kill_chain_phases": [ @@ -10828,7 +11016,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10869,7 +11057,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T18:00:41.218Z",
+ "modified": "2025-10-24T17:49:02.729Z",
 "name": "Device Administrator Permissions",
 "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.",
 "kill_chain_phases": [
@@ -10880,7 +11068,7 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.",
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
@@ -10909,10 +11097,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T15:16:34.865Z",
+ "modified": "2025-10-24T17:49:02.916Z",
 "name": "Remotely Install Application",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
 "x_mitre_domains": [
 "mobile-attack"
 ],
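Review bot: The third hunk adds `"x_mitre_detection": "",` to Remotely Install Application, an object that had no such key before, and the Device Type Discovery and URL Scheme Hijacking hunks make the same addition. An empty string on an object that never had detection text cannot be told apart from guidance that was deliberately removed, and it forces every consumer to special-case `""` as missing. The visible context shows no `description` or `kill_chain_phases` for this object, which suggests a revoked stub, though its `revoked` flag is outside the hunk. Dropping the added line, so the key stays absent where there was never any detection text, keeps the two cases distinguishable.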
@@ -10951,7 +11140,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.670Z", + "modified": "2025-10-24T17:49:03.949Z", "name": "Keychain", "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "kill_chain_phases": [ @@ -10962,7 +11151,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -10997,7 +11186,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:41.585Z", + "modified": "2025-10-24T17:49:04.473Z", "name": "Modify Cached Executable Code", "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "kill_chain_phases": [ @@ -11008,7 +11197,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -11030,7 +11219,7 @@ "revoked": true, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1419", "external_id": "T1419" }, @@ -11043,7 +11232,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:35.161Z", + "modified": "2025-09-08T16:32:57.531Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [ @@ -11052,8 +11241,9 @@ "phase_name": "discovery" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11185,7 +11375,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:42.129Z", + "modified": "2025-10-24T17:49:05.463Z", "name": "Delete Device Data", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ @@ -11200,7 +11390,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11240,7 +11430,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:42.305Z", + "modified": "2025-10-24T17:49:05.648Z", "name": "Carrier Billing Fraud", "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "kill_chain_phases": [ @@ -11251,7 +11441,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11273,24 +11463,19 @@ "revoked": true, "external_references": [ { - "source_name": "mitre-mobile-attack", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415" }, - { - "source_name": "NIST Mobile Threat Catalogue", - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "external_id": "AUT-10" - }, { "source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" }, { - "source_name": "Dhanjani-URLScheme", - "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", - "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" + "source_name": "MobileIron-XARA", + "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", + "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" }, { "source_name": "IETF-PKCE", 
@@ -11298,15 +11483,20 @@ "url": "https://tools.ietf.org/html/rfc7636" }, { - "source_name": "MobileIron-XARA", - "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", - "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" + "source_name": "Dhanjani-URLScheme", + "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", + "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", + "external_id": "AUT-10" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:35.896Z", + "modified": "2025-09-08T16:36:02.126Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [ @@ -11315,8 +11505,9 @@ "phase_name": "credential-access" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11346,7 +11537,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.825Z", + "modified": "2025-10-24T17:49:06.929Z", "name": "Bidirectional Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ @@ -11357,7 +11548,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11388,7 +11579,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:51.980Z", + "modified": "2025-10-24T17:49:07.116Z", "name": "Non-Standard Port", "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "kill_chain_phases": [ @@ -11399,7 +11590,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -11455,7 +11646,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.139Z", + "modified": "2025-10-24T17:49:07.487Z", "name": "Compromise Software Supply Chain", "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "kill_chain_phases": [ 
@@ -11466,7 +11657,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -11497,7 +11688,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.296Z", + "modified": "2025-10-24T17:49:07.948Z", "name": "Dead Drop Resolver", "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", "kill_chain_phases": [ 
@@ -11508,7 +11699,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11569,7 +11760,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.460Z", + "modified": "2025-10-24T17:49:08.214Z", "name": "Location Tracking", "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "kill_chain_phases": [ 
@@ -11584,7 +11775,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. \n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -11620,7 +11811,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.648Z", + "modified": "2025-10-24T17:49:08.587Z", "name": "Device Administrator Permissions", "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ 
@@ -11631,7 +11822,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -11676,7 +11867,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:42.681Z", + "modified": "2025-10-24T17:49:09.025Z", "name": "Device Lockout", "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ @@ -11691,7 +11882,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11737,7 +11928,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.807Z", + "modified": "2025-10-24T17:49:09.660Z", "name": "Remote Device Management Services", "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "kill_chain_phases": [ @@ -11752,7 +11943,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -11877,6 +12068,62 @@ "Post-Adversary Device Access" ] }, + { + "type": "attack-pattern", + "id": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", + "created": "2025-05-19T18:24:54.985Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1676", + "external_id": "T1676" + }, + { + "source_name": "Signal_LinkedDevices_NoDate", + "description": "Signal. (n.d.). Linked Devices. Retrieved May 9, 2025.", + "url": "https://support.signal.org/hc/en-us/articles/360007320551-Linked-Devices" + }, + { + "source_name": "WhatsApp_LinkDevice_NoDate", + "description": "WhatsApp. (n.d.). How to link a device. Retrieved May 9, 2025.", + "url": "https://faq.whatsapp.com/1317564962315842/?helpref=faq_content&cms_platform=web" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-05-19T20:03:02.656Z", + "name": "Linked Devices", + "description": "Adversaries may abuse the \u201clinked devices\u201d feature on messaging applications, such as Signal and WhatsApp, to register the user\u2019s account to an adversary-controlled device. By abusing the \u201clinked devices\u201d feature, adversaries may achieve and maintain persistence through the user\u2019s account, may collect information, such as the user\u2019s messages and contacts list, and may send future messages from the linked device.\n\nSignal is a messaging application that uses the open-source Signal Protocol to encrypt messages and calls; similarly, WhatsApp is a messaging application that has end-to-end encryption and other security measures to protect messages and calls. 
Both applications have a \u201clinked devices\u201d feature that allows users to access their Signal and/or WhatsApp accounts from different devices, such as a Windows or Mac desktop, an iPad or an Android tablet.(Citation: WhatsApp_LinkDevice_NoDate)(Citation: Signal_LinkedDevices_NoDate)\n\nAdversaries may use [Phishing](https://attack.mitre.org/techniques/T1660) techniques to trick the user into scanning a quick-response (QR) code, which is used to link the user\u2019s Signal and/or WhatsApp account to an adversary-controlled device. For example, adversaries may masquerade QR codes as group invites, security alerts or as legitimate instructions for pairing linked devices. \nUpon scanning the QR code in Signal, users may click on the \u201cTransfer Message History\u201d option to sync the linked devices, which may allow adversaries to collect more information about the user. Upon scanning the QR code in WhatsApp, the user\u2019s device will automatically send an end-to-end encrypted copy of recent message history to the adversary-controlled device. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Giorgi Gurgenidze, GITAC" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", 
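Review bot: In the new Linked Devices `description`, the last paragraph is joined to the previous one by a single `\n` (`...pairing linked devices. \nUpon scanning the QR code...`), whereas the other paragraphs are separated by `\n\n`, so Markdown renderers will run the two together; use `\n\n` there. The `WhatsApp_LinkDevice_NoDate` URL also carries `?helpref=faq_content&cms_platform=web`, which looks like navigation state rather than part of the article address, so the citation would be more stable without the query string if the bare path resolves to the same page. The object is also created with `"x_mitre_detection": ""`; whatever now carries detection content for this data set should cover the user-visible linked-device list that both cited help articles describe.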
@@ -11892,10 +12139,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:36.937Z", + "modified": "2025-10-24T17:49:10.732Z", "name": "Stolen Developer Credentials or Signing Keys", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12042,7 +12290,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:52.964Z", + "modified": "2025-10-24T17:49:11.864Z", "name": "Input Capture", "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "kill_chain_phases": [ @@ -12057,7 +12305,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12093,7 +12341,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.113Z", + "modified": "2025-10-24T17:49:12.043Z", "name": "Generate Traffic from Victim", "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", "kill_chain_phases": [ @@ -12104,7 +12352,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the \u201cSpecial access\u201d page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12155,7 +12403,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.262Z", + "modified": "2025-10-24T17:49:12.130Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "kill_chain_phases": [ @@ -12166,7 +12414,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12217,7 +12465,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:43.392Z", + "modified": "2025-10-24T17:49:12.301Z", "name": "Masquerade as Legitimate Application", "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "kill_chain_phases": [ @@ -12235,7 +12483,7 @@ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": true, - "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12265,10 +12513,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:37.543Z", + "modified": "2025-10-24T17:49:12.390Z", "name": "Malicious Media Content", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12297,7 +12546,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.420Z", + "modified": "2025-10-24T17:49:12.650Z", "name": "Calendar Entries", "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -12308,7 +12557,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12341,7 +12590,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.593Z", + "modified": "2025-10-24T17:49:12.849Z", "name": "File Deletion", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ @@ -12352,7 +12601,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12407,7 +12656,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.782Z", + "modified": "2025-10-24T17:49:13.285Z", "name": "Device Lockout", "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)", "kill_chain_phases": [ @@ -12418,7 +12667,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12458,7 +12707,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:53.936Z", + "modified": "2025-10-24T17:49:14.276Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", "kill_chain_phases": [ 
@@ -12473,7 +12722,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12524,7 +12773,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.090Z", + "modified": "2025-10-24T17:49:15.008Z", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "kill_chain_phases": [ 
@@ -12535,7 +12784,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view the default SMS handler in system settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12632,7 +12881,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:43.920Z", + "modified": "2025-10-24T17:49:15.184Z", "name": "Exfiltration Over Other Network Medium", "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ", "kill_chain_phases": [ @@ -12643,7 +12892,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12673,10 +12922,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:38.229Z", + "modified": "2025-10-24T17:49:16.049Z", "name": "Detect App Analysis Environment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12700,7 +12950,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.246Z", + "modified": "2025-10-24T17:49:16.232Z", "name": "Process Injection", "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", "kill_chain_phases": [ @@ -12715,7 +12965,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -12745,10 +12995,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:38.477Z", + "modified": "2025-10-24T17:49:17.290Z", "name": "Malicious Software Development Tools", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12772,7 +13023,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.401Z", + "modified": "2025-10-24T17:49:17.802Z", "name": "Symmetric Cryptography", "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "kill_chain_phases": [ @@ -12783,7 +13034,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12819,7 +13070,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:44.489Z", + "modified": "2025-10-24T17:49:18.426Z", "name": "Broadcast Receivers", "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "kill_chain_phases": [ @@ -12834,7 +13085,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12958,7 +13209,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.553Z", + "modified": "2025-10-24T17:49:19.406Z", "name": "Compromise Hardware Supply Chain", "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", "kill_chain_phases": [ @@ -12969,7 +13220,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -12985,33 +13236,6 @@ ] }, { - "modified": "2024-09-12T15:17:00.569Z", - "name": "Clipboard Data", - "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could detect usage of standard clipboard APIs.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created": "2017-10-25T14:48:19.996Z", 
@@ -13052,8 +13276,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:21.369Z", + "name": "Clipboard Data", + "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", @@ -13086,7 +13337,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:44.671Z", + "modified": "2025-10-24T17:49:21.464Z", "name": "Modify System Partition", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "kill_chain_phases": [ 
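Review bot: Clipboard Data loses its detection text in the `@@ -13052` hunk, yet `"x_mitre_version": "3.1"` is the same on the removed block (`@@ -12985`) and on the re-added block, so only `modified` signals the change. Tooling that compares releases by `x_mitre_version` will not flag that the vetting guidance on clipboard API usage is gone. The Network Denial of Service hunks further down do bump the value (`"1.3"` to `"1.4"`); a matching minor bump here, and for System Network Configuration Discovery which stays at `"2.4"`, would keep the version field meaningful. Most of this hunk is the same properties moved below `object_marking_refs`, so a key-order-insensitive comparison is needed to see the real change.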
@@ -13105,7 +13356,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13136,7 +13387,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.742Z", + "modified": "2025-10-24T17:49:21.564Z", "name": "Data Manipulation", "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", "kill_chain_phases": [ @@ -13147,7 +13398,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
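Review bot: The `@@ -13105` hunk (Modify System Partition) blanks a detection text that held `(Citation: Android-VerifiedBoot)` and `(Citation: Apple-iOSSecurityGuide)`; the description shown in the preceding hunk cites neither, so any matching `external_references` entries (outside the hunk) are probably left unreferenced. Either drop those entries in the same change or keep the Verified Boot and remote-attestation points somewhere the citations still resolve. The text removed here was the only visible place in this object that pointed defenders at boot-time integrity checks and attestation.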
@@ -13182,7 +13433,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:54.890Z", + "modified": "2025-10-24T17:49:22.003Z", "name": "SMS Messages", "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -13193,7 +13444,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13221,7 +13472,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.035Z", + "modified": "2025-10-24T17:49:22.184Z", "name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", "kill_chain_phases": [ @@ -13232,7 +13483,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13268,7 +13519,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.191Z", + "modified": "2025-10-24T17:49:22.267Z", "name": "System Runtime API Hijacking", "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", "kill_chain_phases": [ @@ -13279,7 +13530,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13308,10 +13559,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:39.572Z", + "modified": "2025-10-24T17:49:22.801Z", "name": "Exploit Baseband Vulnerability", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13340,7 +13592,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.358Z", + "modified": "2025-10-24T17:49:23.749Z", "name": "Credentials from Password Store", "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "kill_chain_phases": [ @@ -13351,7 +13603,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13380,7 +13632,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:39.824Z", + "modified": "2025-10-24T17:49:24.183Z", "name": "Hooking", "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", "kill_chain_phases": [ @@ -13394,7 +13646,7 @@ "J\u00f6rg Abraham, EclecticIQ" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13439,7 +13691,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:45.045Z", + "modified": "2025-10-24T17:49:24.367Z", "name": "Install Insecure or Malicious Configuration", "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "kill_chain_phases": [ 
@@ -13454,7 +13706,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13490,7 +13742,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.729Z", + "modified": "2025-10-24T17:49:24.899Z", "name": "File and Directory Discovery", "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", "kill_chain_phases": [ 
@@ -13501,7 +13753,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13542,7 +13794,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:55.894Z", + "modified": "2025-10-24T17:49:25.462Z", "name": "Obfuscated Files or Information", "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", "kill_chain_phases": [ @@ -13553,7 +13805,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13599,7 +13851,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:56.042Z", + "modified": "2025-10-24T17:49:25.635Z", "name": "Input Injection", "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", "kill_chain_phases": [ @@ -13617,7 +13869,7 @@ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13692,7 +13944,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:56.195Z", + "modified": "2025-05-19T15:21:04.030Z", "name": "Network Denial of Service", "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "kill_chain_phases": [ @@ -13703,7 +13955,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13713,7 +13965,7 @@ "Android", "iOS" ], - "x_mitre_version": "1.3", + "x_mitre_version": "1.4", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ] 
@@ -13743,7 +13995,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:40.355Z", + "modified": "2025-10-24T17:49:26.629Z", "name": "Compromise Application Executable", "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", "kill_chain_phases": [ @@ -13754,7 +14006,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13784,7 +14036,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:56.521Z", + "modified": "2025-10-24T17:49:26.888Z", "name": "Event Triggered Execution", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", "kill_chain_phases": [ @@ -13795,7 +14047,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -13810,29 +14062,6 @@ ] }, { - "modified": "2024-02-20T23:35:22.949Z", - "name": "System Network Configuration Discovery", - "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.4", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created": "2017-10-25T14:48:32.740Z", 
@@ -13858,8 +14087,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:26.973Z", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.4", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", @@ -13934,7 +14186,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:56.716Z", + "modified": "2025-10-24T17:49:28.248Z", "name": "Video Capture", "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ", "kill_chain_phases": [ 
@@ -13945,7 +14197,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -13976,7 +14228,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:56.869Z", + "modified": "2025-10-24T17:49:28.337Z", "name": "One-Way Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ 
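Review bot: For Video Capture the new side replaces concrete detection guidance with `"x_mitre_detection": ""`, dropping the advice to scrutinise apps that hold `android.permission.CAMERA` or declare `NSCameraUsageDescription` during vetting. The same blanking recurs in the later hunks for One-Way Communication, Deliver Malicious App via Authorized App Store, Data Encrypted for Impact, Prevent Application Removal, System Network Connections Discovery, Lockscreen Bypass, Command-Line Interface, Contact List, Data from Local System, Account Access Removal, System Information Discovery, Clipboard Modification and Archive Collected Data. Nothing visible in these hunks shows where that text went, so any consumer that renders or indexes this field will silently lose the guidance. If it has moved to other objects, the commit description should say which. If the field is being retired, omitting the key would be clearer than an empty string, which a consumer cannot tell apart from "no guidance exists".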
@@ -13987,7 +14239,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14078,7 +14330,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:45.413Z", + "modified": "2025-10-24T17:49:28.427Z", "name": "Deliver Malicious App via Authorized App Store", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "kill_chain_phases": [ 
@@ -14089,7 +14341,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -14125,7 +14377,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.034Z", + "modified": "2025-10-24T17:49:28.514Z", "name": "Data Encrypted for Impact", "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", "kill_chain_phases": [ @@ -14136,7 +14388,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14151,31 +14403,6 @@ ] }, { - "modified": "2023-09-28T15:38:41.106Z", - "name": "Prevent Application Removal", - "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. 
If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_contributors": [ - "Shankar Raman, Gen Digital and Abhinand, Amrita University" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "created": "2022-04-01T18:44:32.808Z", 
@@ -14196,8 +14423,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:28.687Z", + "name": "Prevent Application Removal", + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. 
If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Shankar Raman, Gen Digital and Abhinand, Amrita University" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", 
@@ -14215,7 +14467,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.189Z", + "modified": "2025-10-24T17:49:29.321Z", "name": "System Network Connections Discovery", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.", "kill_chain_phases": [ @@ -14226,7 +14478,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14241,37 +14493,6 @@ ] }, { - "modified": "2023-09-29T19:45:39.608Z", - "name": "Phishing", - "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing\u201d. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. 
A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_contributors": [ - "Vijay Lalwani", - "Will Thomas, Equinix", - "Adam Mashinchi", - "Sam Seabrook, Duke Energy", - "Naveen Devaraja, bolttech", - "Brian Donohue" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "created": "2023-09-21T19:35:15.552Z", 
@@ -14292,8 +14513,40 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-08-20T14:33:34.968Z", + "name": "Phishing", + "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing.\u201d Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. 
Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. 
This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Vijay Lalwani", + "Will Thomas, Equinix", + "Adam Mashinchi", + "Sam Seabrook, Duke Energy", + "Naveen Devaraja, bolttech", + "Brian Donohue", + "Lookout" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "modified": "2024-04-16T20:24:13.854Z", 
@@ -14343,29 +14596,6 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-10-16T16:23:05.146Z", - "name": "Lockscreen Bypass", - "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. 
The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created": "2017-10-25T14:48:24.488Z", 
@@ -14401,8 +14631,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:29.764Z", + "name": "Lockscreen Bypass", + "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. 
The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", @@ -14420,7 +14673,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:45.593Z", + "modified": "2025-10-24T17:49:30.335Z", "name": "Command-Line Interface", "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", "kill_chain_phases": [ 
@@ -14431,7 +14684,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -14467,7 +14720,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.342Z", + "modified": "2025-10-24T17:49:30.430Z", "name": "Contact List", "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [ @@ -14478,15 +14731,15 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "iOS", - "Android" + "Android", + "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ 
@@ -14514,7 +14767,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.505Z", + "modified": "2025-10-24T17:49:30.706Z", "name": "Data from Local System", "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "kill_chain_phases": [ @@ -14525,7 +14778,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -14556,7 +14809,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.695Z", + "modified": "2025-10-24T17:49:31.052Z", "name": "Account Access Removal", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. ", "kill_chain_phases": [ @@ -14567,7 +14820,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14607,7 +14860,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.841Z", + "modified": "2025-10-24T17:49:31.141Z", "name": "System Information Discovery", "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ", "kill_chain_phases": [ @@ -14618,7 +14871,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -14648,10 +14901,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:41.779Z", + "modified": "2025-10-24T17:49:31.232Z", "name": "Fake Developer Accounts", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14705,7 +14959,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:45.935Z", + "modified": "2025-10-24T17:49:31.403Z", "name": "Clipboard Modification", "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ 
@@ -14716,7 +14970,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -14746,7 +15000,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:57.990Z", + "modified": "2025-10-24T17:49:31.761Z", "name": "Archive Collected Data", "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. ", "kill_chain_phases": [ @@ -14757,7 +15011,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14793,7 +15047,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.143Z", + "modified": "2025-10-24T17:49:31.935Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", "kill_chain_phases": [ @@ -14804,7 +15058,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14876,7 +15130,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:46.301Z", + "modified": "2025-10-24T17:49:33.068Z", "name": "Capture SMS Messages", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "kill_chain_phases": [ @@ -14891,7 +15145,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -14973,7 +15227,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.297Z", + "modified": "2025-10-24T17:49:33.803Z", "name": "Endpoint Denial of Service", "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ @@ -14984,7 +15238,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15015,7 +15269,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.451Z", + "modified": "2025-10-24T17:49:34.162Z", "name": "Out of Band Data", "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", "kill_chain_phases": [ @@ -15026,7 +15280,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15057,7 +15311,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.602Z", + "modified": "2025-10-24T17:49:34.332Z", "name": "Encrypted Channel", "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [ @@ -15068,7 +15322,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15154,31 +15408,6 @@ ] }, { - "modified": "2024-09-12T19:47:06.884Z", - "name": "Suppress Application Icon", - "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_contributors": [ - "Emily Ratliff, IBM" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine. 
Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "created": "2022-03-30T20:06:22.194Z", 
@@ -15219,8 +15448,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T17:49:35.410Z", + "name": "Suppress Application Icon", + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. 
If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] }, { "type": "attack-pattern", @@ -15253,7 +15507,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:46.662Z", + "modified": "2025-10-24T17:49:35.592Z", "name": "Modify Trusted Execution Environment", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "kill_chain_phases": [ 
@@ -15268,7 +15522,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -15297,10 +15551,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:42.990Z", + "modified": "2025-10-24T17:49:36.126Z", "name": "Device Unlock Code Guessing or Brute Force", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -15386,7 +15641,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.771Z", + "modified": "2025-10-24T17:49:38.098Z", "name": "Masquerading", "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", "kill_chain_phases": [ @@ -15397,7 +15652,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "\n", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15469,10 +15724,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T15:16:43.339Z", + "modified": "2025-10-24T17:49:38.547Z", "name": "Malicious or Vulnerable Built-in Device Functionality", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -15496,7 +15752,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:58.917Z", + "modified": "2025-10-24T17:49:38.813Z", "name": "Steganography", "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "kill_chain_phases": [ @@ -15507,7 +15763,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15572,7 +15828,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:47.575Z", + "modified": "2025-10-24T17:49:38.896Z", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "kill_chain_phases": [ @@ -15583,7 +15839,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15614,7 +15870,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.084Z", + "modified": "2025-10-24T17:49:39.161Z", "name": "Hide Artifacts", "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", "kill_chain_phases": [ @@ -15625,7 +15881,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15660,7 +15916,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.231Z", + "modified": "2025-10-24T17:49:39.422Z", "name": "Code Signing Policy Modification", "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "kill_chain_phases": [ @@ -15671,7 +15927,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15712,7 +15968,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.384Z", + "modified": "2025-10-24T17:49:39.530Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ @@ -15723,7 +15979,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
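Review bot: The `x_mitre_detection` string removed in the second hunk was the only place in these two hunks that used `(Citation: Data Driven Security DGA)`; the description kept above it cites only `securelist rotexy 2018`. If the matching `external_references` entry is still on this object (it lies outside the hunk, so I cannot confirm), it is now unreferenced, and whichever analytic object received this text needs that entry so the citation still resolves. The same check applies to `(Citation: Apple-iOSSecurityGuide)`, removed with the detection text of Modify Trusted Execution Environment in an earlier hunk.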
@@ -15764,7 +16020,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:21:59.531Z", + "modified": "2025-10-24T17:49:39.614Z", "name": "Drive-By Compromise", "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. 
Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "kill_chain_phases": [ @@ -15775,7 +16031,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], @@ -15821,7 +16077,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T18:00:47.756Z", + "modified": "2025-10-24T17:49:39.785Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "kill_chain_phases": [ @@ -15832,7 +16088,7 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", + "x_mitre_detection": "", "x_mitre_domains": [ "mobile-attack" ], 
@@ -15846,6 +16102,14003 @@ "Post-Adversary Device Access" ] }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1789", + "external_id": "AN1789" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1789", + "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1740", + "external_id": "AN1740" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1740", + "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1649", + "external_id": "AN1649" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1649", + "description": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + 
"x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1679", + "external_id": "AN1679" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1679", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1725", + "external_id": "AN1725" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1725", + "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1792", + "external_id": "AN1792" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1792", + "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1829", + "external_id": "AN1829" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1829", + "description": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1747", + "external_id": "AN1747" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1747", + "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1736", + "external_id": "AN1736" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1736", + "description": "Application vetting services may 
detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. \nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0694#AN1807", + "external_id": "AN1807" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1807", + "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + 
"Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1836", + "external_id": "AN1836" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1836", + "description": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0647#AN1727", + "external_id": "AN1727" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1727", + "description": "Application vetting services can detect which broadcast intents an application registers for 
and which permissions it requests. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1832", + "external_id": "AN1832" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1832", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1759", + "external_id": "AN1759" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1759", + "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.\nApplication vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a", + 
"created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1819", + "external_id": "AN1819" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1819", + "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1814", + "external_id": "AN1814" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1814", + "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + 
"x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1662", + "external_id": "AN1662" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1662", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1704", + "external_id": "AN1704" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1704", + "description": "Application vetting 
services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0690#AN1801", + "external_id": "AN1801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1801", + "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.\nThe user can see a list of applications that can use accessibility services in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": 
"x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0633#AN1705", + "external_id": "AN1705" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1705", + "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.\nMobile security products can potentially detect jailbroken devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1768", + "external_id": "AN1768" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1768", + "description": "Many 
encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1714", + "external_id": "AN1714" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1714", + "description": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1816", + "external_id": "AN1816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Analytic 1816", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block bidirectional command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1762", + "external_id": "AN1762" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1762", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": 
false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0598#AN1644", + "external_id": "AN1644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1644", + "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. \nThe user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1738", + "external_id": "AN1738" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1738", + "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. \nApplication vetting services can detect unnecessary and potentially abused API calls.\nApplication vetting services can detect unnecessary and potentially abused permissions.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1778", + "external_id": "AN1778" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1778", + "description": "An Android user can view and 
manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0637#AN1711", + "external_id": "AN1711" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1711", + "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.\nApplications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": 
"3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1720", + "external_id": "AN1720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1720", + "description": "Application vetting services could detect usage of standard clipboard APIs.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1729", + "external_id": "AN1729" + } + ], + "object_marking_refs": [ 
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1729", + "description": "Application vetting services can detect unnecessary and potentially abused location permissions.\nOn Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.\nApplication vetting services can detect unnecessary and potentially abused API calls.\nThe user can review which applications have location permissions in the operating system\u2019s settings menu.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0642#AN1718", + "external_id": "AN1718" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1718", + "description": "Application vetting services can detect when an application requests administrator permission.\nWhen an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1737", + "external_id": "AN1737" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1737", + "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. 
\nApplication vetting services can detect unnecessary and potentially abused API calls.\nApplication vetting services can detect unnecessary and potentially abused permissions.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1760", + "external_id": "AN1760" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1760", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0660#AN1750", + "external_id": "AN1750" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1750", + "description": "Application vetting services could look for use of standard APIs (e.g. 
the clipboard API) that could indicate data manipulation is occurring.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1717", + "external_id": "AN1717" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1717", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1688", + "external_id": "AN1688" + } + ], + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1688", + "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1788", + "external_id": "AN1788" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1788", + "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1669", + "external_id": "AN1669" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1669", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82", + "created": 
"2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1687", + "external_id": "AN1687" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1687", + "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1774", + "external_id": "AN1774" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1774", + "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1799", + "external_id": "AN1799" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1799", + "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1735", + "external_id": "AN1735" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1735", + "description": "Application vetting services may detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. \nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1820", + "external_id": "AN1820" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Analytic 1820", + "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1672", + "external_id": "AN1672" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1672", + "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": 
"x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1795", + "external_id": "AN1795" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1795", + "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0668#AN1764", + "external_id": "AN1764" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1764", + "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.\nThe user can view a list of apps with accessibility service privileges in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1845", + "external_id": "AN1845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1845", + "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1808", + "external_id": "AN1808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1808", + "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.\nDuring the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0671#AN1769", + "external_id": "AN1769" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1769", + "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. \nCommand-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. \nThe user is prompted for approval when an application requests device administrator permissions.\nApplication vetting services may detect API calls for deleting files. \nMobile security products can detect which applications can request device administrator permissions. 
Application vetting services could be extra scrutinous of applications that request device administrator permissions.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1773", + "external_id": "AN1773" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. 
Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1773", + "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0611#AN1665", + "external_id": "AN1665" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1665", + "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). \nApplication vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1831", + "external_id": "AN1831" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1831", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1734", + "external_id": "AN1734" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1734", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1696", + "external_id": "AN1696" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1696", + "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. 
\nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1719", + "external_id": "AN1719" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1719", + "description": "Application vetting services could detect usage of standard clipboard APIs.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041", + "created": "2025-10-21T15:10:28.402Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1763", + "external_id": "AN1763" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1763", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1766", + "external_id": "AN1766" + }, + { + "source_name": "unit42_strat_aged_domain_det", + "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", + "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1766", + "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1748", + "external_id": "AN1748" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1748", + "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1689", + "external_id": "AN1689" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1689", + "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0717#AN1847", + "external_id": "AN1847" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1847", + "description": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1673", + "external_id": "AN1673" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1673", + "description": "Application vetting services could 
look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1685", + "external_id": "AN1685" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1685", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1733", + "external_id": "AN1733" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1733", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1723", + "external_id": "AN1723" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Analytic 1723", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1654", + "external_id": "AN1654" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1654", + "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1648", + "external_id": "AN1648" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1648", + "description": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1659", + "external_id": "AN1659" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1659", + "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. 
\nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1804", + "external_id": "AN1804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1804", + "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1805", + "external_id": "AN1805" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1805", + "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1693", + "external_id": "AN1693" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1693", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1703", + "external_id": "AN1703" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1703", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1658", + "external_id": "AN1658" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1658", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1691", + "external_id": "AN1691" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1691", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0630#AN1701", + "external_id": "AN1701" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1701", + "description": "The user is prompted for approval when an application requests device administrator permissions.\nApplication vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. 
This indicates it can prompt the user for device administrator permissions.\nThe user can see which applications are registered as device administrators in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0683#AN1790", + "external_id": "AN1790" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1790", + "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": 
"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1671", + "external_id": "AN1671" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1671", + "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1708", + "external_id": "AN1708" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1708", + "description": "Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. 
Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1732", + "external_id": "AN1732" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1732", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1756", + "external_id": "AN1756" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1756", + "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \nApplication vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1821", + "external_id": "AN1821" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1821", + "description": "Google sends a notification to the device when Android Device Manager is used to locate it. 
Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1783", + "external_id": "AN1783" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1783", + "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1851", + "external_id": "AN1851" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1851", + "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1826", + "external_id": "AN1826" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1826", + "description": "The user can view and manage installed third-party keyboards.\nApplication vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + 
"channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1700", + "external_id": "AN1700" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1700", + "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0659#AN1749", + "external_id": "AN1749" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1749", + "description": "No standard detection method currently exists for this technique.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + 
], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1787", + "external_id": "AN1787" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1787", + "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1667", + "external_id": "AN1667" + }, + { + "source_name": "unit42_strat_aged_domain_det", + 
"description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", + "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1667", + "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0720#AN1852", + "external_id": "AN1852" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1852", + "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1846", + "external_id": "AN1846" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1846", + "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1721", + "external_id": "AN1721" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1721", + "description": "Application vetting services could look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0649#AN1730", + "external_id": "AN1730" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1730", + "description": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0693#AN1806", + "external_id": "AN1806" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1806", + "description": "The user can view a list of active device administrators in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1686", + "external_id": "AN1686" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1686", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1742", + "external_id": "AN1742" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1742", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + 
"x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1761", + "external_id": "AN1761" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1761", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1824", + "external_id": "AN1824" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 
1824", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1677", + "external_id": "AN1677" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1677", + "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. 
\nMobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nApplication vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1828", + "external_id": "AN1828" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1828", + "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.\nApplication vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. 
Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0697#AN1812", + "external_id": "AN1812" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1812", + "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.\nThe user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service should be scrutinized further for malicious behavior. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1683", + "external_id": "AN1683" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1683", + "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1752", + "external_id": "AN1752" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1752", + "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.\nOn Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1779", + "external_id": "AN1779" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1779", + "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1724", + "external_id": "AN1724" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1724", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1776", + "external_id": "AN1776" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1776", + "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. \nAndroid applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1675", + "external_id": "AN1675" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1675", + "description": "Many properly configured firewalls may naturally block command and control traffic.\nApplication vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1848", + "external_id": "AN1848" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1848", + "description": "Application vetting services could look for connections to unknown domains or IP addresses. 
\nApplication vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1784", + "external_id": "AN1784" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1784", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0699#AN1815", + "external_id": "AN1815" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1815", + "description": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1744", + "external_id": "AN1744" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1744", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1751", + "external_id": "AN1751" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1751", + "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. 
The exact device settings menu locations may vary between operating system versions.\nOn Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1680", + "external_id": "AN1680" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1680", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. 
\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1661", + "external_id": "AN1661" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1661", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": 
"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0689#AN1800", + "external_id": "AN1800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1800", + "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1743", + "external_id": "AN1743" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). 
IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1743", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1794", + 
"external_id": "AN1794" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1794", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1726", + "external_id": "AN1726" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1726", + "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": 
"x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0714#AN1842", + "external_id": "AN1842" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1842", + "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.\nApplication vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715", + "external_id": "AN1715" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1715", + "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.\nThe user can examine the list of all installed applications in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1840", + "external_id": "AN1840" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1840", + "description": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": 
"x-mitre-analytic", + "id": "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1839", + "external_id": "AN1839" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1839", + "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. 
Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0636#AN1710", + "external_id": "AN1710" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1710", + "description": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", 
+ "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1786", + "external_id": "AN1786" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1786", + "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1646", + "external_id": "AN1646" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1646", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1699", + "external_id": "AN1699" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1699", + "description": "Network traffic analysis may reveal processes communicating with malicious domains. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1698", + "external_id": "AN1698" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1698", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. 
Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1825", + "external_id": "AN1825" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1825", + "description": "The user can view and manage installed third-party keyboards.\nApplication vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + 
"id": "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1728", + "external_id": "AN1728" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1728", + "description": "Application vetting services can detect unnecessary and potentially abused location permissions.\nOn Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.\nApplication vetting services can detect unnecessary and potentially abused API calls.\nThe user can review which applications have location permissions in the operating system\u2019s settings menu.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3", + 
"created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1754", + "external_id": "AN1754" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1754", + "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1785", + "external_id": "AN1785" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1785", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1651", + "external_id": "AN1651" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1651", + "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. 
\nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1653", + "external_id": "AN1653" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1653", + "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": 
"x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1650", + "external_id": "AN1650" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1650", + "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1811", + "external_id": "AN1811" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1811", + "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1765", + "external_id": "AN1765" + }, + { + "source_name": "unit42_strat_aged_domain_det", + "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", + "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1765", + "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1771", + "external_id": "AN1771" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1771", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by 
the application.\nMany properly configured firewalls may naturally block command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1682", + "external_id": "AN1682" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1682", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1690", + "external_id": "AN1690" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1690", + "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1833", + "external_id": "AN1833" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1833", + "description": "Application 
vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1741", + "external_id": "AN1741" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1741", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0603#AN1652", + "external_id": "AN1652" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1652", + "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0599#AN1645", + "external_id": "AN1645" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1645", + "description": "The user can view the default SMS handler in system settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": 
"x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1802", + "external_id": "AN1802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1802", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1803", + "external_id": "AN1803" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1803", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + 
"x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1770", + "external_id": "AN1770" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1770", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1775", + 
"external_id": "AN1775" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1775", + "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1676", + "external_id": "AN1676" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1676", + "description": "Many properly configured firewalls may naturally block command and 
control traffic.\nApplication vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1796", + "external_id": "AN1796" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1796", + "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. 
\nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1753", + "external_id": "AN1753" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1753", + "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0664#AN1757", + "external_id": "AN1757" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1757", + "description": "Mobile security products can potentially detect jailbroken devices.\nApplication vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1835", + "external_id": "AN1835" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1835", + "description": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0715#AN1843", + "external_id": "AN1843" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1843", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1678", + "external_id": "AN1678" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1678", + "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. 
\nMobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nApplication vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1827", + "external_id": "AN1827" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1827", + "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.\nApplication vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. 
Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1684", + "external_id": "AN1684" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1684", + "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef", + 
"created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1841", + "external_id": "AN1841" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1841", + "description": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853", + "external_id": "AN1853" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1853", + "description": "Application vetting services can detect malicious code in applications.\nSystem partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": 
"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1745", + "external_id": "AN1745" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1745", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1767", + "external_id": "AN1767" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1767", + "description": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1713", + "external_id": "AN1713" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1713", + "description": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1647", + "external_id": "AN1647" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1647", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1817", + "external_id": "AN1817" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1817", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block bidirectional command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + 
"channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1697", + "external_id": "AN1697" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1697", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0678#AN1781", + "external_id": "AN1781" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1781", + 
"description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1668", + "external_id": "AN1668" + }, + { + "source_name": "unit42_strat_aged_domain_det", + "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", + "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1668", + "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1854", + "external_id": "AN1854" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1854", + "description": "Application vetting services can detect malicious code in applications.\nSystem partition integrity checking mechanisms can detect 
unauthorized or malicious code contained in the system partition.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1692", + "external_id": "AN1692" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1692", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1707", + "external_id": "AN1707" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1707", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0631#AN1702", + "external_id": "AN1702" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1702", + "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1709", + "external_id": "AN1709" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1709", + "description": "Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1694", + "external_id": "AN1694" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1694", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1660", + "external_id": "AN1660" + } + ], + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1660", + "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. \nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1791", + "external_id": "AN1791" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-24T14:49:38.837Z", + "name": "Analytic 1791", + "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": 
false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0677#AN1780", + "external_id": "AN1780" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1780", + "description": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. 
Look for strings are other signatures left in system artifacts related to decoding steganography.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1793", + "external_id": "AN1793" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1793", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822", + "external_id": "AN1822" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1822", + "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.\nThe user can view their default phone app in device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0644#AN1722", + "external_id": "AN1722" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1722", + "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1731", + "external_id": "AN1731" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1731", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + 
"mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1849", + "external_id": "AN1849" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1849", + "description": "Application vetting services could look for connections to unknown domains or IP addresses. \nApplication vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0606#AN1656", + "external_id": "AN1656" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Analytic 1656", + "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. \nApplication vetting services can look for applications that request permissions to Accessibility services or application overlay. \nMonitor for API calls that are related to GooglePlayServices. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1772", + "external_id": "AN1772" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. 
(2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1772", + "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0719#AN1850", + "external_id": "AN1850" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1850", + "description": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0605#AN1655", + "external_id": "AN1655" + } + ], + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1655", + "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1674", + "external_id": "AN1674" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1674", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0612#AN1666", + "external_id": "AN1666" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1666", + "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1663", + "external_id": "AN1663" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1663", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block one-way command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1670", + "external_id": "AN1670" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1670", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", 
+ "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1664", + "external_id": "AN1664" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1664", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block one-way command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1782", + "external_id": "AN1782" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1782", + "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0687#AN1797", + "external_id": "AN1797" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1797", + "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)\nMobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1695", + "external_id": "AN1695" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1695", + "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. 
\nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1809", + "external_id": "AN1809" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1809", + "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.\nDuring the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1739", + "external_id": "AN1739" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1739", + "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1834", + "external_id": "AN1834" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1834", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1818", + "external_id": "AN1818" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1818", + "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1755", + 
"external_id": "AN1755" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1755", + "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \nApplication vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1830", + "external_id": "AN1830" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1830", + "description": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1681", + "external_id": "AN1681" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1681", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1798", + "external_id": "AN1798" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1798", + "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1657", + "external_id": "AN1657" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1657", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + 
"id": "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1716", + "external_id": "AN1716" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1716", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1777", + "external_id": "AN1777" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1777", + "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. 
\nAndroid applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1746", + "external_id": "AN1746" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1746", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. 
Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1810", + "external_id": "AN1810" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1810", + "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", + "created": 
"2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1813", + "external_id": "AN1813" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1813", + "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1706", + "external_id": "AN1706" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1706", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1758", + "external_id": "AN1758" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1758", + "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.\nApplication vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + 
"x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0638#AN1712", + "external_id": "AN1712" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1712", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0711#AN1837", + "external_id": "AN1837" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1837", + "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1838", + "external_id": "AN1838" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1838", + "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. 
Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0715#AN1844", + "external_id": "AN1844" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1844", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", 
+ "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1823", + "external_id": "AN1823" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1823", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0082", + "external_id": "DC0082" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:14:34.190Z", + "name": "Network Connection Creation", + "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connection to 169.254.169.254 from EC2 workload" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=3" + }, + { + "name": "macos:unifiedlog", + "channel": "connection attempts" + }, + { + 
"name": "esxi:hostd", + "channel": "System service interactions" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=3, 22" + }, + { + "name": "NSM:Connections", + "channel": "web domain alerts" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=22" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect" + }, + { + "name": "auditd:SYSCALL", + "channel": "netconnect" + }, + { + "name": "macos:osquery", + "channel": "process_events/socket_events" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound Connections" + }, + { + "name": "macos:unifiedlog", + "channel": "connection open" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline" + }, + { + "name": "NSM:Flow", + "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + }, + { + "name": "NSM:Connections", + "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "open or connect" + }, + { + "name": "macos:osquery", + "channel": "execution of trusted tools interacting with external endpoints" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=22" + }, + { + "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", + "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields" + }, + { + "name": "NSM:Firewall", + "channel": "proxy or TLS inspection logs" + }, + { + "name": "macos:unifiedlog", + "channel": "network connection events" + }, + { + "name": "esxi:vmkernel", + "channel": "protocol egress" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms" + }, + { + "name": "NSM:Flow", + "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com" + }, + { + "name": "NSM:Flow", + "channel": "HTTPs connection to 
tunnels.api.visualstudio.com" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=5156" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=5156,5157" + }, + { + "name": "linux:osquery", + "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." + }, + { + "name": "macos:unifiedlog", + "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." + }, + { + "name": "NSM:Flow", + "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" + }, + { + "name": "NSM:Flow", + "channel": "connection: TCP connections to ports 139/445 to multiple hosts" + }, + { + "name": "NSM:Flow", + "channel": "connection: SMB connections to multiple internal hosts" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect/sendto" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" + }, + { + "name": "snmp:access", + "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters" + }, + { + "name": "esxi:hostd", + "channel": "Service initiated connections" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High outbound traffic from new region resource" + }, + { + "name": "NSM:Flow", + "channel": "Outbound HTTP/S initiated by newly installed interpreter process" + }, + { + "name": "auditd:SYSCALL", + "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" + }, + { + "name": "NSM:Flow", + "channel": "outbound connections to RMM services or to unusual destination ports" + }, + { + "name": "macos:unifiedlog", + "channel": "network sessions initiated by remote desktop apps" + }, + { + "name": "AWS:VPCFlowLogs", + 
"channel": "Outbound connections to port 22, 3389" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect with TLS context by unexpected process" + }, + { + "name": "NSM:Flow", + "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port." + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." + }, + { + "name": "NSM:Flow", + "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow." + }, + { + "name": "NSM:Flow", + "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow." + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change" + }, + { + "name": "cni:netflow", + "channel": "outbound connection to internal or external APIs" + }, + { + "name": "macos:osquery", + "channel": "launchd or network_events" + }, + { + "name": "networkdevice:syslog", + "channel": "Dynamic route changes" + }, + { + "name": "NSM:Flow", + "channel": "New egress to Internet by the same UID/host shortly after terminal exec" + }, + { + "name": "NSM:Flow", + "channel": "connection: Inbound connections to SSH or VPN ports" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound connections to VNC/SSH ports" + }, + { + "name": "NSM:Flow", + "channel": "External access to container ports (2375, 6443)" + }, + { + "name": "linux:syslog", + "channel": "network" + }, + { + "name": "macos:osquery", + "channel": "process_events + launchd" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" + }, + { + "name": "ebpf:syscalls", + "channel": "socket connect" + }, + { + "name": "NSM:Flow", + "channel": "remote access" + }, + { + "name": "NSM:Flow", + "channel": "Outbound Connections" + }, + { + "name": 
"macos:unifiedlog", + "channel": "network" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic observed on mirror destination instance" + }, + { + "name": "networkdevice:Flow", + "channel": "Traffic from mirrored interface to mirror target IP" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=3" + }, + { + "name": "macos:osquery", + "channel": "process_events, socket_events" + }, + { + "name": "esxi:vmkernel", + "channel": "network activity" + }, + { + "name": "NSM:Flow", + "channel": "connection attempts" + }, + { + "name": "NSM:Flow", + "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs" + }, + { + "name": "auditd:SYSCALL", + "channel": "sendto/connect" + }, + { + "name": "NSM:Flow", + "channel": "outbound connections from host during or immediately after image build" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound Traffic" + }, + { + "name": "esxi:hostd", + "channel": "Service-Based Network Connection" + }, + { + "name": "linux:syslog", + "channel": "postfix/smtpd" + }, + { + "name": "NSM:Flow", + "channel": "new outbound connection from browser/office lineage" + }, + { + "name": "NSM:Flow", + "channel": "new outbound connection from exploited lineage" + }, + { + "name": "macos:osquery", + "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" + }, + { + "name": "auditd:SYSCALL", + "channel": "outbound connections" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or socket" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream network activity" + }, + { + "name": "NSM:Flow", + "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock" + }, + { + "name": "auditd:SYSCALL", + 
"channel": "socket/bind: Process binds to a new local port shortly after knock" + }, + { + "name": "NSM:Flow", + "channel": "Closed-port hits followed by success from same src_ip" + }, + { + "name": "NSM:Flow", + "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock" + }, + { + "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig", + "channel": "8001, 8002, 8003" + }, + { + "name": "linux:syslog", + "channel": "New Wi-Fi connection established or repeated association failures" + }, + { + "name": "macos:unifiedlog", + "channel": "Association and authentication events including failures and new SSIDs" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports" + }, + { + "name": "esxi:vmkernel", + "channel": "network session initiation with external HTTPS services" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=8001" + }, + { + "name": "linux:syslog", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat,connect -k discovery" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected inbound/outbound TFTP traffic for device image files" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0085", + "external_id": "DC0085" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:34.343Z", + "name": "Network Traffic Content", 
+ "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "ebpf:syscalls", + "channel": "Process within container accesses link-local address 169.254.169.254" + }, + { + "name": "WebProxy:AccessLogs", + "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log / xmpp.log (custom log feeds)" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log or AMQP custom log" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log, xmpp.log, amqp.log" + }, + { + "name": "networkdevice:syslog", + "channel": "ACL/Firewall rule modification or new route injection" + }, + { + "name": "m365:office", + "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" + }, + { + "name": "NSM:Flow", + "channel": "TCP/UDP" + }, + { + "name": "NSM:Flow", + "channel": "TCP session tracking" + }, + { + "name": "NSM:Flow", + "channel": "Captured packet payloads" + }, + { + "name": "NSM:Flow", + "channel": "session behavior" + }, + { + "name": "esxi:vmkernel", + "channel": "Network activity" + }, + { + "name": "NSM:Flow", + "channel": "External C2 channel over TLS" + }, + { + "name": "NSM:Flow", + "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects" + }, + { + "name": 
"NSM:Flow", + "channel": "http.log, files.log" + }, + { + "name": "NSM:Flow", + "channel": "unexpected network activity initiated shortly after shell session starts" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ssl.log" + }, + { + "name": "NSM:Flow", + "channel": "http.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "SPAN or port-mirrored HTTP/S" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ssl.log, websocket.log" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network metrics correlation for bandwidth saturation" + }, + { + "name": "docker:stats", + "channel": "unusual network TX/RX byte deltas" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "HTTPS Inspection" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log" + }, + { + "name": "linux:syslog", + "channel": "Query to suspicious domain with high entropy or low reputation" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS query with pseudo-random subdomain patterns" + }, + { + "name": "azure:vpcflow", + "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Browser connections to known C2 or dynamic DNS domains" + }, + { + "name": "NSM:Flow", + "channel": "Session History Reset" + }, + { + "name": "NSM:Flow", + "channel": "HTTP " + }, + { + "name": "macos:unifiedlog", + "channel": "network flow" + }, + { + "name": "linux:syslog", + "channel": "curl|wget|python .*http" + }, + { + "name": "macos:unifiedlog", + "channel": "curl|osascript.*open location" + }, + { + "name": "NSM:Flow", + "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes" + }, + { + "name": "etw:Microsoft-Windows-NDIS-PacketCapture", + "channel": "TLS Handshake/Network Flow" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/TLS Logs" + 
}, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.network" + }, + { + "name": "linux:syslog", + "channel": "Unexpected SQL or application log entries showing tampered or malformed data" + }, + { + "name": "EDR:hunting", + "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners" + }, + { + "name": "macos:unifiedlog", + "channel": "open URL|clicked link|LSQuarantineAttach" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious GET/POST; downloader patterns" + }, + { + "name": "NSM:Flow", + "channel": "SSH logins or scp activity" + }, + { + "name": "NSM:Flow", + "channel": "remote login and transfer" + }, + { + "name": "esxi:vob", + "channel": "NFS/remote access logs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic between instances" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs" + }, + { + "name": "NSM:Flow", + "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators" + }, + { + "name": "NSM:Flow", + "channel": "outbound egress from web host after suspicious request" + }, + { + "name": "NSM:Flow", + "channel": "Requests towards cloud metadata or command & control from pod IPs" + }, + { + "name": "ALB:HTTPLogs", + "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" + }, + { + "name": "NSM:Flow", + "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources" + }, 
+ { + "name": "NSM:Flow", + "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane" + }, + { + "name": "NSM:Flow", + "channel": "packet capture or DPI logs" + }, + { + "name": "NSM:Flow", + "channel": "http.log" + }, + { + "name": "NSM:Flow", + "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT" + }, + { + "name": "macos:unifiedlog", + "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" + }, + { + "name": "NSM:Flow", + "channel": "Unusual Base64-encoded content in URI, headers, or POST body" + }, + { + "name": "NSM:Flow", + "channel": "Base64 strings or gzip in URI, headers, or POST body" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTP POST with encoded content in user-agent or cookie field" + }, + { + "name": "esxi:vmkernel", + "channel": "Outbound traffic using encoded payloads post-login" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" + }, + { + "name": "NSM:Flow", + "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval." + }, + { + "name": "NSM:Flow", + "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host." + }, + { + "name": "NSM:Flow", + "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host." + }, + { + "name": "NSM:Flow", + "channel": "Inbound to 22/5900/8080 and follow-on internal connections." 
+ }, + { + "name": "NSM:Flow", + "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP body contains long Base64 sections" + }, + { + "name": "NSM:Flow", + "channel": "http: Base64/MIME looking payloads from ESXi host IP" + }, + { + "name": "NSM:Flow", + "channel": "LDAP Bind/Search" + }, + { + "name": "NSM:Flow", + "channel": "LDAP Query" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream (subsystem: com.apple.system.networking)" + }, + { + "name": "NSM:Flow", + "channel": "smtp.log" + }, + { + "name": "NSM:Flow", + "channel": "smtp.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "remote CLI session detection" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted connection with anomalous payload entropy" + }, + { + "name": "esxcli:network", + "channel": "Socket sessions with randomized payloads inconsistent with TLS" + }, + { + "name": "NSM:Connections", + "channel": "Symmetric encryption detected without TLS handshake sequence" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ftp.log" + }, + { + "name": "NSM:Flow", + "channel": "PCAP inspection" + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS POST requests to webhook endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to webhook endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip." + }, + { + "name": "NSM:Flow", + "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip." + }, + { + "name": "NSM:Flow", + "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow." 
+ }, + { + "name": "networkdevice:config", + "channel": "NAT table modification (add/update/delete rule)" + }, + { + "name": "NSM:Flow", + "channel": "large upload to firmware interface port or path" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" + }, + { + "name": "NSM:Flow", + "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources" + }, + { + "name": "NSM:Flow", + "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)" + }, + { + "name": "NSM:Connections", + "channel": "TLS handshake + HTTP headers" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log + http.log" + }, + { + "name": "macos:unifiedlog", + "channel": "network, socket, and http logs" + }, + { + "name": "NSM:Firewall", + "channel": "TLS/HTTP inspection" + }, + { + "name": "NSM:Flow", + "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture" + }, + { + "name": "container:proxy", + "channel": "outbound/inbound network activity from spawned pods" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound to non-standard ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content" + }, + { + "name": "NSM:Flow", + "channel": "Session Transfer Content" + }, + { + "name": "NSM:Flow", + "channel": "Captured File Content" + }, + { + "name": "NSM:Flow", + "channel": "C2 exfiltration" + }, + { + "name": "NSM:Flow", + "channel": "Transferred file observations" + }, + { + "name": "apache:access_log", + 
"channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" + }, + { + "name": "NSM:Flow", + "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity" + }, + { + "name": "NSM:Flow", + "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage" + }, + { + "name": "NSM:Flow", + "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions" + }, + { + "name": "NSM:Flow", + "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs" + }, + { + "name": "NSM:Flow", + "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot" + }, + { + "name": "docker:events", + "channel": "remote API calls to /containers/create or /containers/{id}/start" + }, + { + "name": "NSM:Flow", + "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install" + }, + { + "name": "linux:syslog", + "channel": "Integrity mismatch warnings or malformed packets detected" + }, + { + "name": "NSM:Flow", + "channel": "http::request: Outbound HTTP initiated by Python interpreter" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "Outbound requests with forged tokens/cookies in headers" + }, + { + "name": "linux:syslog", + "channel": "DNS response IPs followed by connections to non-standard calculated ports" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS responses followed by connections to ports outside standard ranges" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound traffic to mining domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted session initiation by unexpected binary" + }, + { + "name": "esxi:vmkernel", + "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" + }, + { + "name": "NSM:Connections", + "channel": "Abnormal certificate 
chains or non-standard ports carrying TLS" + }, + { + "name": "NSM:Flow", + "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs." + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS POST requests to text storage domains" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to pastebin-like domains" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers" + }, + { + "name": "NSM:Flow", + "channel": "TLS downgrade or inconsistent DNS answers" + }, + { + "name": "NSM:Flow", + "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" + }, + { + "name": "networkconfig ", + "channel": "interface flag PROMISC, netstat | ip link | ethtool" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'promiscuous'" + }, + { + "name": "networkdevice:syslog", + "channel": "config change (e.g., logging buffered, pcap buffers)" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to code repository APIs" + }, + { + "name": "azure:activity", + "channel": "networkInsightsLogs" + }, + { + "name": "gcp:audit", + "channel": "network.query*" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Unusual external domain access" + }, + { + "name": "NSM:Flow", + "channel": "conn.log or http.log" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs" + }, + { + "name": "NSM:Flow", + "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently" + }, + { + "name": "NSM:Flow", + "channel": "http: suspicious long tokens with custom alphabets in 
body/headers" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens" + }, + { + "name": "NSM:Flow", + "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols" + }, + { + "name": "NSM:Flow", + "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts" + }, + { + "name": "NSM:Flow", + "channel": "Egress to non-approved networks from host after terminal exec" + }, + { + "name": "NSM:Flow", + "channel": "Flow/PCAP analysis for outbound payloads" + }, + { + "name": "NSM:Flow", + "channel": "conn.log + files.log + ssl.log" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'open', 'sendto', 'connect'" + }, + { + "name": "NSM:Flow", + "channel": "HTTPS or custom protocol traffic with large payloads" + }, + { + "name": "esxi:vmkernel", + "channel": "network stack module logs" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected script or binary content returned in HTTP response body" + }, + { + "name": "NSM:Flow", + "channel": "Injected content responses with unexpected script/malware signatures" + }, + { + "name": "NSM:Flow", + "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads" + }, + { + "name": "NSM:Firewall", + "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" + }, + { + "name": "NSM:Firewall", + "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" + }, + { + "name": "saas:confluence", + "channel": "REST API access from non-browser agents" + }, + { + "name": "Netfilter/iptables", + "channel": "Forwarded packets log" + }, + { + "name": "NSM:Flow", + "channel": "Relay patterns across IP hops" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound encrypted traffic" + }, + { + "name": "NSM:Flow", + "channel": "ldap.log" + }, 
+ { + "name": "macos:unifiedlog", + "channel": "dns-sd, mDNSResponder, socket activity" + }, + { + "name": "networkdevice:IDS", + "channel": "content inspection / PCAP / HTTP body" + }, + { + "name": "NSM:Flow", + "channel": "Probe responses from unauthorized APs responding to client probe requests" + }, + { + "name": "auditd:SYSCALL", + "channel": "setsockopt, ioctl modifying ARP entries" + }, + { + "name": "NSM:Flow", + "channel": "Excessive gratuitous ARP replies on local subnet" + }, + { + "name": "NSM:Flow", + "channel": "Inbound HTTP POST with suspicious payload size or user-agent" + }, + { + "name": "NSM:Flow", + "channel": "POST requests to .php, .jsp, .aspx files with high entropy body" + }, + { + "name": "NSM:Flow", + "channel": "dns.log" + }, + { + "name": "NSM:FLow", + "channel": "dns.log" + }, + { + "name": "NSM:Flow", + "channel": "Encrypted tunnels or proxy traffic to non-standard destinations" + }, + { + "name": "esxi:vmkernel", + "channel": "Suspicious traffic filtered or redirected by VM networking stack" + }, + { + "name": "NSM:Flow", + "channel": "large transfer from management IPs to unauthorized host" + }, + { + "name": "NSM:Flow", + "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, smb_files.log" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "mirror/SPAN port" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, conn.log, smb_files.log" + }, + { + "name": "linux:syslog", + "channel": "Multiple NXDOMAIN responses and high entropy domains" + }, + { + "name": "NSM:Flow", + "channel": "SSL/TLS Inspection or PCAP" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, ssl.log" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network activity" + }, + { + "name": "NSM:Flow", + "channel": "http, dns, smb, ssl logs" + }, + { + "name": "NSM:Flow", + "channel": "dns, ssl, 
conn" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, http.log, dns.log, ssl.log" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" + }, + { + "name": "NSM:Flow", + "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)" + }, + { + "name": "NSM:Flow", + "channel": "icmp.log, weird.log" + }, + { + "name": "NSM:Flow", + "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)" + }, + { + "name": "esxi:vmkernel", + "channel": "VMCI syslog entries" + }, + { + "name": "NSM:Firewall", + "channel": "ICMP/UDP protocol anomaly" + }, + { + "name": "NSM:Flow", + "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts" + }, + { + "name": "NSM:Flow", + "channel": "DHCP OFFER or ACK with unauthorized DNS/gateway parameters" + }, + { + "name": "NSM:Flow", + "channel": "Multiple DHCP OFFER responses for a single DISCOVER" + }, + { + "name": "NSM:Flow", + "channel": "SSL/TLS Handshake Analysis" + }, + { + "name": "NSM:Flow", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Flow", + "channel": "Network Capture TLS/HTTP" + }, + { + "name": "NSM:Content", + "channel": "SSL Certificate Metadata" + }, + { + "name": "NSM:Content", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Content", + "channel": "TLS Fingerprint and Certificate Analysis" + }, + { + "name": "NSM:Flow", + "channel": "container egress to unknown IPs/domains" + }, + { + "name": "gcp:vpcflow", + "channel": "first 5m egress to unknown ASNs" + }, + { + "name": "NSM:Flow", + "channel": "HTTP Request Logging" + }, + { + "name": "WinEventLog:iis", + "channel": "IIS Logs" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.WebKit" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" + }, + { + "name": "NSM:Flow", + "channel": "ssh connections 
originating from third-party CIDRs" + }, + { + "name": "NSM:Flow", + "channel": "ssh/smb connections to internal resources from third-party devices" + }, + { + "name": "NSM:Flow", + "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)" + }, + { + "name": "NSM:Flow", + "channel": "host switch egress data" + }, + { + "name": "NSM:Flow", + "channel": "Outbound HTTP/S" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log - Certificate Analysis" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log, x509.log" + }, + { + "name": "NSM:Flow", + "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)" + }, + { + "name": "WIDS:AssociationLogs", + "channel": "Unauthorized AP or anomalous MAC address connection attempts" + }, + { + "name": "macos:unifiedlog", + "channel": "encrypted outbound traffic carrying unexpected application data" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound with non-standard encapsulated protocols" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound connections with consistent periodicity" + }, + { + "name": "macos:unifiedlog", + "channel": "TLS connections with abnormal handshake sequence or self-signed cert" + }, + { + "name": "esxcli:network", + "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + }, + { + "name": "IDS:TLSInspection", + "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + }, + { + "name": "macos:unifiedlog", + "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + }, + { + 
"name": "macos:unifiedlog", + "channel": "outbound TLS connections to cloud storage providers" + }, + { + "name": "saas:box", + "channel": "API calls exceeding baseline thresholds" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to cloud storage APIs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "WinINet API telemetry" + }, + { + "name": "macos:unifiedlog", + "channel": "process, network" + }, + { + "name": "NSM:Connections", + "channel": "Unusual POST requests to admin or upload endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious POSTs to upload endpoints" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures or unusual community string usage in SNMP queries" + }, + { + "name": "API:ConfigRepoAudit", + "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + }, + { + "name": "NSM:Content", + "channel": "Traffic on RPC DRSUAPI" + }, + { + "name": "macos:unifiedlog", + "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/data-components/DC0032", + "external_id": "DC0032" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T19:28:39.339Z", + "name": "Process Creation", + "description": "Refers to the event in which a new process (executable) is initialized by an operating system. 
This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. 
", + "x_mitre_data_source_ref": "", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream 'eventMessage contains pubsub or broker'" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=1" + }, + { + "name": "linux:osquery", + "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution path inconsistent with baseline PATH directories" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4688" + }, + { + "name": "linux:osquery", + "channel": "process_events" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec" + }, + { + "name": "macos:osquery", + "channel": "processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl with suspicious arguments" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve network tools" + }, + { + "name": "macos:osquery", + "channel": "process_events" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to soffice.bin with suspicious macro execution flags" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts" + }, + { + "name": "macos:osquery", + "channel": "process reading browser configuration paths" + }, + { + "name": "macos:unifiedlog", + "channel": "exec logs" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs" + 
}, + { + "name": "macos:endpointsecurity", + "channel": "exec: Process execution context for loaders calling dlopen/dlsym" + }, + { + "name": "auditd:EXECVE", + "channel": "EXECVE" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of unexpected binaries during user shell startup" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of Terminal.app or shell with non-standard environment setup" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of systemctl or service stop" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of launchctl or pkill" + }, + { + "name": "macos:unifiedlog", + "channel": "process::exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context" + }, + { + "name": "macos:osquery", + "channel": "Execution of non-standard binaries accessing Kerberos APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Electron-based binary spawning shell or script interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "Electron app spawning unexpected child process" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history or /etc/init.d/*" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls with high-frequency or known bandwidth-intensive tools" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or spawn calls to proxy tools or torrent clients" + }, + { + "name": "containers:osquery", + "channel": "bandwidth-intensive command execution from within a container namespace" + }, + { + "name": "macos:unifiedlog", + "channel": "process launch" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security, sqlite3, or 
unauthorized binaries" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected applications generating outbound DNS queries" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=1" + }, + { + "name": "macos:osquery", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected child process of Safari or Chrome" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks" + }, + { + "name": "macos:unifiedlog", + "channel": "process writes or modifies files in excluded paths" + }, + { + "name": "macos:unifiedlog", + "channel": "process" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.mail.* exec.*" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)" + }, + { + "name": "esxi:vobd", + "channel": "/var/log/vobd.log" + }, + { + "name": "kubernetes:apiserver", + "channel": "kubectl exec or kubelet API calls targeting running pods" + }, + { + "name": "docker:audit", + "channel": "Process execution events within container namespace context" + }, + { + "name": "auditd:SYSCALL", + "channel": "process persists beyond parent shell termination" + }, + { + "name": "macos:unifiedlog", + "channel": "background process persists beyond user logout" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)" + }, + { + "name": "macos:unifiedlog", + "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns" + }, + { + "name": "esxi:hostd", + "channel": "process execution across cloud VM" + }, + { + "name": "auditd:EXECVE", + "channel": "systemctl spawning managed processes" + }, + { + "name": "macos:unifiedlog", + "channel": 
"None" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec events where web process starts a shell/tooling" + }, + { + "name": "docker:events", + "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container" + }, + { + "name": "macos:unifiedlog", + "channel": "exec of osascript, bash, curl with suspicious parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list" + }, + { + "name": "macos:osquery", + "channel": "process_events OR launchd" + }, + { + "name": "auditd:EXECVE", + "channel": "execve" + }, + { + "name": "macos:osquery", + "channel": "launchd or process_events" + }, + { + "name": "macos:unifiedlog", + "channel": "process and file events via log stream" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of scripts or binaries spawned from browser processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Browser processes launching unexpected interpreters (osascript, bash)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files" + }, + { + "name": "auditd:SYSCALL", + "channel": "EXECVE" + }, + { + "name": "macos:unifiedlog", + "channel": "process:exec" + }, + { + "name": 
"auditd:SYSCALL", + "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email client" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity." + }, + { + "name": "macos:osquery", + "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes." + }, + { + "name": "macos:unifiedlog", + "channel": "process activity stream" + }, + { + "name": "auditd:SYSCALL", + "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root" + }, + { + "name": "macos:unifiedlog", + "channel": "Post-login execution of unrecognized child process from launchd or loginwindow" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags" + }, + { + "name": "macos:unifiedlog", + "channel": "process command line contains base64, -enc, openssl enc -base64" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: arguments contain Base64-like strings" + }, + { + "name": "esxi:shell", + "channel": "commands containing base64, openssl enc -base64, xxd -p" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of process launched via loginwindow session restore" + }, + { + "name": "macos:unifiedlog", + "channel": "process: exec + filewrite: ~/.ssh/authorized_keys" + }, + { + "name": "containerd:runtime", + "channel": "/var/log/containers/*.log" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Java apps or other processes with hidden window attributes" + }, + { + "name": "macos:unifiedlog", + "channel": "Process Execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve on code or jetbrains-gateway with remote flags" + }, + { + 
"name": "macos:unifiedlog", + "channel": "process: code or jetbrains-gateway launching with --tunnel or --remote" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd, shred, wipe targeting block devices" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of sleep or ping command within script interpreted by bash/python" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or socket/connect system calls from processes using crypto libraries" + }, + { + "name": "macos:unifiedlog", + "channel": "Process using AES/RC4 routines unexpectedly" + }, + { + "name": "linux:osquery", + "channel": "execution of known firewall binaries" + }, + { + "name": "auditd:SYSCALL", + "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime" + }, + { + "name": "linux:osquery", + "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'" + }, + { + "name": "macos:unifiedlog", + "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\"" + }, + { + "name": "macos:osquery", + "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of osascript, curl, or unexpected automation" + }, + { + "name": "macos:unifiedlog", + "channel": "exec /usr/bin/pwpolicy" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw." 
+ }, + { + "name": "linux:syslog", + "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf." + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations." + }, + { + "name": "macos:unifiedlog", + "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters." + }, + { + "name": "auditd:EXECVE", + "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of known flash tools (e.g., flashrom, fwupd)" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API" + }, + { + "name": "macos:endpointSecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)" + }, + { + "name": "macos:osquery", + "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)" + }, + { + "name": "macos:unifiedlog", + "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary" + }, + { + "name": "auditd:EXECVE", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "process:launch" + }, + { + "name": "auditd:EXECVE", + "channel": "Shell commands invoked by SQL process such 
as postgres, mysqld, or mariadbd" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\"" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of scp, rsync, curl with remote destination" + }, + { + "name": "macos:unifiedlog", + "channel": "logMessage contains pbpaste or osascript" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)" + }, + { + "name": "macos:unifiedlog", + "channel": "process launch of diskutil or system_profiler with SPStorageDataType" + }, + { + "name": "esxi:hostd", + "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail.app executing with parameters updating rules state" + }, + { + "name": "esxi:shell", + "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera" + }, + { + "name": "kubernetes:apiserver", + "channel": "exec into pod followed by secret retrieval via API" + }, + { + "name": "macos:unifiedlog", + "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")" + }, + { + "name": "macos:unifiedlog", + "channel": "exec srm|exec openssl|exec gpg" + }, + { + "name": "linux:osquery", + "channel": "Process execution with LD_PRELOAD or modified library path" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of process with DYLD_INSERT_LIBRARIES set" + }, + { + "name": "linux:Sysmon", + "channel": "process creation events linked to container namespaces executing host-level binaries" + }, + { + "name": "WinEventlog:Security", + 
"channel": "EventCode=4688" + }, + { + "name": "macos:unifiedlog", + "channel": "process and signing chain events" + }, + { + "name": "macos:unifiedlog", + "channel": "launchservices events for misleading extensions" + }, + { + "name": "fs:fsusage", + "channel": "Execution of disguised binaries" + }, + { + "name": "linux:osquery", + "channel": "process listening or connecting on non-standard ports" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd services binding to non-standard ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, connect" + }, + { + "name": "esxi:cron", + "channel": "process or cron activity" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binaries with unsigned or anomalously signed certificates" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve logging for /usr/bin/systemctl and systemd-run" + }, + { + "name": "macos:osquery", + "channel": "Invocation of osascript or dylib injection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of files saved in mail or download directories" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview" + }, + { + "name": "macos:unifiedlog", + "channel": "process events" + }, + { + "name": "linux:syslog", + "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3" + }, + { + "name": "macos:unifiedlog", + "channel": "Process start of Java or native DB client tools" + }, + { + "name": "macos:unifiedlog", + "channel": "loginwindow or tccd-related entries" + }, + { + "name": "macos:osquery", + "channel": "query: process_events, launchd, and tcc.db access" + }, + 
{ + "name": "ebpf:syscalls", + "channel": "process execution or network connect from just-created container PID namespace" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of pip, npm, gem, or similar package managers" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal" + }, + { + "name": "auditd:SYSCALL", + "channel": "fork/exec of service via PID 1 (systemd)" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of ssh/scp/sftp without corresponding authentication log" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of ssh or sftp without corresponding login event" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of remote desktop app or helper binary" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected processes making network calls based on DNS-derived ports" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl spawning new processes" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl activity and process creation" + }, + { + "name": "containerd:events", + "channel": "New container with suspicious image name or high resource usage" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries" + }, + { + "name": "linux:osquery", + "channel": "Processes linked with libssl or crypto libraries making outbound connections" + }, + { + "name": "macos:unifiedlog", + "channel": "Process invoking SSL routines from Security framework" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binary listed in newly modified LaunchAgent plist" + }, + { + "name": "macos:unifiedlog", + "channel": 
"Execution of bless or nvram modifying boot parameters" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected processes registered with launchd" + }, + { + "name": "macos:unifiedlog", + "channel": "Process launch" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, osascript, or unexpected Office processes" + }, + { + "name": "macos:osquery", + "channel": "exec" + }, + { + "name": "macos:unifiedlog", + "channel": "Trust validation failures or bypass attempts during notarization and code signing checks" + }, + { + "name": "esxi:vmkernel", + "channel": "spawned shell or execution environment activity" + }, + { + "name": "macos:unifiedlog", + "channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets" + }, + { + "name": "m365:defender", + "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)" + }, + { + "name": "macos:unifiedlog", + "channel": "execve or dylib load from memory without backing file" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands that alter firewall or start listeners: 
iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)." + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers." + }, + { + "name": "esxi:shell", + "channel": "Shell Execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Unusual child process tree indicating attempted recovery after crash" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of processes mimicking Apple Security & Privacy GUIs" + }, + { + "name": "WinEventLog:Microsoft-Windows-Security-Auditing", + "channel": "EventCode=4688" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, setifflags" + }, + { + "name": "macos:osquery", + "channel": "process_events where path like '%tcpdump%'" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd, shred, or wipe with arguments targeting block devices" + }, + { + "name": "auditd:EXECVE", + "channel": "systemctl stop auditd, kill -9 , or modifications to /etc/selinux/config" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, git, or Office processes with network connections" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - process subsystem" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx" + }, + { + "name": "macos:unifiedlog", + "channel": "process logs" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens" + }, + { + "name": 
"macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets" + }, + { + "name": "macos:unifiedlog", + "channel": "command line or log output shows non-standard encoding routines" + }, + { + "name": "esxi:shell", + "channel": "commands containing long non-standard tokens or custom lookup tables" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc." + }, + { + "name": "macos:unifiedlog", + "channel": "execve: Helper tools invoked through XPC executing unexpected binaries" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of modified binary without valid signature" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'" + }, + { + "name": "macos:unifiedlog", + "channel": "process created with repeated ICMP or UDP flood behavior" + }, + { + "name": "fs:fsusage", + "channel": "binary execution of security_authtrampoline" + }, + { + "name": "macos:unifiedlog", + "channel": "process: exec" + }, + { + "name": "esxi:vmkernel", + "channel": "Exec" + }, + { + "name": "macos:unifiedlog", + "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of older or non-standard interpreters" + }, + { + "name": "linux:osquery", + "channel": "process execution events for permission modification utilities with 
command-line analysis" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for chmod, chown, chflags with parameter analysis and target path examination" + }, + { + "name": "macos:osquery", + "channel": "process execution monitoring for permission modification utilities with command-line argument analysis" + }, + { + "name": "auditd:SYSCALL", + "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs" + }, + { + "name": "macos:osquery", + "channel": "Execution of flooding tools or compiled packet generators" + }, + { + "name": "esxi:hostd", + "channel": "process" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve for proxy tools" + }, + { + "name": "macos:unifiedlog", + "channel": "process, socket, and DNS logs" + }, + { + "name": "macos:osquery", + "channel": "process_events table" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line containing `trap` or `echo 'trap` written to login shell files" + }, + { + "name": "macos:unifiedlog", + "channel": "log collect --predicate" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or nanosleep with no stdout/stderr I/O" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd or osascript spawns process with delay command" + }, + { + "name": "linux:syslog", + "channel": "systemd-udevd spawning user-defined action from RUN+=" + }, + { + "name": "ebpf:syscalls", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "process:spawn" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'eventMessage contains \"exec\"'" + }, + { + "name": "auditd:EXECVE", + "channel": "cat|less|grep accessing .bash_history from a non-shell process" + }, + { + "name": "auditd:EXECVE", + "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of dpkg, rpm, or other package manager with list flag" + }, + { + "name": 
"macos:unifiedlog", + "channel": "Execution of system_profiler or osascript invoking enumeration" + }, + { + "name": "auditd:SYSCALL", + "channel": "apache2 or nginx spawning sh, bash, or python interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "httpd spawning bash, zsh, python, or osascript" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security or osascript" + }, + { + "name": "WinEventLog:security", + "channel": "EventCode=4688" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of ping, nping, or crafted network packets via bash or python to reflection services" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs" + }, + { + "name": "macos:unifiedlog", + "channel": "System process modifications altering DNS/proxy settings" + }, + { + "name": "containerd:Events", + "channel": "unusual process spawned from container image context" + }, + { + "name": "macos:osquery", + "channel": "curl, python scripts, rsync with internal share URLs" + }, + { + "name": "macos:unifiedlog", + "channel": "process: spawn, exec" + }, + { + "name": "macos:osquery", + "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected apps performing repeated DNS lookups" + }, + { + "name": "macos:unifiedlog", + "channel": "launchservices or loginwindow events" + }, + { + "name": "auditd:SYSCALL", 
+ "channel": "execve with LD_PRELOAD or linker-related environment variables set" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of process with DYLD_INSERT_LIBRARIES set" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of re-parented process" + }, + { + "name": "linux:osquery", + "channel": "Anomalous parent PID change" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation with parent PID of 1 (launchd)" + }, + { + "name": "linux:osquery", + "channel": "child process invoking dynamic linker post-ptrace" + }, + { + "name": "macos:osquery", + "channel": "Processes executing kextload, spctl, or modifying kernel extension directories" + }, + { + "name": "macos:osquery", + "channel": "Unsigned or ad-hoc signed process executions in user contexts" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of diskutil or hdiutil attaching hidden partitions" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis" + }, + { + "name": "macos:osquery", + "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected apps generating frequent DNS queries" + }, + { + "name": "macos:unifiedlog", + "channel": "process exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "Non-standard processes invoking financial applications or payment APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells" + }, + { + "name": "auditd:SYSCALL", 
+ "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system" + }, + { + "name": "macos:unifiedlog", + "channel": "Process exec of remote-control apps or binaries with headless/connect flags" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl unload, kill, or removal of security agent daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "process activity, exec events" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream process subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "process:exec and kext load events" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'" + }, + { + "name": "WinEventLog:Microsoft-Windows-DotNETRuntime", + "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of network stress tools or anomalies in socket/syscall behavior" + }, + { + "name": "macos:unifiedlog", + "channel": "Unsigned binary execution following SIP change" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond" + }, + 
{ + "name": "WinEventLog:AppLocker", + "channel": "EventCode=8003,8004" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, unlink" + }, + { + "name": "macos:osquery", + "channel": "launchd, processes" + }, + { + "name": "linux:osquery", + "channel": "socat, ssh, or nc processes opening unexpected ports" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution of ssh with -L/-R forwarding flags" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd or cron spawning mining binaries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or socket/connect system calls for processes using RSA handshake" + }, + { + "name": "macos:unifiedlog", + "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs" + }, + { + "name": "azure:vmguest", + "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Script interpreter invoked by nginx/apache worker process" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of Office binaries with network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of bash/zsh/python/osascript targeting key file locations" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of /sbin/emond with child processes launched" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete" + }, + { + "name": "macos:unifiedlog", + "channel": "shutdown -h now or reboot" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis" + }, + { + "name": 
"OpenBSM:AuditTrail", + "channel": "BSM audit events for process execution and system call monitoring during reconnaissance" + }, + { + "name": "esxi:hostd", + "channel": "host daemon events related to VM operations and configuration queries during reconnaissance" + }, + { + "name": "esxi:vmkernel", + "channel": "VMware kernel events for hardware and system configuration access during environmental validation" + }, + { + "name": "linux:osquery", + "channel": "processes modifying environment variables related to history logging" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, rclone, or Office apps invoking network sessions" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec events" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation involving binaries interacting with resource fork data" + }, + { + "name": "macos:unifiedlog", + "channel": "process event" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of suspicious exploit binaries targeting security daemons" + }, + { + "name": "macos:osquery", + "channel": "execve: Unsigned or unnotarized processes launched with high privileges" + }, + { + "name": "macos:unifiedlog", + "channel": "security OR injection attempts into 1Password OR LastPass" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "created": "2023-03-13T20:48:14.540Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0118", + "external_id": "DC0118" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "System Settings", + "description": "Settings visible to the user on the device", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "created": "2023-03-13T19:59:14.491Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0112", + "external_id": "DC0112" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "API Calls", + "description": "API calls utilized by an application that could indicate malicious activity", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", + "created": "2024-03-29T14:59:30.164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0119", + "external_id": "DC0119" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2025-10-21T15:10:28.402Z", + "name": "Application Assets", + "description": "Additional assets included with an application", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0033", + "external_id": "DC0033" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:36.181Z", + "name": "Process Termination", + "description": "The exit or termination of a running process on a system. 
This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=5" + }, + { + "name": "linux:syslog", + "channel": "Unexpected termination of daemons or critical services not aligned with admin change tickets" + }, + { + "name": "macos:osquery", + "channel": "process_termination: Unexpected termination of processes tied to vulnerable or high-value services" + }, + { + "name": "esxi:hostd", + "channel": "Log entries indicating VM powered off or forcibly terminated" + }, + { + "name": "macos:unifiedlog", + "channel": "Terminal process killed (killall Terminal) immediately after sudoers modification" + }, + { + "name": "auditd:SYSCALL", + "channel": "exit_group" + }, + { + "name": "macos:unifiedlog", + "channel": 
"process.*exit.*code" + }, + { + "name": "linux:osquery", + "channel": "unexpected termination of syslog or rsyslog processes" + }, + { + "name": "auditd:SYSCALL", + "channel": "Process segfault or abnormal termination after invoking vulnerable syscall sequence" + }, + { + "name": "auditd:SYSCALL", + "channel": "kill syscalls targeting logging/security processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Termination of syspolicyd or XProtect processes" + }, + { + "name": "docker:runtime", + "channel": "Termination of monitoring sidecar or security container" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0064", + "external_id": "DC0064" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:34.849Z", + "name": "Command Execution", + "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. 
Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. 
Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Command", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments" + }, + { + "name": "macos:unifiedlog", + "channel": "dsconfigad or dscl with create or append options for AD-bound users" + }, + { + "name": "EDR:AMSI", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "/var/log/syslog or journalctl" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Get-ADTrust|GetAllTrustRelationships" + }, + { + "name": "gcp:audit", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of script interpreters by systemd timer (ExecStart)" + }, + { + "name": "AWS:CloudTrail", + "channel": "InvokeFunction" + }, + { + "name": "m365:unified", + "channel": "Automated forwarding or file sync initiated by a logic app" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4104" + }, + { + "name": "linux:syslog", + "channel": "Suspicious 
script or command execution targeting browser folders" + }, + { + "name": "esxi:shell", + "channel": "snapshot create/copy, esxcli" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security-agent detection or enumeration commands" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggers execution of mailbox-stored custom form" + }, + { + "name": "auditd:EXECVE", + "channel": "Use of mv or cp to rename files with '.' prefix" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of chflags hidden or SetFile -a V" + }, + { + "name": "esxi:shell", + "channel": "interactive shell" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults read -g AppleLocale, systemsetup -gettimezone" + }, + { + "name": "macos:unifiedlog", + "channel": "profiles install -type=configuration" + }, + { + "name": "auditd:SYSCALL", + "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" + }, + { + "name": "m365:unified", + "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" + }, + { + "name": "EDR:cli", + "channel": "Command Line Telemetry" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'eventMessage contains 
\"loginwindow\" or \"pfctl\"'" + }, + { + "name": "networkdevice:syslog", + "channel": "Command Audit / Configuration Change" + }, + { + "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", + "channel": "Outlook loading add-in via unexpected load path or non-default profile context" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4104" + }, + { + "name": "WinEventLog:Powershell", + "channel": "EventCode=4104" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain" + }, + { + "name": "auditd:EXECVE", + "channel": "gcore, gdb, strings, hexdump execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect, execve, write" + }, + { + "name": "esxi:hostd", + "channel": "command execution" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" + }, + { + "name": "macos:syslog", + "channel": "system.log" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "docker:daemon", + "channel": "docker exec or docker run with unexpected command/entrypoint" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call including 'nohup' or trailing '&'" + }, + { + "name": "macos:unifiedlog", + "channel": "nohup, disown, or osascript execution patterns" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CommandLine=copy-item or robocopy from UNC path" + }, + { + "name": "esxi:shell", + "channel": "invoked remote scripts (esxcli)" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of systemctl with subcommands start, stop, enable, disable" 
+ }, + { + "name": "networkdevice:cli", + "channel": "Policy Update" + }, + { + "name": "auditd:SYSCALL", + "channel": "None" + }, + { + "name": "AWS:CloudTrail", + "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" + }, + { + "name": "gcp:audit", + "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" + }, + { + "name": "esxi:hostd", + "channel": "modification of config files or shell command execution" + }, + { + "name": "kubernetes:audit", + "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of 'profiles install -type=configuration'" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem:com.apple.Terminal" + }, + { + "name": "networkdevice:syslog", + "channel": "eventlog" + }, + { + "name": "esxi:hostd", + "channel": "shell access or job registration" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "PowerShell launched from outlook.exe or triggered without user invocation" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" + }, + { + "name": "linus:syslog", + "channel": "None" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103,4104" + }, + { + "name": "linux:syslog", + "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" + }, + { + "name": "macos:unifiedlog", + "channel": "base64 or curl processes chained within short execution window" + }, + { + "name": "esxi:shell", + "channel": "base64 or gzip use within shell session" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys" + 
}, + { + "name": "auditd:SYSCALL", + "channel": "chmod, execve" + }, + { + "name": "macos:unifiedlog", + "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777" + }, + { + "name": "macos:unifiedlog", + "channel": "command includes dscl . delete or sysadminctl --deleteUser" + }, + { + "name": "fs:fsusage", + "channel": "file system activity monitor" + }, + { + "name": "networkdevice:cli", + "channel": "ip ssh pubkey-chain" + }, + { + "name": "esxi:shell", + "channel": "scripts or binaries with misleading names" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of GUI-related binaries with suppressed window/display flags" + }, + { + "name": "linuxsyslog", + "channel": "nslcd or winbind logs" + }, + { + "name": "macos:unifiedlog", + "channel": "DS daemon log entries" + }, + { + "name": "esxi:hostd", + "channel": "logline inspection" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil eraseDisk / asr restore with destructive flags" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase startup-config, format disk" + }, + { + "name": "networkdevice:syslog", + "channel": "command_exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: iptables, nft, firewall-cmd modifications" + }, + { + "name": "macos:unifiedlog", + "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf" + }, + { + "name": "esxi:hostd", + "channel": "esxcli network firewall set commands" + }, + { + "name": "docker:events", + "channel": "container exec rm|container stop --force" + }, + { + "name": "esxi:hostd", + "channel": "event stream" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command logs" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" + }, + { + "name": "networkdevice:syslog", + "channel": "command-exec: CLI commands 
containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" + }, + { + "name": "networkdevice:cli", + "channel": "cmd: cmd=show clock detail" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -X POST, wget --post-data" + }, + { + "name": "linux:syslog", + "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" + }, + { + "name": "macos:unifiedlog", + "channel": "pwpolicy|PasswordPolicy" + }, + { + "name": "networkdevice:syslog", + "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI command audit" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line contains smbutil view //, mount_smbfs //" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Invocation of scp, rsync, curl, or sftp" + }, + { + "name": "esxi:hostd", + "channel": "scp/ssh used to move file across hosts" + }, + { + "name": "auditd:EXECVE", + "channel": "command line arguments containing lsblk, fdisk, parted" + }, + { + "name": "macos:unifiedlog", + "channel": "log messages related to disk enumeration context or Terminal session" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying local mail filter configuration files" + }, + { + "name": "esxi:hostd", + "channel": "None" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "sudo execution of 
ffmpeg/gst-launch/v4l2-ctl by non-standard user" + }, + { + "name": "docker:api", + "channel": "docker logs access or container inspect commands from non-administrative users" + }, + { + "name": "esxi:shell", + "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" + }, + { + "name": "esxi:shell", + "channel": "openssl|tar|dd" + }, + { + "name": "AWS:CloudTrail", + "channel": "SSM RunCommand" + }, + { + "name": "azure:activity", + "channel": "Intune PowerShell Scripts" + }, + { + "name": "m365:exchange", + "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" + }, + { + "name": "esxi:syslog", + "channel": "boot logs" + }, + { + "name": "networkdevice:syslog", + "channel": "system boot logs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults write com.apple.system.logging or logd manipulation" + }, + { + "name": "esxi:hostd", + "channel": "esxcli system syslog config set or reload" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: openssl pkcs12, certutil, keytool" + }, + { + "name": "macos:unifiedlog", + "channel": "process calling security find-certificate, export, or import" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" + }, + { + "name": "m365:exchange", + "channel": "Get-RoleGroup, Get-DistributionGroup" + }, + { + "name": "auditd:SYSCALL", + 
"channel": "execution of systemctl or service with enable/start parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of log show, fs_usage, or cat targeting system.log" + }, + { + "name": "AWS:CloudTrail", + "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" + }, + { + "name": "esxi:shell", + "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "CLI usage logs" + }, + { + "name": "macos:syslog", + "channel": "/var/log/system.log" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of launchctl load/unload/start commands" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Exchange Cmdlets" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, USER_CMD" + }, + { + "name": "auditd:USER_CMD", + "channel": "USER_CMD" + }, + { + "name": "esxi:shell", + "channel": "Command execution trace" + }, + { + "name": "auditd:SYSCALL", + "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" + }, + { + "name": "linux:osquery", + "channel": "Command-line includes base64 -d or openssl enc -d" + }, + { + "name": "macos:unifiedlog", + "channel": "base64 -d or osascript invoked on staged file" + }, + { + "name": "auditd:EXECVE", + "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -d, wget --post-data" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Processes executing sendmail/postfix with forged headers" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil partitionDisk or eraseVolume with 
partition scheme modifications" + }, + { + "name": "networkdevice:cli", + "channel": "format flash:, format disk, reformat commands" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" + }, + { + "name": "networkdevice:Firewall", + "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" + }, + { + "name": "auditd:EXECVE", + "channel": "grep/cat/awk on files with password fields" + }, + { + "name": "macos:unifiedlog", + "channel": "grep/cat on files matching credential patterns" + }, + { + "name": "kubernetes:audit", + "channel": "process execution involving curl, grep, or awk on secrets" + }, + { + "name": "AWS:CloudTrail", + "channel": "command-line execution invoking credential enumeration" + }, + { + "name": "auditd:SYSCALL", + "channel": "promiscuous mode transitions (ioctl or ifconfig)" + }, + { + "name": "fs:fsusage", + "channel": "access to BPF devices or interface IOCTLs" + }, + { + "name": "networkdevice:syslog", + "channel": "exec command='monitor capture'" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Unexpected DLL or component loaded at Office startup" + }, + { + "name": "m365:office", + "channel": "Startup execution includes non-default component" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase nvram:, format disk" + }, + { + "name": "macos:unifiedlog", + "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper" + 
}, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" + }, + { + "name": "networkdevice:syslog", + "channel": "no logging buffered, no aaa new-model, disable firewall" + }, + { + "name": "auditd:EXECVE", + "channel": "git push, curl -X POST" + }, + { + "name": "linux:cli", + "channel": "command logging" + }, + { + "name": "esxi:hostd", + "channel": "command log" + }, + { + "name": "networkdevice:cli", + "channel": "command logs" + }, + { + "name": "networkdevice:syslog", + "channel": "interactive shell logging" + }, + { + "name": "esxi:hostd", + "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" + }, + { + "name": "auditd:SYSCALL", + "channel": "chattr, rm, shred, dd run on recovery directories or partitions" + }, + { + "name": "networkdevice:syslog", + "channel": "command sequence: erase \u2192 format \u2192 reload" + }, + { + "name": "macos:unifiedlog", + "channel": "process: at, job runner" + }, + { + "name": "macos:osquery", + "channel": "Interpreter exec with suspicious arguments as above" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of dscl . 
create with IsHidden=1" + }, + { + "name": "linux:syslog", + "channel": "sshd logs" + }, + { + "name": "esxi:shell", + "channel": "Shell Access/Command Execution" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Logging" + }, + { + "name": "auditd:CONFIG_CHANGE", + "channel": "udev rule reload or trigger command executed" + }, + { + "name": "linux:cli", + "channel": "Shell history logs" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'" + }, + { + "name": "networkdevice:cli", + "channel": "command logging" + }, + { + "name": "esxi:hostd", + "channel": "Command Execution" + }, + { + "name": "macos:osquery", + "channel": "launchd + process_events" + }, + { + "name": "esxi:vmkernel", + "channel": "DCUI shell start, BusyBox activity" + }, + { + "name": "esxi:hostd", + "channel": "remote CLI + vim-cmd logging" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Audit" + }, + { + "name": "m365:defender", + "channel": "Activity Log: Command Invocation" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CmdletName: Get-Recipient, Get-User" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" + }, + { + "name": "linux:shell", + "channel": "Manual invocation of software enumeration commands via interactive shell" + }, + { + "name": "auditd:SYSCALL", + "channel": "Command line arguments including SPApplicationsDataType" + }, + { + "name": "AWS:CloudTrail", + "channel": "ssm:GetCommandInvocation" + }, + { + "name": "esxi:shell", + "channel": "esxcli software vib list" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of setfattr or getfattr commands" + }, + { + "name": "macos:unifiedlog", + "channel": "xattr utility execution with -w or -p flags" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP 
packets to known amplifier ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of tools like cat, grep, or awk on credential files" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage" + }, + { + "name": "linux:syslog", + "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103,4104,4105, 4106" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of xev, xdotool, or input activity emulators" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl load or boot-time plist registration" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" + }, + { + "name": "networkdevice:syslog", + "channel": "command audit" + }, + { + "name": "networkdevice:cli", + "channel": "Interface commands" + }, + { + "name": "macos:unifiedlog", + "channel": "dscl -create" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli system account add" + }, + { + "name": "ebpf:syscalls", + "channel": "useradd or /etc/passwd modified inside container" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" + }, + { + "name": "macos:unifiedlog", + "channel": "kextload execution from Terminal or suspicious paths" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell without -NoProfile flag" + }, + { + "name": "auditd:EXECVE", + "channel": "Process 
execution of update-ca-certificates or openssl with suspicious arguments" + }, + { + "name": "macos:unifiedlog", + "channel": "xattr -d com.apple.quarantine or similar removal commands" + }, + { + "name": "azure:signinLogs", + "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" + }, + { + "name": "linux:syslog", + "channel": "Sudo or root escalation followed by filesystem mount commands" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4101" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4105" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4106" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" + }, + { + "name": "auditd:PROCTITLE", + "channel": "process title records containing discovery command sequences and environmental assessment patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, New-InboxRule" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of chattr to set +i or +a attributes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of chflags hidden or setfile -a V" + }, + { + "name": "esxi:shell", + "channel": "mv, rename, or chmod commands moving VM files 
into hidden directories" + }, + { + "name": "esxi:hostd", + "channel": "execution + payload hints" + }, + { + "name": "linux:osquery", + "channel": "process_events.command_line" + }, + { + "name": "macos:unifiedlog", + "channel": "process:spawn, process:exec" + }, + { + "name": "esxi:vobd", + "channel": "shell session start" + }, + { + "name": "networkdevice:cli", + "channel": "shell command" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Office application warning or alert on macro execution from template" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" + }, + { + "name": "m365:office", + "channel": "Execution of unsigned macro from template" + }, + { + "name": "linux:cli", + "channel": "Terminal Command History" + }, + { + "name": "macos:unifiedlog", + "channel": "csrutil disable" + }, + { + "name": "macos:unifiedlog", + "channel": "log show --predicate 'process == '" + }, + { + "name": "networkdevice:syslog", + "channel": "Privilege-level command execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" + }, + { + "name": "saas:PRMetadata", + "channel": "Commit message or branch name contains encoded strings or payload indicators" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context" + }, + { + "name": "esxi:shell", + "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" + }, + { + "name": "AWS:CloudTrail", + "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances" + }, + { + "name": "esxi:vmkernel", + "channel": "Unexpected restarts of management agents or shell access" + }, + { + "name": "auditd:EXECVE", + "channel": "curl or wget with POST/PUT options" + }, + { + "name": 
"networkdevice:syslog", + "channel": "Detected CLI command to export key material" + }, + { + "name": "networkdevice:config", + "channel": "PKI export or certificate manipulation commands" + }, + { + "name": "macos:unifiedlog", + "channel": "command execution triggered by emond (e.g., shell, curl, python)" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli, vim-cmd invocation" + }, + { + "name": "esxi:shell", + "channel": "CLI session activity" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve=/sbin/shutdown or /sbin/reboot" + }, + { + "name": "esxi:shell", + "channel": "esxcli system shutdown or reboot invoked" + }, + { + "name": "networkdevice:syslog", + "channel": "reload command issued" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103, 4104" + }, + { + "name": "auditd:PROCTITLE", + "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" + }, + { + "name": "vpxd.log", + "channel": "VM inventory queries and configuration enumeration through vCenter API calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" + }, + { + "name": "macos:unifiedlog", + "channel": "Set or unset HIST* variables in shell environment" + }, + { + "name": "esxi:shell", + "channel": "unset HISTFILE or HISTFILESIZE modifications" + }, + { + "name": "networkdevice:cli", + "channel": "Commands like 'no logging' or equivalents that disable session history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults read -g AppleLocale or systemsetup -gettimezone" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands 
such as 'copy tftp flash', 'boot system ', 'reload'" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -T, rclone copy" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start/modify" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl load/unload or plist file modification" + }, + { + "name": "networkdevice:syslog", + "channel": "syslog facility LOCAL7 or trap messages" + }, + { + "name": "linux:cli", + "channel": "/home/*/.bash_history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" + }, + { + "name": "networkdevice:config", + "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" + }, + { + "name": "macos:unifiedlog", + "channel": "dscl . -create" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks" + }, + { + "name": "esxi:vpxd", + "channel": "vCenter Management" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "created": "2023-03-13T20:00:38.029Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0115", + "external_id": "DC0115" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Protected Configuration", + "description": "Device configuration options that are not typically utilized by benign applications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + 
"x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "created": "2023-03-13T19:59:42.141Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0113", + "external_id": "DC0113" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Network Communication", + "description": "Network requests made by an application or domains contacted", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0018", + "external_id": "DC0018" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:37.544Z", + "name": "Host Status", + "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. 
Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Sensor Health", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "interface_details " + }, + { + "name": "Windows:perfmon", + "channel": "Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)" + }, + { + "name": "macos:unifiedlog", + "channel": "Web service process (e.g., httpd) entering crash loop or consuming excessive CPU" + }, + { + "name": "AWS:CloudWatch", + "channel": "Sustained spike in CPU usage on EC2 instance with web service role" + }, + { + "name": "WinEventLog:System", + "channel": "System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations" + }, + { + "name": "linux:syslog", + "channel": "Out of memory killer invoked or kernel panic 
entries" + }, + { + "name": "macos:unifiedlog", + "channel": "Spike in CPU or memory use from non-user-initiated processes" + }, + { + "name": "AWS:CloudWatch", + "channel": "StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)" + }, + { + "name": "kubernetes:events", + "channel": "CrashLoopBackOff, OOMKilled, container restart count exceeds threshold" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=16" + }, + { + "name": "Windows:perfmon", + "channel": "High sustained CPU usage by a single process" + }, + { + "name": "linux:procfs", + "channel": "Sustained high /proc/[pid]/stat usage" + }, + { + "name": "CloudWatch:Metrics", + "channel": "Sustained EC2 CPU usage above normal baseline" + }, + { + "name": "prometheus:metrics", + "channel": "Container CPU/Memory usage exceeding threshold" + }, + { + "name": "linux:syslog", + "channel": "Service stop or disable messages for security tools not reflected in SIEM alerts" + }, + { + "name": "macos:unifiedlog", + "channel": "Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons" + }, + { + "name": "CloudWatch:InstanceMetrics", + "channel": "NetworkOut spike beyond baseline" + }, + { + "name": "WinEventLog:Microsoft-Windows-TCPIP", + "channel": "Connection queue overflow or failure to allocate TCP state object" + }, + { + "name": "NSM:Flow", + "channel": "TCP: possible SYN flood or backlog limit exceeded" + }, + { + "name": "macos:unifiedlog", + "channel": "network stack resource exhaustion, tcp_accept queue overflow, repeated resets" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1166, 7045" + }, + { + "name": "auditd:SYSCALL", + "channel": "firmware_update, kexec_load" + }, + { + "name": "journald:boot", + "channel": "Secure Boot failure, firmware version change" + }, + { + "name": "macos:unifiedlog", + "channel": "EFI firmware integrity check failed" + }, + { + "name": "macos:syslog", + "channel": "Hardware UUID or device list drift" + }, 
+ { + "name": "Windows:perfmon", + "channel": "Sudden spike in outbound throughput without corresponding inbound traffic" + }, + { + "name": "sar:network", + "channel": "Outbound network saturation with minimal process activity" + }, + { + "name": "AWS:CloudWatch", + "channel": "Sudden spike in network output without a corresponding inbound request ratio" + }, + { + "name": "Windows:perfmon", + "channel": "Sudden spikes in CPU/Memory usage linked to specific application processes" + }, + { + "name": "CloudMetrics:InstanceHealth", + "channel": "Autoscaling, memory/cpu alarms, or instance unhealthiness" + }, + { + "name": "macos:unifiedlog", + "channel": "System Integrity Protection (SIP) state reported as disabled" + }, + { + "name": "AWS:CloudWatch", + "channel": "Unusual CPU burst or metric anomalies" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1074" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=6006" + }, + { + "name": "linux:syslog", + "channel": "system is powering down" + }, + { + "name": "macos:unifiedlog", + "channel": "System shutdown or reboot requested" + }, + { + "name": "esxi:hostd", + "channel": "Powering off or restarting host" + }, + { + "name": "networkdevice:syslog", + "channel": "System reboot scheduled or performed" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0021", + "external_id": "DC0021" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:36.999Z", + "name": "OS API Execution", + "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). 
These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Base", + "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls" + }, + { + "name": 
"AWS:CloudTrail", + "channel": "GetMetadata, DescribeInstanceIdentity" + }, + { + "name": "macos:osquery", + "channel": "open, execve: Unexpected processes accessing or modifying critical files" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, ioctl" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API tracing / stack tracing via ETW or telemetry-based EDR" + }, + { + "name": "EDR:memory", + "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)" + }, + { + "name": "networkdevice:syslog", + "channel": "aaa privilege_exec" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "APCQueueOperations" + }, + { + "name": "macos:unifiedlog", + "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application" + }, + { + "name": "macos:unifiedlog", + "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting" + }, + { + "name": "etw:Microsoft-Windows-Directory-Services-SAM", + "channel": "api_call: Calls to DsAddSidHistory or related RPC operations" + }, + { + "name": "macos:unifiedlog", + "channel": "application logs referencing NSTimer, sleep, or launchd delays" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage" + }, + { + "name": "auditd:SYSCALL", + "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled" + }, + { + "name": "networkdevice:syslog", + "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance" + }, + { + "name": "etw:Microsoft-Windows-RPC", + "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes" + }, + { + "name": "NSM:Flow", + "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares" + }, + { + 
"name": "WinEventLog:Security", + "channel": "EventCode=4656" + }, + { + "name": "EDR:memory", + "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process" + }, + { + "name": "macos:unifiedlog", + "channel": "Access decisions to kTCCServiceCamera for unexpected binaries" + }, + { + "name": "EDR:memory", + "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes" + }, + { + "name": "auditd:SYSCALL", + "channel": "mmap, ptrace, process_vm_writev or direct memory ops" + }, + { + "name": "WinEventLog:Application", + "channel": "API call to AddMonitor invoked by non-installer process" + }, + { + "name": "etw:Microsoft-Windows-Win32k", + "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage" + }, + { + "name": "auditd:SYSCALL", + "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes" + }, + { + "name": "macos:unifiedlog", + "channel": "audio APIs" + }, + { + "name": "WinEventLog:Microsoft-Windows-COM/Operational", + "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.securityd, com.apple.tccd" + }, + { + "name": "auditd:SYSCALL", + "channel": "send, recv, write: Abnormal interception or alteration of transmitted data" + }, + { + "name": "macos:osquery", + "channel": "CALCULATE: Integrity validation of transmitted data via hash checks" + }, + { + "name": "ETW:Token", + "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API Calls" + }, + { + "name": "etw:Microsoft-Windows-DotNETRuntime", + "channel": "AssemblyLoad/ModuleLoad (Loader 
keyword) from Microsoft-Windows-DotNETRuntime" + }, + { + "name": "EDR:memory", + "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad" + }, + { + "name": "auditd:MMAP", + "channel": "memory region with RWX permissions allocated" + }, + { + "name": "snmp:trap", + "channel": "management queries" + }, + { + "name": "AWS:CloudTrail", + "channel": "Describe* or List* API calls" + }, + { + "name": "etw:Microsoft-Windows-Win32k", + "channel": "SendMessage, PostMessage, LVM_*" + }, + { + "name": "auditd:SYSCALL", + "channel": "sudo or pkexec invocation" + }, + { + "name": "macos:unifiedlog", + "channel": "authorization execute privilege requests" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "NtQueryInformationProcess" + }, + { + "name": "macos:unifiedlog", + "channel": "ptrace: Processes invoking ptrace with PTRACE_TRACEME flag" + }, + { + "name": "esxi:hostd", + "channel": "Remote access API calls and file uploads" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread" + }, + { + "name": "linux:syslog", + "channel": "Execution of modified binaries or abnormal library load sequences" + }, + { + "name": "macos:unifiedlog", + "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools" + }, + { + "name": "macos:unifiedlog", + "channel": "access or unlock attempt to keychain database" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)" + }, + { + "name": "auditd:SYSCALL", + "channel": "mount system call with bind or remap flags" + }, + { + "name": "AWS:CloudTrail", + "channel": "Decrypt" + }, + { + "name": "etw:Microsoft-Windows-Kernel-File", + "channel": "ZwSetEaFile or ZwQueryEaFile function calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "fork/clone/daemon 
syscall tracing" + }, + { + "name": "fs:fsusage", + "channel": "Detached process execution with no associated parent" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, mmap, mprotect, open, dlopen" + }, + { + "name": "ETW:ProcThread", + "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW" + }, + { + "name": "EDR:memory", + "channel": "MemoryWriteToExecutable" + }, + { + "name": "ETW:Token", + "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx" + }, + { + "name": "etw:Microsoft-Windows-Security-Auditing", + "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, mmap, process_vm_writev" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of dd or sed targeting /proc/*/mem" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx" + }, + { + "name": "ETW", + "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses" + }, + { + "name": "EDR:file", + "channel": "SetFileTime" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/datacomponents/DC0078", + "external_id": "DC0078" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:34.703Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "socket_events" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected flows between segmented networks or prohibited ports" + }, + { + "name": "snmp:config", + "channel": "Configuration change traps or policy enforcement failures" + }, + { + "name": "NSM:Flow", + "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to new registries/CDNs post-install/build" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to non-approved registries after dependency install" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets" + }, + { + "name": "NSM:Flow", + "channel": "large outbound data flows or long-duration connections" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "egress > 90th percentile or frequent connection reuse" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect" + }, + { + "name": "esxi:syslog", + "channel": "esxcli network vswitch or DNS resolver configuration updates" + }, + { + "name": "esxi:vobd", + "channel": "Network Events" + }, + { + "name": 
"iptables:LOG", + "channel": "TCP connections" + }, + { + "name": "NSM:Flow", + "channel": "connection metadata" + }, + { + "name": "wineventlog:dhcp", + "channel": "DHCP Lease Granted" + }, + { + "name": "NSM:Flow", + "channel": "LEASE_GRANTED" + }, + { + "name": "NSM:Flow", + "channel": "MAC not in allow-list acquiring IP (DHCP)" + }, + { + "name": "Windows Firewall Log", + "channel": "SMB over high port" + }, + { + "name": "NSM:Connections", + "channel": "Internal connection logging" + }, + { + "name": "NSM:Flow", + "channel": "pf firewall logs" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "NSM:Flow", + "channel": "Inter-segment traffic" + }, + { + "name": "NSM:Flow", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound traffic from browser binary to non-standard domains" + }, + { + "name": "NSM:Flow", + "channel": "Abnormal browser traffic volume or destination" + }, + { + "name": "NSM:Flow", + "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click" + }, + { + "name": "M365Defender:DeviceNetworkEvents", + "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly" + }, + { + "name": "PF:Logs", + "channel": "outbound flows with bytes_out >> bytes_in" + }, + { + "name": "NSX:FlowLogs", + "channel": "network_flow: bytes_out >> bytes_in to external" + }, + { + "name": "NSM:Flow", + "channel": "NetFlow/Zeek conn.log" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound data flows" + }, + { + "name": "NSM:Flow", + 
"channel": "Flow records with entropy signatures resembling symmetric encryption" + }, + { + "name": "NSM:Flow", + "channel": "flow records" + }, + { + "name": "networkdevice:syslog", + "channel": "flow records" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTPS POST to known webhook URLs" + }, + { + "name": "saas:api", + "channel": "Webhook registrations or repeated POST activity" + }, + { + "name": "NSM:Flow", + "channel": "Source/destination IP translation inconsistent with intended policy" + }, + { + "name": "SNMP:DeviceLogs", + "channel": "Unexpected NAT translation statistics or rule insertion events" + }, + { + "name": "NSM:Flow", + "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of inbound packets from single source across short time interval" + }, + { + "name": "NSM:Flow", + "channel": "port 5900 inbound" + }, + { + "name": "NSM:Flow", + "channel": "TCP port 5900 open" + }, + { + "name": "NSM:firewall", + "channel": "inbound connection to port 5900" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound connections to 139/445 to multiple destinations" + }, + { + "name": "VPCFlowLogs:All", + "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script" + }, + { + "name": "NSM:Flow", + "channel": "NetFlow/sFlow/PCAP" + }, + { + "name": "NSM:Flow", + "channel": "Outbound Network Flow" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.network" + }, + { + "name": "NSM:Flow", + "channel": "Device-to-Device Deployment Flows" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect syscalls" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound TCP/UDP traffic over unexpected port" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi service connections on unexpected ports" + }, + { + "name": "iptables:LOG", + "channel": "OUTBOUND" + }, + { + "name": "macos:unifiedlog", + 
"channel": "tcp/udp" + }, + { + "name": "esxi:hostd", + "channel": "CLI network calls" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic from suspicious new processes post-attachment execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious anomalies in transmitted data integrity during application network operations" + }, + { + "name": "esxi:syslog", + "channel": "DNS resolution events leading to outbound traffic on unexpected ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to mining pools or proxies" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound flow logs to known mining pools" + }, + { + "name": "container:cni", + "channel": "Outbound network traffic to mining proxies" + }, + { + "name": "esxi:vpxd", + "channel": "TLS session established by ESXi service to unapproved endpoint" + }, + { + "name": "NSM:Flow", + "channel": "Session records with TLS-like byte patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTPS POST requests to pastebin.com or similar" + }, + { + "name": "NetFlow:Flow", + "channel": "new outbound connections from exploited process tree" + }, + { + "name": "NSM:Connections", + "channel": "new connections from exploited lineage" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected route changes or duplicate gateway advertisements" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": "EventCode=2004,2005,2006" + }, + { + "name": "NSM:Flow", + "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success." + }, + { + "name": "macos:unifiedlog", + "channel": "Firewall/PF anchor load or rule change events." + }, + { + "name": "networkdevice:syslog", + "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes." 
+ }, + { + "name": "NSM:Flow", + "channel": "First-time egress to non-approved update hosts right after install/update" + }, + { + "name": "NSM:Flow", + "channel": "New outbound flows to non-approved vendor hosts post install" + }, + { + "name": "NSM:Flow", + "channel": "New/rare egress to non-approved update hosts after install" + }, + { + "name": "NSM:Flow", + "channel": "large outbound HTTPS uploads to repo domains" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS traffic to repository domains" + }, + { + "name": "NSM:Flow", + "channel": "alert log" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Outbound flow records" + }, + { + "name": "m365:defender", + "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch" + }, + { + "name": "PF:Logs", + "channel": "high out:in ratio or fixed-size periodic flows" + }, + { + "name": "NSM:Flow", + "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect or sendto system call with burst pattern" + }, + { + "name": "macos:unifiedlog", + "channel": "sudden burst in outgoing packets from same PID" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "source instance sends large volume of traffic in short window" + }, + { + "name": "NSM:Flow", + "channel": "session stats with bytes_out > bytes_in" + }, + { + "name": "NIDS:Flow", + "channel": "session stats with bytes_out > bytes_in" + }, + { + "name": "esxi:vpxa", + "channel": "connection attempts and data transmission logs" + }, + { + "name": "PF:Logs", + "channel": "External traffic to remote access services" + }, + { + "name": "NSM:Flow", + "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes" + }, + { + "name": "dns:query", + "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)" + }, + { + "name": "NSM:Flow", + "channel": "conn.log + ssl.log 
with Tor fingerprinting" + }, + { + "name": "macos:unifiedlog", + "channel": "forwarded encrypted traffic" + }, + { + "name": "NSM:Flow", + "channel": "Relayed session pathing (multi-hop)" + }, + { + "name": "NSM:Flow", + "channel": "Outbound TCP SYN or UDP to multiple ports/hosts" + }, + { + "name": "containerd:runtime", + "channel": "container-level outbound traffic events" + }, + { + "name": "WLANLogs:Association", + "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type" + }, + { + "name": "linux:osquery", + "channel": "socket_events" + }, + { + "name": "WinEventLog:Security", + "channel": "ARP cache modification attempts observed through event tracing or security baselines" + }, + { + "name": "NSM:Flow", + "channel": "Gratuitous ARP replies with mismatched IP-MAC binding" + }, + { + "name": "macos:unifiedlog", + "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or com.apple.network" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream 'eventMessage contains \"dns_request\"'" + }, + { + "name": "esxi:syslog", + "channel": "/var/log/syslog.log" + }, + { + "name": "AWS:CloudTrail", + "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget" + }, + { + "name": "networkdevice:syslog", + "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'" + }, + { + "name": "NSM:Flow", + "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound UDP spikes to external reflector IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large outbound UDP traffic to multiple public reflector IPs" + }, + { + "name": "macos:unifiedlog", + "channel": "High entropy domain queries with multiple NXDOMAINs" + }, + { + "name": "esxi:syslog", + "channel": "Frequent DNS queries with high entropy names 
or NXDOMAIN results" + }, + { + "name": "vpxd.log", + "channel": "API communication" + }, + { + "name": "NSM:Connections", + "channel": "Outbound Connection" + }, + { + "name": "NSM:Flow", + "channel": "Connection Tracking" + }, + { + "name": "NSM:Firewall", + "channel": "pf firewall logs" + }, + { + "name": "NSM:Flow", + "channel": "Flow Creation (NetFlow/sFlow)" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, icmp.log" + }, + { + "name": "NSM:Flow", + "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions" + }, + { + "name": "NSM:Flow", + "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers" + }, + { + "name": "NSM:Connections", + "channel": "Inbound on ports 5985/5986" + }, + { + "name": "linux:syslog", + "channel": "Multiple IP addresses assigned to the same domain in rapid sequence" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid domain-to-IP resolution changes for same domain" + }, + { + "name": "esxi:syslog", + "channel": "Frequent DNS resolution of same domain with rotating IPs" + }, + { + "name": "NSM:Flow", + "channel": "uncommon ports" + }, + { + "name": "NSM:Flow", + "channel": "alternate ports" + }, + { + "name": "esxi:vpxd", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "conn.log or flow data" + }, + { + "name": "esxi:vmkernel", + "channel": "egress log analysis" + }, + { + "name": "esxi:vmkernel", + "channel": "egress logs" + }, + { + "name": "NSM:Flow", + "channel": "High volume flows with incomplete TCP sessions or single-packet bursts" + }, + { + "name": "NSM:Flow", + "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port" + }, + { + "name": "macos:unifiedlog", + "channel": "Firewall rule enable/disable or listen socket changes" + }, + { + "name": "networkdevice:syslog", + "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads" + }, + { + "name": 
"auditd:SYSCALL", + "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)" + }, + { + "name": "macos:osquery", + "channel": "query: Historical list of associated SSIDs compared against baseline" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress from host after new install to unknown update endpoints" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to unknown registries/mirrors immediately after install" + }, + { + "name": "NSM:Flow", + "channel": "New egress from app just installed to unknown update endpoints" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi processes relaying traffic via SSH or unexpected ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connection to mining pool port (3333, 4444, 5555)" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to mining pool upon container launch" + }, + { + "name": "NSM:Flow", + "channel": "Flow records with RSA key exchange on unexpected port" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs" + }, + { + "name": "NSM:Flow", + "channel": "sustained outbound HTTPS sessions with high data volume" + }, + { + "name": "NSM:Flow", + "channel": "Connections from IDE hosts to marketplace/tunnel domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound connections from IDE processes to marketplace/tunnel domains" + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS outbound uploads" + }, + { + "name": "esxi:vmkernel", + "channel": "network flows to external cloud services" + }, + { + "name": "NSM:Flow", + "channel": "TCP port 22 traffic" + }, + { + "name": "esxi:vmkernel", + "channel": "port 22 access" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "created": "2023-03-13T20:00:08.487Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0114", + "external_id": "DC0114" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Permissions Requests", + "description": "Permissions declared in an application's manifest or property list file", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "created": "2023-03-13T20:47:52.557Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0117", + "external_id": "DC0117" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "System Notifications", + "description": "Notifications generated by the OS", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "created": "2023-03-13T20:47:24.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0116", + "external_id": "DC0116" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Permissions Request", + "description": "System prompts triggered when an application requests new or additional permissions", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0034", + "external_id": "DC0034" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:14:35.331Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.process" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads" + }, + 
{ + "name": "linux:syslog", + "channel": "sudo or service accounts invoking loaders with suspicious env vars" + }, + { + "name": "macos:osquery", + "channel": "Process Context" + }, + { + "name": "esxi:auth", + "channel": "user session" + }, + { + "name": "networkdevice:syslog", + "channel": "Admin activity" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call for sudo where euid != uid" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.TCC" + }, + { + "name": "macos:unifiedlog", + "channel": "exec of binary with setuid/setgid and EUID != UID" + }, + { + "name": "macos:unifiedlog", + "channel": "process" + }, + { + "name": "auditd:SYSCALL", + "channel": "Use of fork/exec with DISPLAY unset or redirected" + }, + { + "name": "EDR:Telemetry", + "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments" + }, + { + "name": "linux:osquery", + "channel": "Cross-reference argv[0] with actual executable path and parent process metadata" + }, + { + "name": "WinEventLog:AppLocker", + "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy" + }, + { + "name": "EDR:hunting", + "channel": "Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)" + }, + { + "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode", + "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads" + }, + { + "name": "etw:Microsoft-Windows-ClickOnce", + "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)" + }, + { + "name": 
"WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational", + "channel": "Process session start/stop events for camera pipeline by unexpected executables" + }, + { + "name": "linux:osquery", + "channel": "select: path LIKE '/dev/video%'" + }, + { + "name": "linux:osquery", + "channel": "state=attached/debugged" + }, + { + "name": "macos:unifiedlog", + "channel": "Code Execution & Entitlement Access" + }, + { + "name": "macos:unifiedlog", + "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID" + }, + { + "name": "macos:unifiedlog", + "channel": "code signature/memory protection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve with UID \u2260 EUID" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve with escalated privileges" + }, + { + "name": "AWS:CloudTrail", + "channel": "cross-account or unexpected assume role" + }, + { + "name": "macos:unifiedlog", + "channel": "log collect from launchd and process start" + }, + { + "name": "containerd:events", + "channel": "Docker or containerd image pulls and process executions" + }, + { + "name": "linux:syslog", + "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings" + }, + { + "name": "macos:unifiedlog", + "channel": "Modifications or writes to EFI system partition for downgraded bootloaders" + }, + { + "name": "macos:unifiedlog", + "channel": "non-shell process tree accessing bash history" + }, + { + "name": "linux:osquery", + "channel": "process metadata mismatch between /proc and runtime attributes" + }, + { + "name": "linux:osquery", + "channel": "process environment variables containing LD_PRELOAD" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=400,403" + }, + { + "name": "macos:osquery", + "channel": "Process Execution + Hash" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch" + }, + { + "name": 
"macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children" + }, + { + "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational", + "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads" + }, + { + "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational", + "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime" + } + ] + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0013", + "external_id": "DS0013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Sensor Health", + "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ] + }, + { + "type": "x-mitre-data-source", + "id": 
"x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "created": "2023-03-13T19:36:25.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0042", + "external_id": "DS0042" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "User Interface", + "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Device" + ] + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0017", + "external_id": "DS0017" + }, + { + "source_name": "Confluence Linux Command Line", + "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" + }, + { + "source_name": "Audit OSX", + "description": "Gagliardi, R. (n.d.). Audit in a OS X System. 
Retrieved September 23, 2021.", + "url": "https://www.scip.ch/en/?labs.20150108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network Devices", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ] + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": 
[ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ] + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "created": "2023-03-13T19:30:41.131Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0041", + "external_id": "DS0041" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Application Vetting", + "description": "Application vetting report generated by an external cloud service.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Report" + ] + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ] + }, { "modified": "2025-03-28T15:23:16.915Z", "name": "Operation Triangulation", 
@@ -15885,72 +30138,6 @@ "mobile-attack" ] }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:16:18.582Z", - "name": "Host Status", - "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", - "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.1", - 
"x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "created": "2023-03-13T19:59:14.491Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:21.246Z", - "name": "API Calls", - "description": "API calls utilized by an application that could indicate malicious activity", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:11:16.672Z", - "name": "Network Traffic Content", - "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. 
`echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" - }, { "modified": "2024-04-11T15:10:14.209Z", "name": "C0033", 
@@ -16001,48 +30188,6 @@ "enterprise-attack" ] }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "created": "2023-03-13T20:00:08.487Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:21.394Z", - "name": "Permissions Requests", - "description": "Permissions declared in an application's manifest or property list file", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "created": "2023-03-13T20:48:14.540Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:21.541Z", - "name": "System Settings", - "description": "Settings visible to the user on the device", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "intrusion-set", "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", 
@@ -16077,50 +30222,6 @@ "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "created": "2023-03-13T19:59:42.141Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:21.724Z", - "name": "Network Communication", - "description": "Network requests made by an application or domains contacted", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:11:20.168Z", - "name": "Network Traffic Flow", - "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. 
This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" - }, { "modified": "2024-11-17T14:15:51.850Z", "name": "Windshift", 
@@ -16173,61 +30274,6 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "created": "2023-03-13T20:47:24.038Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:21.873Z", - "name": "Permissions Request", - "description": "System prompts triggered when an application requests new or additional permissions", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:11:30.145Z", - "name": "Command Execution", - "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. 
Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. 
Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", - "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "modified": "2024-04-04T21:24:48.602Z", - "name": "Scattered Spider", - "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. 
Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)", - "aliases": [ - "Scattered Spider", - "Roasted 0ktapus", - "Octo Tempest", - "Storm-0875" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "2.0", "type": "intrusion-set", "id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "created": "2023-07-05T17:54:54.789Z", @@ -16243,6 +30289,10 @@ "source_name": "Roasted 0ktapus", "description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)" }, + { + "source_name": "UNC3944", + "description": "(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)" + }, { "source_name": "Octo Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" 
@@ -16266,6 +30316,16 @@ "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", "url": "https://www.crowdstrike.com/adversaries/scattered-spider/" }, + { + "source_name": "Mandiant VMware vSphere JUL 2025", + "description": "Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944" + }, + { + "source_name": "Mandiant UNC3944 May 2025", + "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" + }, { "source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", 
@@ -16285,35 +30345,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-24T02:30:51.936Z", + "name": "Scattered Spider", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. 
(Citation: Mandiant UNC3944 May 2025)", + "aliases": [ + "Scattered Spider", + "Roasted 0ktapus", + "Octo Tempest", + "Storm-0875", + "UNC3944" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:10:37.873Z", - "name": "Process Metadata", - "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + ] }, { "modified": "2024-11-17T20:01:55.806Z", 
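Review bot: The three paragraphs of the new Scattered Spider `description` are separated by a single `\n`, whereas other group descriptions in this bundle (Sandworm Team, for example) use `\n\n` between paragraphs. If consumers render the field as Markdown, which the `[Scattered Spider](https://attack.mitre.org/groups/G1015)` link syntax suggests, a single newline will probably fold the three paragraphs into one block. I would use `\n\n` at both breaks, i.e. `...October 2023)\n\n[Scattered Spider](...` and `...December 2022)\n\n[Scattered Spider](...`. The last paragraph also says `had expanded into hybrid cloud and identity environments`, where `has expanded` would match the tense of the rest of the text. The new text puts a space before each `(Citation: ...)` marker, which the previous version of this description did not, so it is worth confirming that citation extraction downstream treats both forms the same.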
@@ -16405,27 +30454,6 @@ "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "created": "2023-03-13T20:47:52.557Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:22.106Z", - "name": "System Notifications", - "description": "Notifications generated by the OS", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, { "modified": "2024-04-11T02:42:07.325Z", "name": "Dark Caracal", 
@@ -16466,6 +30494,171 @@ "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "modified": "2024-12-04T21:17:08.593Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM", + "Seashell Blizzard", + "FROZENBARENTS", + "APT44" + ], + "x_mitre_deprecated": false, + "x_mitre_version": 
"4.2", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Hakan KARABACAK" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "FROZENBARENTS", + "description": "(Citation: Leonard TAG 2023)" + }, + { + "source_name": "APT44", + "description": "(Citation: mandiant_apt44_unearthing_sandworm)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "Seashell Blizzard", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 
2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Leonard TAG 2023", + "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", + "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. 
Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html" + }, + { + "source_name": "mandiant_apt44_unearthing_sandworm", + "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024.", + "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "modified": "2025-03-10T20:15:06.958Z", "name": "APT28", 
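Review bot: The reference key `"source_name": "Secureworks IRON VIKING "` in the re-added Sandworm Team object ends with a trailing space, and the `IRON VIKING` alias entry cites it as `(Citation: Secureworks IRON VIKING )`. Citations are matched to references by this string, so the pair only resolves while both keep the stray space; a consumer that trims or normalises names when loading the bundle would presumably lose the link. Since the object is being written out again here, both could be normalised to `"source_name": "Secureworks IRON VIKING"` and `(Citation: Secureworks IRON VIKING)`. The same object is removed further down in a hunk that continues past the visible part of the diff, so this looks like a relocation with otherwise unchanged content.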
@@ -16804,41 +30997,6 @@ ] }, { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:10:27.797Z", - "name": "Process Creation", - "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. 
", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "modified": "2024-09-16T16:18:00.876Z", - "name": "Earth Lusca", - "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", - "aliases": [ - "Earth Lusca", - "TAG-22", - "Charcoal Typhoon", - "CHROMIUM", - "ControlX" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "2.0", "type": "intrusion-set", "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", "created": "2022-07-01T20:12:30.184Z", 
@@ -16890,12 +31048,24 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-06-06T14:55:18.144Z",
+ "name": "Earth Lusca",
+ "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)",
+ "aliases": [
+ "Earth Lusca",
+ "TAG-22",
+ "Charcoal Typhoon",
+ "CHROMIUM",
+ "ControlX"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "2.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_domains": [
 "enterprise-attack",
 "mobile-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 },
 {
 "type": "intrusion-set",
@@ -16959,7 +31129,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-22T21:56:33.318Z",
+ "modified": "2025-06-11T20:13:29.024Z",
 "name": "APT41",
 "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n",
 "aliases": [
@@ -16970,7 +31140,7 @@
 ],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "4.1",
+ "x_mitre_version": "4.2",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_contributors": [
 "Kyaw Pyiyt Htet, @KyawPyiytHtet",
@@ -16982,27 +31152,78 @@ ] }, { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "created": "2021-10-20T15:05:19.274Z", + "type": "intrusion-set", + "id": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410", + "created": "2024-06-14T18:17:18.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1033", + "external_id": "G1033" + }, + { + "source_name": "Callisto Group", + "description": "(Citation: CISA Star Blizzard Advisory December 2023)" + }, + { + "source_name": "TA446", + "description": "(Citation: CISA Star Blizzard Advisory December 2023)" + }, + { + "source_name": "COLDRIVER", + "description": "(Citation: Google TAG COLDRIVER January 2024)" + }, + { + "source_name": "SEABORGIUM", + "description": "(Citation: Microsoft Star Blizzard August 2022)" + }, + { + "source_name": "CISA Star Blizzard Advisory December 2023", + "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.", + "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a" + }, + { + "source_name": "Microsoft Star Blizzard August 2022", + "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM\u2019s ongoing phishing operations. Retrieved June 13, 2024.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/" + }, + { + "source_name": "StarBlizzard", + "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. 
Retrieved February 13, 2024.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" + }, + { + "source_name": "Google TAG COLDRIVER January 2024", + "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.", + "url": "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:23.639Z", - "name": "Network Connection Creation", - "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data 
exfiltration attempts.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "modified": "2025-10-22T22:12:56.172Z", + "name": "Star Blizzard", + "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n", + "aliases": [ + "Star Blizzard", + "SEABORGIUM", + "Callisto Group", + "TA446", + "COLDRIVER" + ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Aung Kyaw Min Naing, @Nolan" ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] }, { "type": "intrusion-set", 
@@ -17126,154 +31347,83 @@ "x_mitre_attack_spec_version": "3.2.0" }, { - "modified": "2024-03-29T14:59:30.164Z", - "name": "Application Assets", - "description": "Additional assets included with an application", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", - "created": "2024-03-29T14:59:30.164Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", - "created": "2023-03-13T20:00:38.029Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:22.260Z", - "name": "Protected Configuration", - "description": "Device configuration options that are not typically utilized by benign applications", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "modified": "2024-12-04T21:17:08.593Z", - "name": "Sandworm Team", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special 
Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", - "aliases": [ - "Sandworm Team", - "ELECTRUM", - "Telebots", - "IRON VIKING", - "BlackEnergy (Group)", - "Quedagh", - "Voodoo Bear", - "IRIDIUM", - "Seashell Blizzard", - "FROZENBARENTS", - "APT44" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "4.2", - "x_mitre_contributors": [ - "Dragos Threat Intelligence", - "Hakan KARABACAK" - ], "type": "intrusion-set", - "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "created": "2017-05-31T21:32:04.588Z", + "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
"external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0034", - "external_id": "G0034" + "url": "https://attack.mitre.org/groups/G0069", + "external_id": "G0069" }, { - "source_name": "Voodoo Bear", - "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + "source_name": "MERCURY", + "description": "(Citation: Anomali Static Kitten February 2021)" }, { - "source_name": "ELECTRUM", - "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + "source_name": "Static Kitten", + "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { - "source_name": "Sandworm Team", - "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + "source_name": "TEMP.Zagros", + "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { - "source_name": "Quedagh", - "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" - }, - { - "source_name": "FROZENBARENTS", - "description": "(Citation: Leonard TAG 2023)" - }, - { - "source_name": "APT44", - "description": "(Citation: mandiant_apt44_unearthing_sandworm)" - }, - { - "source_name": "IRIDIUM", - "description": "(Citation: Microsoft Prestige ransomware October 2022)" - }, - { - "source_name": "Seashell Blizzard", + "source_name": "Mango Sandstorm", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, { - "source_name": "BlackEnergy (Group)", - "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK 
NCSC Olympic Attacks October 2020)" + "source_name": "TA450", + "description": "(Citation: Proofpoint TA450 Phishing March 2024)" }, { - "source_name": "Telebots", - "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + "source_name": "Seedworm", + "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { - "source_name": "IRON VIKING", - "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + "source_name": "Earth Vetala", + "description": "(Citation: Trend Micro Muddy Water March 2021)" }, { - "source_name": "Leonard TAG 2023", - "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", - "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" + "source_name": "MuddyWater", + "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)" }, { - "source_name": "US District Court Indictment GRU Oct 2018", - "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", - "url": "https://www.justice.gov/opa/page/file/1098481/download" + "source_name": "ClearSky MuddyWater Nov 2018", + "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.", + "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" }, { - "source_name": "Dragos ELECTRUM", - "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. 
Retrieved June 10, 2020.", - "url": "https://www.dragos.com/resource/electrum/" + "source_name": "ClearSky MuddyWater June 2019", + "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", + "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" }, { - "source_name": "F-Secure BlackEnergy 2014", - "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", - "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + "source_name": "CYBERCOM Iranian Intel Cyber January 2022", + "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", + "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" }, { - "source_name": "iSIGHT Sandworm 2014", - "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", - "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" }, { - "source_name": "CrowdStrike VOODOO BEAR", - "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. 
Retrieved May 22, 2018.", - "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + "source_name": "Unit 42 MuddyWater Nov 2017", + "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" + }, + { + "source_name": "Talos MuddyWater Jan 2022", + "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", + "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" + }, + { + "source_name": "Anomali Static Kitten February 2021", + "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", + "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" }, { "source_name": "Microsoft Threat Actor Naming July 2023", 
@@ -17281,102 +31431,60 @@ "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, { - "source_name": "Microsoft Prestige ransomware October 2022", - "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", - "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + "source_name": "Proofpoint TA450 Phishing March 2024", + "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" }, { - "source_name": "InfoSecurity Sandworm Oct 2014", - "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", - "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" }, { - "source_name": "NCSC Sandworm Feb 2020", - "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", - "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + "source_name": "Reaqta MuddyWater November 2017", + "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. 
Retrieved May 18, 2020.", + "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" }, { - "source_name": "USDOJ Sandworm Feb 2020", - "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.", - "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html" + "source_name": "FireEye MuddyWater Mar 2018", + "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" }, { - "source_name": "mandiant_apt44_unearthing_sandworm", - "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", - "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" - }, - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download" - }, - { - "source_name": "Secureworks IRON VIKING ", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" - }, - { - "source_name": "UK NCSC Olympic Attacks October 2020", - "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020.", - "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + "source_name": "Symantec MuddyWater Dec 2018", + "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-22T19:08:44.552Z", + "name": "MuddyWater", + "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", + "aliases": [ + "MuddyWater", + "Earth Vetala", + "MERCURY", + "Static Kitten", + "Seedworm", + "TEMP.Zagros", + "Mango Sandstorm", + "TA450" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "6.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Ozer Sarilar, @ozersarilar, STM", + "Daniyal Naeem, BT Security", + "Marco Pedrinazzi, @pedrinazziM" + ], "x_mitre_domains": [ 
"enterprise-attack", - "ics-attack", "mobile-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:10:34.519Z", - "name": "Process Termination", - "description": "The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-data-component", - 
"id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:10:31.145Z", - "name": "OS API Execution", - "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. 
ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + ] }, { "type": "intrusion-set", 
@@ -17446,265 +31554,3420 @@ ] }, { - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", - "created": "2021-10-20T15:05:19.272Z", + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0013", - "external_id": "DS0013" + "url": "https://attack.mitre.org/detectionstrategies/DET0680", + "external_id": "DET0680" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T20:39:11.418Z", - "name": "Sensor Health", - "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Security Software Discovery", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ] - }, - { - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", - "created": "2023-03-13T19:30:41.131Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0041", - "external_id": "DS0041" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - 
"modified": "2025-04-16T21:22:20.420Z", - "name": "Application Vetting", - "description": "Application vetting report generated by an external cloud service.", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_collection_layers": [ - "Report" - ] - }, - { - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0029", - "external_id": "DS0029" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-18T15:11:13.424Z", - "name": "Network Traffic", - "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "IaaS", - "Linux", - "Windows", - "macOS", - "Android", - "iOS", - "ESXi" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "ExtraHop" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" - ] - }, - { - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", - "created": "2023-03-13T19:36:25.108Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0042", - "external_id": "DS0042" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:22:20.681Z", - "name": "User Interface", - "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2", + "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657", + "external_id": "DET0657" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Subvert Trust Controls", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_collection_layers": [ - "Device" - ] + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", + "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6" + ], + "x_mitre_deprecated": false }, { - "type": 
"x-mitre-data-source", - "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", - "created": "2021-10-20T15:05:19.273Z", + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0017", - "external_id": "DS0017" - }, - { - "source_name": "Confluence Linux Command Line", - "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", - "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" - }, - { - "source_name": "Audit OSX", - "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.", - "url": "https://www.scip.ch/en/?labs.20150108" + "url": "https://attack.mitre.org/detectionstrategies/DET0640", + "external_id": "DET0640" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:26.880Z", - "name": "Command", - "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Hide Artifacts", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Containers", - "Linux", - "Network Devices", - "Windows", - "macOS", - "Android", - "iOS", - "ESXi" - ], - "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" + "mobile-attack" ], - "x_mitre_version": "1.2", - 
"x_mitre_attack_spec_version": "3.2.0", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "Austin Clark, @c2defense" + "x_mitre_analytic_refs": [ + "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c" ], - "x_mitre_collection_layers": [ - "Container", - "Host" - ] + "x_mitre_deprecated": false }, { - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "created": "2021-10-20T15:05:19.272Z", + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0009", - "external_id": "DS0009" - }, - { - "source_name": "Microsoft Processes and Threads", - "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + "url": "https://attack.mitre.org/detectionstrategies/DET0684", + "external_id": "DET0684" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:10:24.655Z", - "name": "Process", - "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Phishing", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS", - "Android", - "iOS", - "ESXi" - ], - "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ - "ics-attack", - "mobile-attack", - "enterprise-attack" + "mobile-attack" ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec", + "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3" ], - "x_mitre_collection_layers": [ - "Host" - ] + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651", + "external_id": "DET0651" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Indicator Removal on Host", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", + "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6" 
+ ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665", + "external_id": "DET0665" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation for Privilege Escalation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", + "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0616", + "external_id": "DET0616" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Virtualization/Sandbox Evasion", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c", + "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d" + ], + "x_mitre_deprecated": false + }, + { + 
"type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0671", + "external_id": "DET0671" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data Destruction", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0689", + "external_id": "DET0689" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Runtime API Hijacking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0638", + "external_id": "DET0638" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of File Deletion", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0599", + "external_id": "DET0599" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SMS Control", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700", + "external_id": "DET0700" + } + 
], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Bidirectional Communication", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", + "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0652", + "external_id": "DET0652" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Application Versioning", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c", + "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0688", + "external_id": "DET0688" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Out of Band Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", + "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0617", + "external_id": "DET0617" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Dead Drop Resolver", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", + "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0675", + "external_id": "DET0675" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Detection of Location Tracking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644", + "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0629", + "external_id": "DET0629" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation for Client Execution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff", + "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0696", + "external_id": "DET0696" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Network Service 
Scanning", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f", + "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0660", + "external_id": "DET0660" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data Manipulation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0692", + "external_id": "DET0692" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Process Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba", + "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656", + "external_id": "DET0656" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Steal Application Access Token", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", + "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0669", + "external_id": "DET0669" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Domain Generation Algorithms", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + 
"x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0", + "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0630", + "external_id": "DET0630" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Device Administrator Permissions", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613", + "external_id": "DET0613" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Dynamic Resolution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + 
"x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", + "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0602", + "external_id": "DET0602" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Call Log", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a", + "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0682", + "external_id": "DET0682" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of File and Directory Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e", + 
"x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639", + "external_id": "DET0639" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Network Denial of Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", + "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0708", + "external_id": "DET0708" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Internet Connection Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", + "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d" + ], + 
"x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0648", + "external_id": "DET0648" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Geofencing", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", + "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663", + "external_id": "DET0663" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation of Remote Services", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", + "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", 
+ "id": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0604", + "external_id": "DET0604" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Hardware Supply Chain", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db", + "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655", + "external_id": "DET0655" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Command and Scripting Interpreter", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", + "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": 
"x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0633", + "external_id": "DET0633" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Credentials from Password Store", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0721", + "external_id": "DET0721" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Software Supply Chain", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c", + "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a", + "created": "2025-10-21T15:10:28.402Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712", + "external_id": "DET0712" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Client Software Binary", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", + "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716", + "external_id": "DET0716" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Linked Devices", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", + "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0653", + "external_id": "DET0653" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Execution Guardrails", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184", + "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0693", + "external_id": "DET0693" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Disable or Modify Tools", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0702", + 
"external_id": "DET0702" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote Device Management Services", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb", + "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0664", + "external_id": "DET0664" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Keychain", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0637", + "external_id": "DET0637" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Foreground Persistence", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0618", + "external_id": "DET0618" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Download New Code at Runtime", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f", + "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0691", + "external_id": "DET0691" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Replication Through Removable Media", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812", + "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600", + "external_id": "DET0600" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Software Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", + "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0611", + "external_id": "DET0611" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Access Notifications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0612", + "external_id": "DET0612" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Input Injection", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0606", + "external_id": "DET0606" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Virtualization Solution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + 
"x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0701", + "external_id": "DET0701" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over Unencrypted Non-C2 Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", + "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0703", + "external_id": "DET0703" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Call Control", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869" + ], + "x_mitre_deprecated": false + }, + { + "type": 
"x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0710", + "external_id": "DET0710" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Disguise Root/Jailbreak Indicators", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e", + "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0619", + "external_id": "DET0619" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Code Signing Policy Modification", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8", + "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": 
"x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0687", + "external_id": "DET0687" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Impair Defenses", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0714", + "external_id": "DET0714" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Suppress Application Icon", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0658", + "external_id": "DET0658" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SIM Card Swap", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f", + "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0706", + "external_id": "DET0706" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Non-Standard Port", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960", + "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0695", + "external_id": "DET0695" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Video Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", + "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0610", + "external_id": "DET0610" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of One-Way Communication", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b", + "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676", + "external_id": "DET0676" 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of GUI Input Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", + "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0635", + "external_id": "DET0635" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Accounts", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3", + "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0686", + "external_id": "DET0686" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SMS Messages", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd", + "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0628", + "external_id": "DET0628" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Supply Chain Compromise", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", + "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0598", + "external_id": "DET0598" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-10-21T15:10:28.402Z", + "name": "Detection of Prevent Application Removal", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698", + "external_id": "DET0698" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over Alternative Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", + "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0720", + "external_id": "DET0720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Obfuscated Files or Information", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", + "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0718", + "external_id": "DET0718" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Ingress Tool Transfer", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", + "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0654", + "external_id": "DET0654" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Boot or Logon Initialization Scripts", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c", + "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0709", + "external_id": "DET0709" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Wi-Fi Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91", + "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0685", + "external_id": "DET0685" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Application Layer Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": 
"1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6", + "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0694", + "external_id": "DET0694" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Hijack Execution Flow", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0668", + "external_id": "DET0668" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Screen Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + 
"x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622", + "external_id": "DET0622" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Ptrace System Calls", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", + "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0707", + "external_id": "DET0707" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Scheduled Task/Job", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061", + "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614" + ], + 
"x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0681", + "external_id": "DET0681" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Protected User Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", + "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0719", + "external_id": "DET0719" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Hooking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": 
"x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0666", + "external_id": "DET0666" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation for Initial Access", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11", + "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0631", + "external_id": "DET0631" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Proxy Through Victim", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f", + "created": "2025-10-21T15:10:28.402Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0650", + "external_id": "DET0650" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Symmetric Cryptography", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84", + "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0647", + "external_id": "DET0647" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Event Triggered Execution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0690", + "external_id": "DET0690" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Uninstall Malicious Application", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0715", + "external_id": "DET0715" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Masquerading", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07", + "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645", + "external_id": "DET0645" + } + ], + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Lockscreen Bypass", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", + "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0672", + "external_id": "DET0672" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Web Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728", + "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0699", + "external_id": "DET0699" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of User Evasion", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0621", + "external_id": "DET0621" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Stored Application Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", + "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0670", + "external_id": "DET0670" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Archive Collected Data", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466", + "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0713", + "external_id": "DET0713" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data from Local System", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a", + "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0636", + "external_id": "DET0636" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Network Connections Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0615", + "external_id": "DET0615" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over C2 Channel", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", + "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0609", + "external_id": "DET0609" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Match Legitimate Name or Location", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + 
"x_mitre_analytic_refs": [ + "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec", + "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673", + "external_id": "DET0673" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Audio Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", + "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0644", + "external_id": "DET0644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Software Packing", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", + 
"x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0625", + "external_id": "DET0625" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Checks", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee", + "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0627", + "external_id": "DET0627" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Endpoint Denial of Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3", + "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94" + ], + 
"x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0677", + "external_id": "DET0677" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Steganography", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667", + "external_id": "DET0667" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Asymmetric Cryptography", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", + "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": 
"x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0614", + "external_id": "DET0614" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Drive-By Compromise", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64", + "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0641", + "external_id": "DET0641" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Encrypted Channel", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", + "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4", + "created": 
"2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608", + "external_id": "DET0608" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Generate Traffic from Victim", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", + "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0642", + "external_id": "DET0642" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Abuse Elevation Control Mechanism", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0603", + "external_id": "DET0603" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Device Lockout", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0624", + "external_id": "DET0624" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote Access Software", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", + "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0662", + 
"external_id": "DET0662" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Impersonate SS7 Nodes", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a", + "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0620", + "external_id": "DET0620" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Web Protocols", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", + "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0697", + "external_id": "DET0697" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Abuse Accessibility Features", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0632", + "external_id": "DET0632" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Process Injection", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1", + "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0678", + "external_id": "DET0678" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of 
Data Encrypted for Impact", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704", + "external_id": "DET0704" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Software Dependencies and Development Tools", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", + "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0717", + "external_id": "DET0717" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Native API", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0646", + "external_id": "DET0646" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SSL Pinning", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae", + "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0649", + "external_id": "DET0649" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Application Executable", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + 
"x_mitre_analytic_refs": [ + "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0626", + "external_id": "DET0626" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of URI Hijacking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb", + "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0674", + "external_id": "DET0674" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Calendar Entries", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34", + "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813" + 
], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661", + "external_id": "DET0661" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Keylogging", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", + "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0705", + "external_id": "DET0705" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Input Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e", + "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": 
"x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0659", + "external_id": "DET0659" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Conceal Multimedia Files", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0601", + "external_id": "DET0601" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Information Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd", + "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee", + "created": "2025-10-21T15:10:28.402Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0623", + "external_id": "DET0623" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Adversary-in-the-Middle", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82", + "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607", + "external_id": "DET0607" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Unix Shell", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", + "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0711", + "external_id": "DET0711" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Broadcast Receivers", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4" + ], + "x_mitre_deprecated": false }, { "modified": "2024-04-19T19:35:15.637Z", 
@@ -17765,6 +35028,149 @@ "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0679", + "external_id": "DET0679" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Contact List", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2", + "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0683", + "external_id": "DET0683" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Transmitted Data Manipulation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16" + ], + "x_mitre_deprecated": 
false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0605", + "external_id": "DET0605" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Account Access Removal", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643", + "external_id": "DET0643" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Clipboard Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", + "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80", + 
"created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634", + "external_id": "DET0634" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Network Configuration Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", + "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211" + ], + "x_mitre_deprecated": false + }, { "type": "relationship", "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", 
@@ -17815,6 +35221,56 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--00711e74-0877-4829-afc0-dfbe63901b4f", + "created": "2025-08-29T22:09:45.617Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:09:45.617Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has executed when victims utilize their trusted banking apps, as the malware redirects the victim to using a malicious version of the banking app.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--00cac496-7350-4023-b29e-42c81e3c50bd", + "created": "2025-09-18T14:40:18.513Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. 
Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:18.513Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s call log.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", 
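Review bot: The `description` added for `relationship--00711e74-0877-4829-afc0-dfbe63901b4f` says GodFather "has executed when victims utilize their trusted banking apps", which leaves unclear what is executed and what triggers it. I would reword it so the trigger is explicit, e.g. `has executed when victims launch their trusted banking apps, at which point the malware redirects the victim to a malicious version of the banking app.` Both descriptions added in this hunk also end with a space before the closing quote (`…Jun2025) "`, `…Oct2022) "`), as do most later RatMilad, Chameleon and GodFather additions in this diff, while the RatMilad contact-list entry ends cleanly; trimming them avoids noise for consumers that compare or render the text. The citation string `Ortega, F. Pratapagiri, V.` is missing a separator between the two authors.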
@@ -17889,6 +35345,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9", + "created": "2025-10-08T20:21:12.056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:21:12.056Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the KeyguardManager API to evaluate the device\u2019s locking mechanism and the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", 
@@ -17921,8 +35402,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:38.112Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:56:32.839Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has removed artifacts of its presence and has the ability to uninstall itself.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", @@ -18028,6 +35509,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", 
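Review bot: The added `detects` relationship `relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870` carries `"description": ""` and no `revoked` key, so a consumer that renders relationship descriptions as detection guidance now gets an empty string. The data-component `detects` relationships deleted elsewhere in this diff (for example `relationship--0291c9d5-8977-420d-8374-b786e3095a73`) held that guidance as prose. It presumably now lives on the analytic objects reached through the detection strategy's `x_mitre_analytic_refs`, which are not visible in this part of the diff. I would either omit the empty `description` key or keep the object uniform with the `uses` entries by adding `"revoked": false,`, and document the new lookup path for downstream tooling. The same applies to the `detects` additions in the hunks at `@@ -18272,6 +35777,57 @@`, `@@ -19486,6 +37062,23 @@`, `@@ -20094,6 +37658,23 @@` and `@@ -20779,6 +38410,23 @@`.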
@@ -18070,24 +35568,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", - "created": "2023-03-20T18:49:53.204Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:39.649Z", - "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", 
@@ -18204,6 +35684,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--03239f6a-a314-4ee0-81fa-006a39209b63", + "created": "2025-09-18T14:41:15.687Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:41:15.687Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected account names and their types from the compromised device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", 
@@ -18272,6 +35777,57 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0384b954-06be-4b7d-924e-39416306a844", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--038bbc64-2ca7-4e63-afd5-e4484170f368", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", + "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--03d0892e-94af-492f-9535-79119aa95436", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883", + "target_ref": 
"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", @@ -18454,24 +36010,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", - "created": "2023-03-20T18:37:57.767Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:43.318Z", - "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", 
@@ -18521,6 +36059,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--052576f4-0b54-44be-840d-a9c8bb7cb980", + "created": "2025-09-18T14:43:22.943Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:43:22.944Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected package names.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", 
@@ -18572,18 +36135,25 @@ }, { "type": "relationship", - "id": "relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b", - "created": "2023-09-21T19:38:21.735Z", + "id": "relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3", + "created": "2025-06-25T15:36:12.680Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:44.375Z", - "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "modified": "2025-06-25T15:36:12.680Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has utilized foreground services by showing a notification to evade detection.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" 
@@ -18728,19 +36298,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:45.721Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:20:37.877Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to gather basic device information, such as version, model, root status, and country.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has checked the keyguard\u2019s status regarding how the device is locked (e.g. 
pattern, PIN or password).(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -18907,6 +36482,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--07ccc973-19fb-4926-953a-9ec205372683", + "created": "2025-07-07T21:49:15.656Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_chameleon_0423", + "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", + "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:23:10.053Z", + "description": "After accessibility permissions are granted, [Chameleon](https://attack.mitre.org/software/S1083) has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, disabling Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", 
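Review bot: The list in the added `description` ends `…preventing uninstallation, disabling Play Protect.` with no conjunction, so the sentence reads as if it were cut off; `…preventing uninstallation, and disabling Play Protect.` closes it. Both citations sit together at the end of the sentence, so the entry does not show which report supports which action. The biometric-to-PIN switch is presumably from the ThreatFabric report, given its title. Placing each `(Citation: …)` directly after the actions it supports would keep each claim traceable for analysts who build detections from this entry.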
@@ -18951,21 +36556,28 @@ }, { "type": "relationship", - "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f", - "created": "2023-03-20T15:55:32.395Z", + "id": "relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1", + "created": "2025-09-18T14:44:25.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:47.897Z", - "description": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "modified": "2025-09-18T14:44:25.729Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -19042,24 +36654,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", - "created": "2023-03-20T18:58:33.787Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:48.746Z", - "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", 
@@ -19355,24 +36949,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", - "created": "2023-03-16T18:32:47.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:51.523Z", - "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", 
@@ -19486,6 +37062,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0ac51c46-97a5-4893-a98d-2dfab8178768", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0ae94053-1963-45ba-a3a9-62e508281c8e", 
@@ -19536,6 +37129,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0b1c0282-8190-465a-9944-0874e3ee65f6", + "created": "2025-09-18T14:40:36.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:36.756Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s contact list.(Citation: ZimperiumGupta_RatMilad_Oct2022)", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", 
@@ -19586,24 +37204,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", - "created": "2023-03-20T15:28:54.837Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:53.668Z", - "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", 
@@ -19726,24 +37326,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad", - "created": "2023-03-20T18:55:03.385Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:54.960Z", - "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", 
@@ -20009,24 +37591,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b", - "created": "2023-03-20T18:41:56.287Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:57.583Z", - "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", @@ -20094,6 +37658,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", 
@@ -20400,6 +37981,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1016d630-94c2-4826-8612-cb1beac51512", + "created": "2025-09-18T14:44:08.887Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:44:08.887Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used HTTP POST requests for communicating with its C2 server.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--10560632-6449-4579-90eb-20fc46dcca08", 
@@ -20705,6 +38311,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--12006533-e26f-4168-9b1f-7fb3073a9938", + "created": "2025-09-18T14:41:37.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:41:37.428Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected clipboard content.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", 
@@ -20779,6 +38410,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", @@ -20871,24 +38519,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--12852406-87df-4892-a177-e15e81739000", - "created": "2023-03-20T18:50:14.139Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:05.058Z", - "description": "Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--12d14048-793c-456c-a2b8-d812de547ca7", 
@@ -21004,6 +38634,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1", + "created": "2025-08-29T21:57:41.933Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:57:41.933Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", 
@@ -21173,18 +38828,42 @@ }, { "type": "relationship", - "id": "relationship--13aba849-5004-4457-9f3b-49e470b589e0", - "created": "2023-03-20T18:43:44.617Z", + "id": "relationship--136edce9-2bf4-4255-8f84-b10cd9aef143", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:07.597Z", - "description": "Application vetting services could look for connections to unknown domains or IP addresses. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "source_ref": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1", + "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1", + "created": "2025-06-25T15:37:16.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:37:16.564Z", + "description": "After accessibility permissions are granted, [CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" @@ -21239,6 +38918,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--140bf67b-4650-44ab-a182-3abf6de1245d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", 
@@ -21354,6 +39050,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--146159d0-e1cb-4260-995b-d5daad26455a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", 
@@ -21398,21 +39111,20 @@ }, { "type": "relationship", - "id": "relationship--148703c5-6d07-439c-a4ff-d77119c70857", - "created": "2023-03-20T18:52:21.767Z", + "id": "relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:09.793Z", - "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "source_ref": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -21563,6 +39275,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052", 
@@ -21630,6 +39359,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4", + "created": "2025-10-22T21:31:22.546Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-22T21:31:22.546Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has captured victims' credentials through predefined fake activities.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1687c7a0-a453-4737-a10d-c57b94d5a458", 
@@ -21907,6 +39661,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--183edec4-71b8-4122-a81b-102256e5db13", + "created": "2025-06-16T17:28:01.768Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cyble_Anubis_May2021", + "description": "Cyble. (2021, May 2). Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus. Retrieved April 24, 2025.", + "url": "https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-16T17:28:01.768Z", + "description": "After accessibility service is granted, [Anubis](https://attack.mitre.org/software/S0422) lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps and other commands without the victim\u2019s knowledge.(Citation: Cyble_Anubis_May2021) ", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--185764e3-b559-4a65-818e-1cad4db6d105", 
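Review bot: The added Anubis description is ambiguous about who performs each action: in `lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps`, the phrase "disabling application removal" can be read as something the victim does or something the malware does, and the list mixes `-ing` forms with `executes`. The opening clause `After accessibility service is granted` also sits oddly before a lure to change the Accessibility settings, which reads like the step that grants the service; this should be checked against the cited Cyble report. Splitting the text into two sentences, one for the lure and one for what the malware does once the service is enabled, would make the mapping to the target technique easier to verify.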
@@ -22000,6 +39779,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", + "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", 
@@ -22025,6 +39821,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--18c212f3-8c21-427c-9654-ebffbf33fac7", + "created": "2025-06-25T15:37:37.043Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:37:37.043Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application has launched.(Citation: TrendMicro_CherryBlos_July2023)", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", 
@@ -22204,6 +40025,74 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1aa13495-1455-484a-9e9b-92b5d96be32c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1aa58b60-1a3d-4e97-918a-4553985488e8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f", + "target_ref": 
"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657", + "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", 
@@ -22222,24 +40111,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee", - "created": "2025-03-14T17:59:16.502Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:17.172Z", - "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", 
@@ -22325,19 +40196,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:18.039Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) ", + "modified": "2025-10-08T20:13:22.345Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered cookies and device logs.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -22363,6 +40239,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1c307192-0358-4c0c-920e-0fc2d3e86889", + "created": "2025-10-08T20:21:32.754Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:21:32.754Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", 
@@ -22489,39 +40390,28 @@ }, { "type": "relationship", - "id": "relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de", - "created": "2023-03-20T15:57:00.953Z", + "id": "relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd", + "created": "2025-10-08T20:14:00.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:19.593Z", - "description": "The user is prompted for approval when an application requests device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "modified": "2025-10-08T20:14:00.607Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to control calls.(Citation: ThreatFabric_Chameleon_Dec2023)", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b", - "created": "2023-08-07T22:15:34.550Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:19.816Z", - 
"description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -22634,6 +40524,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b", + "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", 
@@ -22733,6 +40640,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305", + "created": "2025-10-08T20:12:37.612Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:12:37.612Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", 
@@ -22832,24 +40764,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--1f8f0021-6992-476c-ba1c-232542dc1633", - "created": "2023-03-20T18:58:52.857Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:22.928Z", - "description": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", 
@@ -22882,21 +40796,20 @@ }, { "type": "relationship", - "id": "relationship--1fdf9c43-0237-461f-86d4-1da843078744", - "created": "2023-09-21T19:38:49.571Z", + "id": "relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:23.359Z", - "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "source_ref": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764", + "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -23133,6 +41046,21 @@ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ + { + "source_name": "CrowdStrike Scattered Spider JUL 2025", + "description": " Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.", + "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/" + }, + { + "source_name": "Check Point Scattered Spider JUL 2025", + "description": "Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.", + "url": "https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/" + }, + { + "source_name": "Mandiant UNC3944 May 2025", + "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" + }, { "source_name": "Mphasis SS_SIM_Swap Apr2024", "description": "Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.", 
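Review bot: The added `CrowdStrike Scattered Spider JUL 2025` reference has a leading space in its citation text, `"description": " Counter Adversary Operations. (2025, July 2). …"`, which will be carried verbatim into any rendered reference list or string comparison; the value should begin at `Counter`. The relationship object that owns this `external_references` array starts and ends outside this hunk, and its `description` change appears in the following hunk.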
@@ -23142,14 +41070,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:25.798Z", - "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024) ", + "modified": "2025-10-14T21:25:32.275Z", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -23310,6 +41238,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55", + "created": "2025-09-18T14:38:43.084Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:38:43.084Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", 
@@ -23488,6 +41441,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde", + "created": "2025-06-25T15:36:59.718Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:36:59.718Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has obtained a list of installed cryptocurrency wallet applications.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", 
@@ -23636,6 +41614,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--23f4525e-adc8-42bd-bcaa-0373442553aa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", @@ -23654,6 +41649,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", 
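Review bot: The added `detects` relationship sets `"description": ""` and leaves out the `"revoked": false` field that the added `uses` relationships in this diff carry, so the object shape now differs by relationship type. A consumer that displays the relationship description cannot tell an empty string from missing guidance, and hunks such as `@@ -24832,21 +42901,37 @@` and `@@ -26485,39 +44699,20 @@` show the earlier data-component `detects` entries carrying the detection text in that field. I would either omit the key (STIX allows a relationship without `description`) or keep it populated, and add `"revoked": false,` after `created_by_ref` for parity; the text presumably now lives on the referenced `x-mitre-detection-strategy` object, which is not visible in these hunks. The same pattern repeats in every added `detects` relationship dated `2025-10-21T15:10:28.402Z` in this diff.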
@@ -23773,6 +41785,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", @@ -23814,8 +41843,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:31.749Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:58:08.241Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has downloaded HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", 
@@ -24021,6 +42050,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--26a97b10-7344-4365-8169-c9ec735fda73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", @@ -24154,24 +42200,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--27490b14-8044-408a-8c6a-6d8427eb78ff", - "created": "2023-03-20T18:44:26.233Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:35.083Z", - "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9", 
@@ -24288,6 +42316,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--27cb4c94-c84a-4420-b213-442e4907d8e7", + "created": "2025-10-08T14:37:36.242Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:37:36.242Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s contact list.(Citation: Lookout_DCHSpy_July2025)", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", 
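Review bot: The citation text added in this hunk has a stray space before the full stop (`During Israel-Iran Conflict . Retrieved September 19, 2025.`), and the `url` slug reads `dchsy` where the title says DCHSpy. I would write `...During Israel-Iran Conflict. Retrieved September 19, 2025.` and confirm that the link resolves as published, since the slug may simply be the vendor's own spelling. The same `Lookout_DCHSpy_July2025` reference is repeated in hunk `@@ -25913,6 +44086,31 @@`, and the Zimperium citation in `@@ -26615,6 +44827,48 @@` lists its authors as `Ortega, F. Pratapagiri, V.` without the separating comma.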
@@ -24453,6 +42506,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9", + "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", @@ -24694,6 +42764,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", 
@@ -24787,24 +42874,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7", - "created": "2023-03-20T18:55:33.546Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:40.646Z", - "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22", 
@@ -24832,21 +42901,37 @@ }, { "type": "relationship", - "id": "relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9", - "created": "2023-03-20T18:51:07.547Z", + "id": "relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:41.067Z", - "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "source_ref": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69", + "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -24996,24 +43081,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07", - "created": "2023-03-20T18:54:25.458Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:42.533Z", - "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", @@ -25055,8 +43122,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:42.965Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:17.428Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed system checks to verify if the device is rooted or has ADB enabled; if found, [Chameleon](https://attack.mitre.org/software/S1083) will avoid execution.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", 
@@ -25114,6 +43181,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070", + "created": "2025-10-08T20:13:43.780Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:13:43.780Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used a SOCKS proxy.(Citation: ThreatFabric_Chameleon_Dec2023)", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", 
@@ -25381,6 +43473,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2eb063cd-c8cf-4651-b849-454a55daff76", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", + "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", 
@@ -25492,6 +43601,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c", + "created": "2025-08-29T21:59:48.642Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:59:48.642Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting for the accessibility service.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", 
@@ -25518,21 +43652,20 @@ }, { "type": "relationship", - "id": "relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7", - "created": "2023-03-15T16:26:04.949Z", + "id": "relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142", + "created": "2025-09-08T16:32:57.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:47.221Z", - "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "modified": "2025-09-08T16:32:57.240Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -25645,24 +43778,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa", - "created": "2023-08-07T17:12:44.013Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:48.434Z", - "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761", 
@@ -25699,6 +43814,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--30d02956-90ed-4556-bf04-8494a6ce5f04", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546", 
@@ -25803,24 +43952,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--322d0123-ea4c-4562-a718-672952c83d05", - "created": "2023-03-20T18:55:54.372Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:49.939Z", - "description": "Application vetting services could look for misuse of dynamic libraries.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", 
@@ -25839,6 +43970,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3237f5ff-b870-41a7-8448-6f6b387db61d", + "created": "2025-06-25T15:34:46.220Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:34:46.220Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has been distributed through the threat actors\u2019 Telegram group, fake TikTok and Twitter accounts, and YouTube videos.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, + { + "type": "relationship", + "id": "relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", + "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", @@ -25913,6 +44086,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--32a28692-0297-40b9-b853-4996cf5541ec", + "created": "2025-10-08T14:42:19.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:42:19.577Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured photos from the device by taking control of the camera.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", 
@@ -25961,6 +44159,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3364dd33-c012-4aaf-852b-86e63bd724ac", @@ -26174,6 +44389,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--34d5905b-486c-4ccc-969a-ef39905e9aff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--34dd5c26-eec9-4288-8e53-677271d490b2", 
@@ -26273,24 +44505,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3565140f-1570-494d-9d6f-91c9203ece69", - "created": "2023-03-20T18:52:29.821Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:54.977Z", - "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--35927c96-7645-4ef3-b3da-e44822386a10", @@ -26332,8 +44546,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:55.381Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:37.780Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", 
@@ -26485,39 +44699,20 @@ }, { "type": "relationship", - "id": "relationship--36c71b5d-e453-488c-ae63-8fb063924c27", - "created": "2023-08-10T21:57:51.879Z", + "id": "relationship--36874e30-f649-4e46-a4b9-195273b6df6e", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:56.853Z", - "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "source_ref": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--370bf74f-7499-4d66-9626-a61926af8f84", - "created": "2023-09-21T22:32:19.683Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:57.068Z", - "description": "Application vetting services may detect when an application requests permissions after an application update.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + 
"x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -26543,6 +44738,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3721782f-351b-430d-8667-df78ac3db541", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", 
@@ -26615,6 +44827,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--375ead49-d7ac-4664-bd46-a266764cddc8", + "created": "2025-08-29T22:10:52.147Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:10:52.147Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has leveraged WebSockets for C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--37a6f20d-e739-43df-97fb-c39ae93b2725", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f", + "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--37d14338-b629-4b54-b734-446789b79f6f", @@ -26640,6 +44894,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517", @@ -26656,8 +44927,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:58.369Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:58.825Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has communicated over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", 
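Review bot: The GodFather `description` added in the -26615 hunk ends with a stray space after the citation, `…for C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) "`, unlike the Chameleon description edited at -26656, which ends at the closing parenthesis. Consumers that compare or hash description text, or render it into reports, will carry the whitespace through, so the string should end at the closing parenthesis. The same trailing space appears in the added descriptions at -27036 (RatMilad), -27257 and -29573 (GodFather), -27682 (Scattered Spider) and -28520 (Chameleon).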
@@ -26955,24 +45226,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--393300c4-6852-466d-a163-1d51330fe055", - "created": "2023-03-20T18:45:39.292Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:01.130Z", - "description": "Mobile security products can potentially detect jailbroken devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a", 
@@ -27000,21 +45253,20 @@ }, { "type": "relationship", - "id": "relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2", - "created": "2023-03-20T19:00:26.780Z", + "id": "relationship--39953612-a6e4-456a-9f9c-860dc5fed10b", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:01.559Z", - "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "source_ref": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -27036,21 +45288,28 @@ }, { "type": "relationship", - "id": "relationship--3a18f41d-876c-403a-80cc-47ef57ae630d", - "created": "2023-09-25T19:53:56.034Z", + "id": "relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e", + "created": "2025-09-18T14:39:35.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:01.976Z", - "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "modified": "2025-09-18T14:39:35.445Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has exfiltrated collected data to the C2.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -27187,6 +45446,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a", + "created": "2025-09-17T14:58:52.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T14:58:52.937Z", + "description": "", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265", 
@@ -27257,21 +45534,28 @@ }, { "type": "relationship", - "id": "relationship--3b24a287-36e1-49b9-811d-c0080147ff57", - "created": "2023-03-20T18:41:47.754Z", + "id": "relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c", + "created": "2025-08-29T22:06:09.103Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:04.098Z", - "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "modified": "2025-08-29T22:06:09.103Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted API returns from banking apps that detect malicious services, and modifies the methods to return back an empty list hiding the presence of the malware and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + 
"x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -27303,24 +45587,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3be6ad82-722d-4699-8e3a-c1ea60018244", - "created": "2023-03-16T13:32:55.140Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:04.537Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", @@ -27543,8 +45809,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:06.482Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:00:11.758Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered device location data.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", 
@@ -27682,6 +45948,11 @@ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ + { + "source_name": "Mandiant UNC3944 May 2025", + "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations" + }, { "source_name": "MSTIC Octo Tempest Operations October 2023", "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.", @@ -27691,14 +45962,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:07.770Z", - "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)", + "modified": "2025-10-13T19:54:33.892Z", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Mandiant UNC3944 May 2025) ", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -27726,36 +45997,42 @@ }, { "type": "relationship", - "id": "relationship--3d65c2b7-c907-45e1-b942-95f7d765e749", - "created": "2023-03-20T18:53:34.056Z", + "id": "relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:08.196Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "source_ref": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089", + "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--3db58541-3870-424d-ad74-f2b84ff87abb", - "created": "2023-07-14T19:06:42.839Z", + "id": "relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff", + "created": "2025-05-19T18:26:02.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "GTIG_SignalAbuse_Feb2025", + "description": "Black, D. (2025, February 19). Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. 
Retrieved April 30, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:08.492Z", - "description": "Unexpected behavior from an application could be an indicator of masquerading.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "modified": "2025-05-19T18:29:46.270Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the linked devices feature to connect Signal accounts on devices captured on the battlefield to adversary-controlled infrastructure for follow-on exploitation.(Citation: GTIG_SignalAbuse_Feb2025)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" 
@@ -27919,6 +46196,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", @@ -28136,24 +46430,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd", - "created": "2023-03-20T18:43:03.117Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:12.147Z", - "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--3f81a680-3151-4608-b83f-550756632013", 
@@ -28267,8 +46543,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:13.215Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:00:29.252Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has sent stolen data over HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", @@ -28368,6 +46644,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151", 
@@ -28418,6 +46711,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27", @@ -28473,6 +46783,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", 
@@ -28520,19 +46847,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:15.528Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called \u2018CoinSpot\u2019, and IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ", + "modified": "2025-10-08T20:12:09.676Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as legitimate applications, such as a cryptocurrency application called \u2018CoinSpot,\u2019 the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -28651,6 +46983,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", @@ -28773,24 +47122,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a", - "created": "2023-03-20T18:53:35.012Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:17.932Z", - "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", 
@@ -28892,20 +47223,20 @@ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:19.024Z", + "modified": "2025-09-08T16:44:09.587Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -28957,24 +47288,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2", - "created": "2023-03-20T18:53:15.929Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:19.690Z", - "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", @@ -29042,6 +47355,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--45101937-578d-4782-8173-77d26e024763", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", 
@@ -29151,6 +47481,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--45cd8890-fd9c-4de8-966c-20b6157d4979", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", 
@@ -29293,6 +47657,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2", + "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", @@ -29439,24 +47820,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--4897ef75-0035-4ae5-b325-de2f6b27565f", - "created": "2023-09-21T22:31:28.428Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:24.429Z", - "description": "Application vetting services may look for indications that the application\u2019s update includes malicious code at runtime. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", 
@@ -29481,6 +47844,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--48c9d015-70bb-4142-8f02-c492b9a2d573", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee", 
@@ -29573,6 +47953,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--494d08df-ad69-49c4-890a-fb8dd3025491", + "created": "2025-08-29T21:59:13.102Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:59:13.102Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has hooked onto the `getEnabledAccessibilityServiceList` API to return an empty list of active services, which hides [GodFather](https://attack.mitre.org/software/S1231) and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--494ece43-ebba-4519-86be-cd5c4d4dd337", 
@@ -29643,8 +48048,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:26.280Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:00:48.643Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", 
@@ -29677,36 +48082,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57", - "created": "2023-03-20T18:43:49.345Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-AppLinks", - "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", - "url": "https://developer.android.com/training/app-links/index.html" - }, - { - "source_name": "IETF-OAuthNativeApps", - "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", - "url": "https://tools.ietf.org/html/rfc8252" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:26.704Z", - "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", 
@@ -29831,24 +48206,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d", - "created": "2023-03-16T18:28:40.419Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:27.979Z", - "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", 
@@ -30124,6 +48481,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4bfd9b27-243b-46f7-927a-babc76db65d2", + "created": "2025-06-16T17:27:19.466Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-16T17:27:19.466Z", + "description": "First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see [Application Versioning](https://attack.mitre.org/techniques/T1661)). ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--4c035760-9bf2-40cd-87d1-f286afd76376", 
@@ -30149,6 +48524,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9", + "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11", @@ -30249,24 +48641,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1", - "created": "2023-03-20T15:16:19.428Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:31.575Z", - "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", 
@@ -31436,24 +49810,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48", - "created": "2023-03-16T18:37:55.715Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:41.977Z", - "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", 
@@ -31472,6 +49828,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d", + "created": "2025-08-29T22:04:11.515Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:04:11.515Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `WRITE_EXTERNAL_STORAGE` permission to delete files in the device\u2019s external storage.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", 
@@ -31544,6 +49925,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--53044fc0-9bab-46c7-99a3-428ab1795505", + "created": "2025-08-29T22:01:51.078Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:01:51.078Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `Read_SMS` permission to access SMS messages.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", 
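Review bot: The added `description` names the permission as `Read_SMS`, but the Android manifest permission is spelled `READ_SMS` (`android.permission.READ_SMS`). Anyone who copies the backticked identifier into a manifest search or an app-vetting rule will get no match. Unless the cited report is being quoted verbatim, I would change the token to `READ_SMS`. The phrase "has requested for the" would also read better as "has requested the", here and in the `WRITE_EXTERNAL_STORAGE` description added in the preceding hunk.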
@@ -31658,21 +50064,62 @@ }, { "type": "relationship", - "id": "relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d", - "created": "2023-03-20T18:38:36.873Z", + "id": "relationship--536c84cc-6700-4eef-916f-2ddcc0518770", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:43.889Z", - "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "source_ref": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + 
"id": "relationship--53c19d17-7109-4394-9c38-7a7514cddd0a", + "created": "2025-10-08T14:40:59.584Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:59.584Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected location data.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -31919,6 +50366,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", @@ -31993,6 +50457,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", 
@@ -32036,24 +50517,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--56758bb5-230e-43ac-9851-167c296c3dfa", - "created": "2023-03-20T18:38:27.730Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:47.474Z", - "description": "During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--56816b86-3c80-429b-8360-7b4e77538c97", 
@@ -32257,24 +50720,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7", - "created": "2023-03-20T18:57:42.922Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:49.332Z", - "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--57881f4b-8463-430c-912a-0e3c961e7784", 
@@ -32325,24 +50770,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--57a5ae72-6932-45e6-83f2-609943902b35", - "created": "2023-03-20T18:50:33.248Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:49.967Z", - "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", @@ -32386,6 +50813,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--583720d0-8b15-4662-822e-bb40bc1df940", 
@@ -32411,6 +50855,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--58652c88-178b-4b96-bad6-c542c7948929", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", @@ -32485,24 +50946,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--592331d2-60a7-4264-b844-fbeb89b6386c", - "created": "2023-03-20T18:58:56.942Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:51.460Z", - "description": "The user can view the default SMS handler in system settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2", 
@@ -32597,21 +51040,28 @@ }, { "type": "relationship", - "id": "relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc", - "created": "2023-03-20T18:14:50.401Z", + "id": "relationship--59bd2521-3df2-49f1-afb7-ee78995740dc", + "created": "2025-09-18T14:42:55.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:52.520Z", - "description": "Mobile security products can use attestation to detect compromised devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "modified": "2025-09-18T14:42:55.159Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used a fake application to request permissions and to download itself.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -32830,24 +51280,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f", - "created": "2023-03-20T15:56:34.418Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:54.649Z", - "description": "Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", 
@@ -32965,24 +51397,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--5b04c8d0-c026-4838-9383-e4146de36d4d", - "created": "2023-03-16T18:33:19.941Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:55.869Z", - "description": "Application vetting services could detect usage of standard clipboard APIs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", @@ -33163,24 +51577,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9", - "created": "2023-08-23T22:50:55.591Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:57.599Z", - "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", 
@@ -33205,24 +51601,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf", - "created": "2023-03-20T15:46:49.646Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:58.017Z", - "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", 
@@ -33323,21 +51701,20 @@ }, { "type": "relationship", - "id": "relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f", - "created": "2023-03-20T18:43:14.051Z", + "id": "relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:59.093Z", - "description": "The user can see a list of applications that can use accessibility services in the device settings.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "source_ref": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b", + "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -33550,18 +51927,42 @@ }, { "type": "relationship", - "id": "relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2", - "created": "2023-03-20T18:59:57.364Z", + "id": "relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:01.259Z", - "description": "The user can examine the list of all installed applications in the device settings. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "source_ref": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5fadf570-afe5-44eb-9034-45905a28b8d8", + "created": "2025-05-19T18:26:28.765Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MSTI_StarBlizzard_Jan2025", + "description": "Microsoft Threat Intelligence. (2025, January 16). New Star Blizzard spear-phishing campaign targets WhatsApp accounts. 
Retrieved May 2, 2025.", + "url": "https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-05-19T18:28:36.712Z", + "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) has used the linked devices feature to connect WhatsApp accounts to adversary-controlled infrastructure and/or the WhatsApp Web portal for message exfiltration.(Citation: MSTI_StarBlizzard_Jan2025)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410", + "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" 
@@ -33596,42 +51997,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1", - "created": "2023-03-15T16:24:12.588Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:01.672Z", - "description": "Application vetting services can detect when an application requests administrator permission.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24", - "created": "2023-03-15T16:40:37.553Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:01.873Z", - "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--60439118-3ceb-490b-9df5-e35e7fca9009", 
@@ -33764,21 +52129,20 @@ }, { "type": "relationship", - "id": "relationship--609ec9f8-f702-444b-b837-72a0880d429b", - "created": "2023-09-22T19:17:01.704Z", + "id": "relationship--60954386-50d8-413b-b673-c305f99be0e3", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:03.127Z", - "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "source_ref": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -33879,6 +52243,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--60eb0917-7f98-46c5-a677-3234a21dc00a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", 
@@ -34002,6 +52383,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25", + "created": "2025-08-29T22:03:08.447Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:03:08.447Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `RECORD_AUDIO` permission to record audio with the microphone.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", 
@@ -34045,24 +52451,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213", - "created": "2023-03-20T15:32:36.972Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:05.752Z", - "description": "Application vetting services can detect malicious code in applications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", @@ -34139,8 +52527,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:06.578Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:01:01.200Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has read the name of application packages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", 
@@ -34247,33 +52635,28 @@ }, { "type": "relationship", - "id": "relationship--64489abc-5c2f-4620-833d-9ac010040955", - "created": "2023-08-14T16:19:54.684Z", + "id": "relationship--642ae344-57b0-4fb4-aa40-43112b484bbc", + "created": "2025-08-29T22:02:12.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "unit42_strat_aged_domain_det", - "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", - "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" - }, - { - "source_name": "Data Driven Security DGA", - "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", - "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:07.649Z", - "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "modified": "2025-08-29T22:02:12.326Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s contact list.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -34300,6 +52683,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9", + "created": "2025-06-25T15:37:54.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:37:54.563Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", 
@@ -34437,8 +52845,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:09.125Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:01:17.043Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", 
@@ -34506,19 +52914,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:09.807Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:22:17.600Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has launched overlay attacks through the \u201cInjection\u201d activity.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -34637,6 +53050,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--66be8672-6075-4309-b287-c9b81249f610", + "created": "2025-08-29T22:11:23.343Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:11:23.343Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has exfiltrated sensitive information over C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", 
@@ -34661,24 +53104,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--66fb8a34-9d48-4599-a56e-19b057380030", - "created": "2023-03-20T18:46:08.304Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:11.315Z", - "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6701f90c-6fce-4f7b-a785-a585601d366a", 
@@ -34803,24 +53228,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--681161b2-4e30-4d49-8524-6cc0d94585cb", - "created": "2023-03-16T13:33:26.925Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:12.572Z", - "description": "Many properly configured firewalls may naturally block bidirectional command and control traffic.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c", @@ -34839,6 +53246,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--68267f97-b22e-4cd5-a417-0771a1741a32", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", 
@@ -35307,31 +53731,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e", - "created": "2023-03-16T18:26:45.940Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-VerifiedBoot", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", - "url": "https://source.android.com/security/verifiedboot/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:16.980Z", - "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", 
@@ -35465,6 +53864,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e", @@ -35607,6 +54023,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6b7783d9-415c-4134-b984-b7dac929c59d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", + "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", 
@@ -35767,24 +54200,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd", - "created": "2023-08-07T22:48:30.275Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:21.032Z", - "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", @@ -35857,6 +54272,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", 
@@ -35994,24 +54426,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108", - "created": "2023-03-20T18:57:17.059Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:22.920Z", - "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6dada572-9e79-4835-9f8c-fcb6a94947af", 
@@ -36161,24 +54575,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a", - "created": "2023-03-20T18:44:36.073Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:24.260Z", - "description": "The user can view and manage installed third-party keyboards.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3", 
@@ -36277,6 +54673,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d", + "created": "2025-08-29T22:01:00.191Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:01:00.191Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling itself.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", @@ -36376,6 +54814,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--70215e99-74e2-4a6a-999a-76507c20a82d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", 
@@ -36785,6 +55240,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--72bb936a-a255-4823-9675-b39c7e19873c", + "created": "2025-08-29T21:58:46.849Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:58:46.849Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information, such as credentials.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--732ca9b5-961d-4734-9f8d-339078457457", 
@@ -36859,31 +55339,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--73d22490-4043-42d7-ad25-74e4a642bf6a", - "created": "2023-03-20T18:41:45.186Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CSRIC5-WG10-FinalReport", - "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", - "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:30.417Z", - "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", 
@@ -36927,24 +55382,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--74080f4f-1de2-464f-8ec1-0635fc142273", - "created": "2023-08-08T16:23:41.141Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:31.040Z", - "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", 
@@ -36994,42 +55431,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed", - "created": "2023-03-20T18:58:56.347Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:31.664Z", - "description": "Application vetting services can detect unnecessary and potentially abused location permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba", - "created": "2023-09-22T19:15:56.498Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:31.870Z", - "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", 
@@ -37097,36 +55498,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6", - "created": "2023-03-16T13:31:29.822Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android Privacy Indicators", - "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", - "url": "https://source.android.com/devices/tech/config/privacy-indicators" - }, - { - "source_name": "iOS Mic Spyware", - "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", - "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:32.694Z", - "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", 
@@ -37236,19 +55607,24 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:33.722Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-10-08T20:23:56.915Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has logged keystrokes of an infected device.(Citation: cyble_chameleon_0423) Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has stolen PINs, passwords and graphical keys through keylogging functionalities.(Citation: ThreatFabric_Chameleon_Dec2023) ",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 },
 {
 "type": "relationship",
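Review bot: The rewritten `description` drops the mechanism the previous text recorded, namely that the keystrokes and lock screen password were gathered "by abusing Accessibility Services". That detail is what a defender acts on, whether reviewing which apps hold the accessibility permission or restricting it by policy, and the first sentence still cites the same source (`cyble_chameleon_0423`). I would keep it: `has logged keystrokes of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)`. The relationship object starts above this hunk, so its `id` is not visible here.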
@@ -37349,24 +55725,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce", - "created": "2023-09-22T19:16:35.609Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:34.789Z", - "description": "The user is prompted for approval when an application requests device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", 
@@ -37409,6 +55767,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--76abec4d-469b-4f99-8c8d-625adca37702",
+ "created": "2025-10-08T14:41:20.204Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:41:20.204Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured audio from the device by taking control of the microphone.(Citation: Lookout_DCHSpy_July2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540",
@@ -37461,21 +55844,21 @@
 },
 {
 "type": "relationship",
- "id": "relationship--7793a066-d72b-4a60-9579-e16369ea7185",
- "created": "2023-03-20T18:57:55.221Z",
+ "id": "relationship--77740738-9796-4991-8898-dc2ba10c9c25",
+ "created": "2025-09-17T15:30:01.512Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:35.870Z",
- "description": "The user can view a list of apps with accessibility service privileges in the device settings.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
- "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e",
+ "modified": "2025-09-17T15:30:01.513Z",
+ "description": "OS feature updates often enhance security and privacy around permissions. ",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
+ "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 },
 {
 "type": "relationship",
@@ -37906,6 +56289,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--7a06bcec-4d1a-4b50-89f8-36f145512050",
+ "created": "2025-10-08T20:12:59.696Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:12:59.696Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has captured the device\u2019s screen.(Citation: ThreatFabric_Chameleon_Dec2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e",
@@ -38003,6 +56411,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7ae22228-126b-4661-b378-6cdc0b90f35d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc", + "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", @@ -38236,6 +56661,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e", 
@@ -38410,6 +56852,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562", @@ -38503,24 +56962,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62", - "created": "2023-03-20T18:57:14.194Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:45.216Z", - "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", 
@@ -38613,24 +57054,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--7e8956e3-7d90-412d-a82f-d61e43239923", - "created": "2023-03-20T18:44:01.387Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:46.272Z", - "description": "Application vetting services may indicate precisely what content was requested during application execution.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", @@ -38925,6 +57348,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d", 
@@ -38955,6 +57395,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--8128aebb-c665-4939-9615-aee9125b6373",
+ "created": "2025-08-29T22:05:18.786Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-08T14:31:22.774Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted and recorded sensitive information from the application to include user credentials. [GodFather](https://attack.mitre.org/software/S1231) has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials which are captured.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--81722aad-f503-4a74-91d5-1843adf8a995",
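Review bot: The second sentence of the new `description` describes a deceptive overlay that collects device lock credentials, yet the relationship targets `attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47`, the same technique the Chameleon relationship in the hunk at -37236 uses for keystroke logging. If that target is the keylogging sub-technique, the overlay behaviour is mapped under the wrong technique, and coverage reports built from `target_ref` would not reflect it. I would confirm against the cited Zimperium report and, if the overlay is a separate capability, give it its own `uses` relationship against the overlay/GUI input capture technique, keeping only the first sentence here.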
@@ -38966,19 +57431,49 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:49.378Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:17:26.651Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has prevented application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--817d1e5f-5795-4189-81dc-bf90476e7adc", + "created": "2025-10-22T21:26:05.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-22T21:26:05.954Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the \"Allow\" button when a system dialogue appears.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -39069,24 +57564,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416", - "created": "2023-03-20T18:52:56.247Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:50.263Z", - "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", 
@@ -39161,24 +57638,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--8244700e-6f96-463a-a9c3-810c489a2c60", - "created": "2023-03-20T15:20:24.554Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:51.107Z", - "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", 
@@ -39289,31 +57748,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--82b58c75-239e-4dac-b848-bc1f3354adc4", - "created": "2023-03-20T18:41:18.288Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Samsung Knox Mobile Threat Defense", - "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", - "url": "https://partner.samsungknox.com/mtd" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:52.408Z", - "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--82e93a9e-6968-497f-8043-a08d0f35bd32", 
@@ -40075,24 +58509,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--886849fc-f83c-4d69-b700-bfad0def765d", - "created": "2023-03-16T18:32:30.054Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:59.268Z", - "description": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", 
@@ -40268,24 +58684,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d", - "created": "2023-03-20T15:55:09.279Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:01.137Z", - "description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05", 
@@ -40553,21 +58951,28 @@
 },
 {
 "type": "relationship",
- "id": "relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090",
- "created": "2023-03-20T18:58:30.773Z",
+ "id": "relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b",
+ "created": "2025-09-18T14:41:56.525Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:03.724Z",
- "description": "On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
- "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780",
+ "modified": "2025-09-18T14:41:56.525Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected the device\u2019s last known location.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 },
 {
 "type": "relationship",
@@ -40649,24 +59054,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--8c034c66-18ad-4b30-9f17-ed574c10918f", - "created": "2023-03-20T18:56:20.203Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:04.534Z", - "description": "The user can view permissions granted to an application in device settings. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91", @@ -40717,6 +59104,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8c656539-aa1e-42db-9016-d38f1daaae16", 
@@ -40742,24 +59146,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--8c7598a6-6046-491d-99a7-52c31974a9a9",
- "created": "2023-03-20T18:57:40.504Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:05.426Z",
- "description": "Application vetting services could look for misuse of dynamic libraries.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e",
@@ -40933,24 +59319,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--8dc4b237-e466-4a3d-9d28-896f1389996d",
- "created": "2025-02-12T15:22:36.181Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:07.134Z",
- "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
- "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b",
@@ -41092,6 +59460,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985",
+ "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8",
@@ -41171,6 +59556,24 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7",
+ "created": "2025-05-19T18:25:30.412Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-05-19T18:25:30.412Z",
+ "description": "For Android devices, users should be advised to enable Google Play Protect, which checks the device itself and the applications for malicious behavior. For iOS devices, users who are concerned about being targeted should consider enabling Lockdown Mode, which provides extreme protection of the device as well as data stored and transmitted. \nIn general, users should be advised against scanning QR codes and/or clicking on suspicious links or text messages, which may masquerade as device-linking instructions by Signal or WhatsApp.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
+ "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68",
@@ -41345,6 +59748,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--904221c2-2486-4e0b-905f-5327ee299097",
+ "created": "2025-09-18T14:39:57.218Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:39:57.218Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as model, brand, buildId, Android version and manufacturer.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a",
@@ -41499,6 +59927,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--918b985b-8731-4fc6-a505-4e070e7fca3b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3",
+ "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--919a13bc-74be-4660-af63-454abee92635",
@@ -41523,31 +59968,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--91a4924f-2519-4662-91f2-b7ef715a459f",
- "created": "2023-03-20T18:59:55.756Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Samsung Knox Mobile Threat Defense",
- "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.",
- "url": "https://partner.samsungknox.com/mtd"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:12.427Z",
- "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd",
@@ -41622,6 +60042,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5",
+ "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e",
@@ -41738,6 +60175,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--930c3a54-e728-41e8-8f5b-6dd3408de343",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a",
+ "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0",
@@ -42064,6 +60518,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--947abdad-2978-420e-abb5-8c8cf30fb291",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3",
+ "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f",
@@ -42174,6 +60645,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd",
+ "created": "2025-10-08T14:38:02.412Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:38:02.412Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: Lookout_DCHSpy_July2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--95725b00-f40e-4a3a-af2a-92156595cd37",
@@ -42423,24 +60919,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--97408547-bacd-4308-a8be-556e9ff04951",
- "created": "2023-03-20T18:55:23.628Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:20.364Z",
- "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60",
@@ -42465,6 +60943,31 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--974e07a2-1156-451e-b4f6-f9e77352fece",
+ "created": "2025-10-08T14:42:56.875Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:42:56.875Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has uploaded collected data to a Secure File Transfer Protocol (SFTP) server.(Citation: Lookout_DCHSpy_July2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7",
@@ -42489,6 +60992,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f",
+ "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--980430c1-6173-440e-b75e-c1cdb4c41560",
@@ -42594,6 +61114,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb",
+ "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--98360714-5239-442f-9619-d562b4b7ce76",
@@ -42800,21 +61337,20 @@
 },
 {
 "type": "relationship",
- "id": "relationship--98fb2884-c912-42ff-9c87-4fbabfa70115",
- "created": "2023-08-08T16:14:01.661Z",
+ "id": "relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:23.460Z",
- "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
+ "source_ref": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070",
+ "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 },
 {
 "type": "relationship",
@@ -42890,6 +61426,23 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203",
+ "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ },
 {
 "type": "relationship",
 "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f",
@@ -43015,24 +61568,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--9b56528f-cf04-4d81-80ee-7bacb862383a",
- "created": "2023-03-20T18:57:33.693Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:25.266Z",
- "description": "Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78",
@@ -43058,24 +61593,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--9b8b51fb-c380-4516-b109-821f015506d4",
- "created": "2023-03-20T15:40:26.994Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:25.682Z",
- "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--9bbfa759-5555-4048-a79d-fed27a1efd93",
@@ -43101,24 +61618,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d",
- "created": "2025-03-14T17:58:40.269Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:26.080Z",
- "description": "Application vetting services can look for applications that request permissions to Accessibility services or application overlay. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d",
@@ -43278,42 +61777,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2", - "created": "2023-03-20T18:50:32.580Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:27.672Z", - "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e", - "created": "2023-03-20T18:52:52.011Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:27.872Z", - "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", @@ -43363,24 +61826,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7", - "created": "2023-03-20T18:48:56.995Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:28.468Z", - "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", 
@@ -43528,21 +61973,70 @@ }, { "type": "relationship", - "id": "relationship--9e95ef68-0650-49eb-888f-47c211481be9", - "created": "2023-03-20T18:51:40.217Z", + "id": "relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:29.844Z", - "description": "Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "source_ref": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192", + "created": "2025-08-29T22:02:34.795Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. 
Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:02:34.795Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s current cellular network information, including the phone number and the serial number.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6", + "created": "2025-08-29T22:10:06.592Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:10:06.592Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has utilized a timer to initiate a WebSocket connection.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -43619,6 +62113,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5", 
@@ -43644,24 +62155,6 @@
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.2.0"
 },
- {
- "type": "relationship",
- "id": "relationship--9fdc5fee-2250-4894-8333-466910023533",
- "created": "2024-02-20T23:42:43.674Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:30.862Z",
- "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- },
 {
 "type": "relationship",
 "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f",
@@ -43921,14 +62414,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:33.059Z",
+ "modified": "2025-09-05T14:31:01.650Z",
 "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)",
 "relationship_type": "uses",
 "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807",
- "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 },
 {
 "type": "relationship",
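Review bot: In the second hunk, `target_ref` moves from `attack-pattern--11c2c2b7-…` to `attack-pattern--1d1b1558-…` while `description` ("can exfiltrate the call log") and, as far as the hunk shows, the relationship's identity stay unchanged; the object's `id` and `created` lines sit above the hunk. Coverage maps and detection backlogs keyed on relationship id would silently move SpyC23 from one technique to the other, so the remap should be listed in the release notes, and consumers should re-index on `modified` rather than on id alone. If the project treats a changed `target_ref` as a material change, a new relationship id with the old object set to `"revoked": true` would make the move explicit.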
@@ -44004,6 +62497,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a1beac5f-7582-46b6-8e20-7d42797cc632", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", 
@@ -44278,36 +62788,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a", - "created": "2023-03-20T18:53:52.174Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-AppLinks", - "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", - "url": "https://developer.android.com/training/app-links/index.html" - }, - { - "source_name": "IETF-OAuthNativeApps", - "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", - "url": "https://tools.ietf.org/html/rfc8252" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:36.174Z", - "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", 
@@ -44439,6 +62919,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5", + "created": "2025-09-18T14:40:56.210Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:56.210Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: ZimperiumGupta_RatMilad_Oct2022)", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", 
@@ -44759,6 +63264,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a", 
@@ -44834,42 +63356,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e", - "created": "2023-12-05T22:15:36.939Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:40.639Z", - "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--a5b37f26-7629-4195-9536-12e349e5843b", - "created": "2023-03-20T18:51:04.334Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:40.830Z", - "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", @@ -44919,24 +63405,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b", - "created": "2023-03-20T18:59:46.622Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:41.425Z", - "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--a609b20b-6955-4c59-84d4-a3496d95fba1", 
@@ -45134,24 +63602,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360", - "created": "2023-08-08T22:50:32.635Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:43.270Z", - "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", @@ -45177,6 +63627,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", 
@@ -45572,6 +64039,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", @@ -45849,24 +64333,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ab18ee61-f94a-411c-9893-941714ce713e", - "created": "2023-03-20T18:44:26.642Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:49.152Z", - "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", 
@@ -45953,24 +64419,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783", - "created": "2023-03-20T18:55:51.580Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:50.159Z", - "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", @@ -46005,8 +64453,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:50.570Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:04:27.524Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to download new code at runtime.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", 
@@ -46059,6 +64507,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf", + "created": "2025-10-08T14:40:37.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:37.217Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", 
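Review bot: The added `description` for `relationship--ad1cd55e-…` ends with a space after the closing citation (`…(Citation: Lookout_DCHSpy_July2025) "`), and its reference text has a stray space before the period in `Israel-Iran Conflict . Retrieved`. That whitespace is carried into whatever renders or compares these strings, so I would trim it to `…(Citation: Lookout_DCHSpy_July2025)"` and `Israel-Iran Conflict. Retrieved`. The same trailing space appears in the added descriptions of `relationship--b0d88891`, `b14a1e23`, `b59b2f10` and `bb6e0232`, while `relationship--a2ec4e16` already has the trimmed form.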
@@ -46201,6 +64674,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ade33114-0204-49af-95c0-988e39e68989", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee", @@ -46226,24 +64716,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025", - "created": "2024-03-29T15:07:01.237Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:52.568Z", - "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", - "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ae8619a9-9142-4f0f-8778-09756341b472", 
@@ -46287,6 +64759,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--aed2ecd1-999d-485e-a43c-a1b2965de981", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e", + "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", 
@@ -46305,24 +64811,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--af06eaaa-161e-4913-8668-49bdd25b2eff", - "created": "2024-02-21T20:47:45.488Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:53.366Z", - "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", 
@@ -46535,6 +65023,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c", 
@@ -46585,6 +65090,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b0d88891-f927-482e-980a-83d5512b1ae8", + "created": "2025-08-29T22:15:24.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:15:24.225Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has downloaded Google Play Store, Google Play services and Google Services Framework APK to a virtual folder.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee", 
@@ -46665,6 +65195,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7", + "created": "2025-10-08T20:24:14.897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:24:14.898Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, [Chameleon](https://attack.mitre.org/software/S1083) will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3", 
@@ -47046,24 +65601,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7", - "created": "2023-03-20T15:33:34.181Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:59.476Z", - "description": "System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", 
@@ -47448,6 +65985,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b59b2f10-942b-455e-8166-1c9acb4b6824", + "created": "2025-09-18T14:43:44.037Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:43:44.037Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has taken photos and videos using the device\u2019s camera.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", 
@@ -47497,24 +66059,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--b610c587-576a-40cc-9f76-6362455c8ff4", - "created": "2023-03-20T18:43:01.334Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:03.373Z", - "description": "Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--b6323cf4-8141-4910-8743-e42cd15b49e9", 
@@ -47613,24 +66157,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--b697a198-8949-43e0-b2b8-23498373c920", - "created": "2023-03-20T18:37:13.628Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:04.385Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34", @@ -47907,6 +66433,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98", 
@@ -48122,21 +66665,20 @@ }, { "type": "relationship", - "id": "relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf", - "created": "2023-08-09T14:38:34.721Z", + "id": "relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:08.819Z", - "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "source_ref": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -48162,24 +66704,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf", - "created": "2023-03-20T18:59:14.759Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:09.234Z", - "description": "Application vetting services can detect unnecessary and potentially abused API calls.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", 
@@ -48254,6 +66778,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8", + "created": "2025-10-22T21:37:29.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-22T21:37:29.274Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387", 
@@ -48426,24 +66975,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2", - "created": "2023-03-20T18:51:44.864Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:11.511Z", - "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", 
@@ -48470,39 +67001,28 @@ }, { "type": "relationship", - "id": "relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1", - "created": "2023-08-14T16:31:37.179Z", + "id": "relationship--bc656065-d207-456e-a343-ea778ece5f69", + "created": "2025-08-29T22:00:15.784Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:11.920Z", - "description": "Many properly configured firewalls may naturally block command and control traffic.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "modified": "2025-08-29T22:00:15.784Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling [GodFather](https://attack.mitre.org/software/S1231), to exfiltrate Google Authenticator one-time passwords and to steal credentials.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--bc79a212-139f-4dce-be72-e90585f38f03", - "created": "2023-03-16T18:31:37.091Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": 
false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:12.115Z", - "description": "The user can view their default phone app in device settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -48688,6 +67208,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", 
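Review bot: The added `detects` relationship `relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7` has `"description": ""` and no `revoked` key. Every `uses` relationship added in this chunk, and every `x-mitre-data-component` `detects` object it removes, has both a description and `"revoked": false`. Tooling that builds detection-coverage views from the relationship's `description` will now show an empty string for this technique, and a strict reader must default the missing key. Presumably the guidance now lives on the referenced `x-mitre-detection-strategy` object; if so, omit the empty `description` rather than emit `""`, and add `"revoked": false,` after `created_by_ref` to match the other relationships. The same shape repeats in the added objects whose ids start with `be05e26b`, `c04d6143`, `c130e347`, `c15acd70`, `c2a684c0` and `c6758ea0`.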
@@ -48755,24 +67292,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf", - "created": "2023-03-16T18:28:28.144Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:14.552Z", - "description": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f", @@ -48791,6 +67310,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", + "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--be07d829-9a12-4d90-ad8c-9e56782af120", 
@@ -48961,24 +67497,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--be7c3f83-b164-4d53-bfac-65f7437dabec", - "created": "2023-03-20T18:54:36.266Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:16.372Z", - "description": "The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137", 
@@ -49242,24 +67760,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bfad064a-0a49-44e3-b283-94653edc12af", - "created": "2023-08-07T17:13:04.270Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:18.776Z", - "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", 
@@ -49280,39 +67780,28 @@ }, { "type": "relationship", - "id": "relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0", - "created": "2023-03-15T16:39:32.117Z", + "id": "relationship--c0121974-44ba-425d-9445-2d6598a5bc66", + "created": "2025-08-29T21:56:42.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:19.170Z", - "description": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", - "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "modified": "2025-09-12T20:59:15.937Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the Accessibility Service to mimic victims\u2019 actions and to redirect victims to its StubActivity when the victims attempt to use the original, legitimate banking application.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c00031dd-0466-4fd2-9724-ab1c04232bad", - "created": "2023-03-20T18:44:40.722Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:19.380Z", - "description": "Application vetting services can detect unnecessary and potentially abused API calls.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -49331,6 +67820,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c04d6143-6878-47b4-8be7-b205c3942b1d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e", 
@@ -49396,6 +67902,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c0d2e769-fb30-4aba-a39d-875e6926513a", + "created": "2025-09-18T14:39:15.185Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:39:15.185Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has deleted files on the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c0f03d23-03d6-4457-b783-792d1b8f2994", 
@@ -49421,6 +67952,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c130e347-38ab-48fd-8779-946477e53dfa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", @@ -49482,6 +68030,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c15acd70-6527-4788-baa9-51a11b996164", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4", + "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c16c7904-3c85-49de-a0f4-872f4227d775", 
@@ -49582,42 +68147,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd", - "created": "2023-03-20T15:40:11.819Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:21.785Z", - "description": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c23d9eff-1d4e-479f-a114-acc535540a23", - "created": "2023-03-20T18:46:51.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:21.973Z", - "description": "Application vetting services can detect unnecessary and potentially abused permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", 
@@ -49667,6 +68196,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b", + "created": "2025-06-16T17:28:37.128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SahinSRLabs_FluBot_Dec2021", + "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. 
Retrieved April 16, 2025.", + "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-16T17:28:37.128Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) abuses accessibility features in three ways: steal application credentials, evade detection and removal, and send SMS for lateral movement.(Citation: SahinSRLabs_FluBot_Dec2021) ", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d", @@ -49692,24 +68263,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b", - "created": "2023-08-14T16:35:55.610Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:22.781Z", - "description": "Many properly configured firewalls may naturally block one-way command and control traffic.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", 
@@ -49735,24 +68288,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396", - "created": "2023-03-20T18:40:12.814Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:23.178Z", - "description": "The user can view a list of active device administrators in the device settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", 
@@ -49801,42 +68336,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d", - "created": "2023-03-15T16:34:51.794Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:23.783Z", - "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619", - "created": "2023-03-20T18:44:04.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:23.978Z", - "description": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee", 
@@ -49855,6 +68354,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153", + "created": "2025-08-29T21:58:20.970Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:58:20.970Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has gathered a list of installed applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c40cba48-7714-4d03-b748-cadd03360e7a", 
@@ -49928,42 +68457,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb", - "created": "2023-03-20T18:43:03.537Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:24.999Z", - "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76", - "created": "2023-03-20T18:42:18.058Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:25.234Z", - "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", @@ -50196,24 +68689,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33", - "created": "2023-03-20T19:00:09.608Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:27.482Z", - "description": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", 
@@ -50312,6 +68787,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c6758ea0-3343-4707-b563-69b901f90745", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f", + "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c", @@ -50362,24 +68854,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93", - "created": "2023-03-20T18:21:59.396Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:28.899Z", - "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8", 
@@ -50410,6 +68884,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c6d7f454-8dc1-4928-a668-f71aba491e45", + "created": "2025-08-29T22:07:08.828Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T14:34:29.099Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) [GodFather](https://attack.mitre.org/software/S1231) has also obtained the phone's state, including network information, phone number, and serial number.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": 
"relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", 
@@ -50512,46 +69016,20 @@ }, { "type": "relationship", - "id": "relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2", - "created": "2023-03-20T18:48:39.857Z", + "id": "relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:29.959Z", - "description": "On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "source_ref": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47", - "created": "2023-03-20T15:20:11.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-VerifiedBoot", - "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", - "url": "https://source.android.com/security/verifiedboot/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:30.160Z", - "description": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -50614,6 +69092,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad", + "created": "2025-08-29T22:03:53.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:03:53.396Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `CALL_PHONE` permission to initiate phone calls.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", 
@@ -50712,24 +69215,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c89d6493-3f33-4568-ac77-ba13b206ae69", - "created": "2023-03-20T18:52:24.667Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:31.823Z", - "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", @@ -50780,24 +69265,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059", - "created": "2023-03-20T18:51:23.032Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:32.433Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", 
@@ -50818,21 +69285,20 @@ }, { "type": "relationship", - "id": "relationship--c943d462-fea7-4c01-88b2-de134153095b", - "created": "2023-03-20T18:56:37.473Z", + "id": "relationship--c91d3d41-2862-4a64-a29e-8c36dad06382", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:32.821Z", - "description": "Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "source_ref": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0", + "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -50945,24 +69411,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106", - "created": "2023-03-15T16:26:38.465Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:34.113Z", - "description": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", 
@@ -51109,6 +69557,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28", + "created": "2025-06-25T15:35:12.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:35:12.240Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used a commercial packer named Jiagubao to evade static detection.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--cb5465c0-a577-45b1-becf-305e0bd47497", 
@@ -51530,6 +70003,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ccf741d0-9a3d-4b37-822e-a74267032279", + "created": "2025-08-29T22:01:27.430Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:01:27.431Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has generated fake notifications to lure the victim to phishing pages.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", 
@@ -51572,6 +70070,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de", + "created": "2025-09-08T16:36:01.835Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T16:36:01.835Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2", 
@@ -51724,42 +70239,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c", - "created": "2023-03-20T18:51:29.814Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:40.921Z", - "description": "Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca", - "created": "2023-03-20T18:58:19.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:41.112Z", - "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6", @@ -51902,21 +70381,20 @@ }, { "type": "relationship", - "id": "relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b", - "created": "2023-03-20T15:56:47.307Z", + "id": "relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:42.577Z", - "description": "The user can see which applications are registered as device administrators in the device settings.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "source_ref": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -52003,6 +70481,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab", + "created": "2025-10-08T14:42:37.400Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:42:37.400Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has compressed and encrypted collected data with a password from the C2 server.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", 
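Review bot: The `url` of the `Lookout_DCHSpy_July2025` reference ends in `lookout-discovers-iranian-dchsy-surveillanceware`, spelling the family `dchsy` where `source_name`, the citation text and the relationship description all say DCHSpy. This may be the publisher's actual slug, but it is worth confirming that the link resolves, since this citation is the only evidence given for the claim in `description`. The citation text also has a stray space in `Conflict . Retrieved`, which would read `Conflict. Retrieved`. The same reference object is repeated in the hunk at `@@ -53137,6 +71627,31 @@`.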
@@ -52103,39 +70606,20 @@ }, { "type": "relationship", - "id": "relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263", - "created": "2023-03-15T16:23:59.107Z", + "id": "relationship--cf70a7c5-1118-4d19-8c83-63a86b233917", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:44.484Z", - "description": "When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "source_ref": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--cf696296-751a-41e5-a9b0-907c7b991b2a", - "created": "2023-09-22T19:14:54.719Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:44.688Z", - "description": "Application vetting services may detect API calls for deleting files. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -52423,24 +70907,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d170a088-b115-4a86-b093-8aa32666a470", - "created": "2023-03-15T16:39:55.148Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:47.377Z", - "description": "On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", 
@@ -52466,24 +70932,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e", - "created": "2023-09-22T19:15:22.670Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:47.781Z", - "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", 
@@ -52602,6 +71050,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d3007886-00d1-4796-83da-f8ff26f4ac52", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", @@ -52620,6 +71085,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6", + "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", 
@@ -52695,6 +71177,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6", + "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc", 
@@ -52795,31 +71294,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86", - "created": "2023-03-20T15:16:43.275Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Samsung Knox Mobile Threat Defense", - "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", - "url": "https://partner.samsungknox.com/mtd" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:50.562Z", - "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", 
@@ -52943,6 +71417,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7", + "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", @@ -52991,24 +71482,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb", - "created": "2023-03-20T18:58:14.140Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:52.157Z", - "description": "The user can review which applications have location permissions in the operating system\u2019s settings menu.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078", 
@@ -53112,6 +71585,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", 
@@ -53137,6 +71627,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d622d417-6439-40e8-ac3b-10463beeeb8f", + "created": "2025-10-08T14:38:31.286Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:38:31.286Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected account names and their types from the device.(Citation: Lookout_DCHSpy_July2025)", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", 
@@ -53161,24 +71676,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d63de13b-0253-42f4-b13d-34bccf76ad94", - "created": "2023-03-20T18:54:50.323Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:53.720Z", - "description": "Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", 
@@ -53247,24 +71744,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7", - "created": "2023-03-20T15:16:28.177Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:54.530Z", - "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", 
@@ -53349,24 +71828,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5", - "created": "2023-03-20T18:50:21.296Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:55.563Z", - "description": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", 
@@ -53419,20 +71880,20 @@ { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:56.181Z", + "modified": "2025-09-08T16:44:09.588Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -53526,6 +71987,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d7b7d0f4-2312-4207-824d-332904b81759", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", + "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec", + "created": "2025-08-29T21:56:01.595Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. 
Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:56:01.595Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has obfuscated its Android manifest file with irrelevant permissions and manifest strings.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", 
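Review bot: The added `detects` relationship `relationship--d7b7d0f4` has `"description": ""` and no `revoked` key, and the same shape repeats in the hunks adding `dae66212`, `ddfa9b6c`, `de8f4252`, `e1a94e63`, `e2aa5d54`, `e33c48aa`, `e56b94c0` and `ea8cfefa`. The `x-mitre-data-component` relationships this commit deletes carried the analyst guidance in that field (the `-54888` hunk, for example, drops the Mobile Threat Defense sentence). A consumer that renders relationship descriptions, or that selects detections by a `source_ref` prefix of `x-mitre-data-component--`, will therefore show no detection content for these techniques and will not report an error. Presumably the guidance now lives on the `x-mitre-detection-strategy` objects, which are not visible in these hunks; the release notes should state that so downstream parsers can be updated. For consistency with the other relationships added in this commit I would also include `"revoked": false,` after `created_by_ref`.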
@@ -53544,6 +72047,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd", + "created": "2025-08-29T22:03:31.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:03:31.202Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `SEND_SMS` permission to send SMS messages.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", 
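Review bot: The new description reads `has requested for the SEND_SMS permission`; the `for` is ungrammatical and I would write `has requested the SEND_SMS permission to send SMS messages`, keeping the backticks around the permission name. As written the sentence records only the permission request. If the cited report also shows the malware sending messages, saying so would make the mapping to the target technique easier for an analyst to verify.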
@@ -53635,24 +72163,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157", - "created": "2023-08-23T22:18:21.774Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:58.150Z", - "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", 
@@ -53725,6 +72235,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d8da0428-122e-4054-baee-ff85847d28fb", + "created": "2025-10-08T14:35:07.786Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T16:56:25.834Z", + "description": "(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", + "target_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", 
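Review bot: The `description` of this `uses` relationship is only `(Citation: Lookout_DCHSpy_July2025) ` with a trailing space, so the record says nothing about what the cited report establishes for this intrusion-set-to-malware link. Its `modified` value is later than `created`, so the field has already been edited once. I would at least trim it to `"description": "(Citation: Lookout_DCHSpy_July2025)"`, and a one-sentence statement of the reported usage would help analysts who read the relationship without opening the source. Trailing spaces also appear in the descriptions added in the `-55102` and `-55796` hunks.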
@@ -53890,36 +72425,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa", - "created": "2023-08-14T16:19:34.080Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "unit42_strat_aged_domain_det", - "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", - "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" - }, - { - "source_name": "Data Driven Security DGA", - "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", - "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:00.380Z", - "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": 
"relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852", @@ -53945,6 +72450,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4", + "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", @@ -54018,24 +72540,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff", - "created": "2023-09-21T22:31:55.337Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:01.375Z", - "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce", 
@@ -54186,24 +72690,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--dc7ef843-a073-4e23-b717-c505d4863b02", - "created": "2023-03-20T18:53:58.856Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:02.835Z", - "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", @@ -54329,6 +72815,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", 
@@ -54438,6 +72941,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--de8f4252-d725-430c-bcd9-29225c131e6e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5", @@ -54483,24 +73003,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--def81edd-4410-47b2-a80f-d47b3f353f54", - "created": "2023-03-16T18:27:42.656Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:05.390Z", - "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", 
@@ -54697,24 +73199,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e012da15-7669-4764-ad9d-8a1d817bcca9", - "created": "2023-03-20T18:23:04.068Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:07.279Z", - "description": "Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", 
@@ -54888,21 +73372,20 @@ }, { "type": "relationship", - "id": "relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36", - "created": "2023-03-20T18:41:31.300Z", + "id": "relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:08.872Z", - "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "source_ref": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -54929,6 +73412,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f", + "created": "2025-10-08T14:37:17.378Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:37:17.378Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s call log.(Citation: Lookout_DCHSpy_July2025)", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb", 
@@ -55027,6 +73535,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", 
@@ -55102,6 +73627,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737", + "created": "2025-10-08T14:40:19.684Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:19.684Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1", + "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8", @@ -55408,24 +73975,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8", - "created": "2023-03-20T18:56:24.246Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:13.171Z", - "description": "Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--e50c605a-0cdf-4316-bb49-2deccc69143f", 
@@ -55541,6 +74090,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e56b94c0-eb5a-4597-b961-523971d84a73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e5922453-d9b1-472b-b947-b1eaa426a32e", 
@@ -55650,24 +74216,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3", - "created": "2023-03-16T13:32:02.290Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:15.008Z", - "description": "Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39", 
@@ -55796,6 +74344,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42", + "created": "2025-06-25T15:36:36.311Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:36:36.311Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has displayed masqueraded wallet applications if the EnabledUIMode field is set to `true`. [CherryBlos](https://attack.mitre.org/software/S1225) has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to `true`. The withdrawal transaction is ultimately transferred to the threat actor\u2019s controlled address.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", 
@@ -55939,24 +74512,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e928c0ce-2b98-4af5-a990-f690f4306681", - "created": "2023-03-20T18:43:46.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:17.470Z", - "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b", 
@@ -56104,24 +74659,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc", - "created": "2023-03-20T18:49:38.917Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:18.914Z", - "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7", 
@@ -56146,6 +74683,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--eb052029-e1c9-4f24-8594-299aaec7f1df", @@ -56238,24 +74792,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa", - "created": "2023-07-14T19:11:45.176Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:20.122Z", - "description": "Unexpected behavior from an application could be an indicator of masquerading.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", 
@@ -56424,24 +74960,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0", - "created": "2023-08-14T16:33:56.635Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:21.762Z", - "description": "Many properly configured firewalls may naturally block command and control traffic.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", 
@@ -56614,42 +75132,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ed7e9368-004c-484f-9eed-03b158325564", - "created": "2023-03-20T18:54:40.401Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:23.379Z", - "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6", - "created": "2025-03-14T17:58:15.093Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:23.576Z", - "description": "Monitor for API calls that are related to GooglePlayServices. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", 
@@ -56700,6 +75182,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--edf7417d-d559-4423-b169-b2b2b33fcb76", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a", + "created": "2025-10-08T14:36:15.827Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . 
Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:36:15.827Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has masqueraded as legitimate applications, such as VPN and banking applications.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", 
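Review bot: The citation text for `Lookout_DCHSpy_July2025` has a stray space before the full stop (`Conflict . Retrieved`), and its `url` slug reads `dchsy` where the title says DCHSpy, so the link should be checked against the published article before release. The relationship `description` also ends in a trailing space after the citation; ending it at `(Citation: Lookout_DCHSpy_July2025)` keeps rendered text and string comparisons clean.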
@@ -56965,24 +75489,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd", - "created": "2023-03-20T18:51:58.152Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:26.424Z", - "description": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", 
@@ -57172,6 +75678,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f2274210-22bd-4ca4-887d-691e1370c85b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", 
@@ -57371,21 +75894,28 @@ }, { "type": "relationship", - "id": "relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81", - "created": "2023-03-20T15:45:44.000Z", + "id": "relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf", + "created": "2025-09-18T14:37:50.850Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:29.665Z", - "description": "Mobile security products can potentially detect jailbroken devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "modified": "2025-09-18T14:37:50.850Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has captured audio from the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -57414,18 +75944,42 @@ }, { "type": "relationship", - "id": "relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5", - "created": "2023-03-20T15:21:12.492Z", + "id": "relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:30.051Z", - "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "source_ref": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80", + "created": "2025-06-25T15:35:33.315Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. 
Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:35:33.315Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has received configuration files from the C2 server.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" 
@@ -57480,6 +76034,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436", + "created": "2025-06-25T15:35:54.673Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:35:54.673Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has communicated with the C2 server using HTTPS.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + }, { "type": "relationship", "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", 
@@ -57604,6 +76183,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", + "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f5196775-2c99-4dc5-b173-6a10af503c6e", 
@@ -57647,6 +76243,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6", + "created": "2025-09-18T14:38:14.426Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:38:14.426Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as MAC address, IMEI and phone number.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", 
@@ -57696,24 +76317,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a", - "created": "2023-03-20T18:39:10.113Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:32.521Z", - "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4", 
@@ -57764,24 +76367,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78", - "created": "2023-03-20T18:54:09.674Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:33.150Z", - "description": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", @@ -57849,6 +76434,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f62351c6-0dff-45b1-a711-1b40b96639a2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", + "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", 
@@ -57987,19 +76589,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:34.977Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:17:51.728Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to disable Google Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -58025,6 +76632,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa", 
@@ -58305,6 +76929,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69", + "created": "2025-08-29T22:04:44.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T14:31:06.242Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has the captured information about the device's screen to include detailed tap events.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", 
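Review bot: The description of `relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69` reads `has the captured information about the device's screen to include detailed tap events`, which is ungrammatical; `has captured information about the device's screen, including detailed tap events` says what is meant. The citation's author list `Ortega, F. Pratapagiri, V.` is missing the separator between the two authors (`Ortega, F., Pratapagiri, V.`). The same citation string is repeated in the new file `relationship--00711e74-0877-4829-afc0-dfbe63901b4f.json` later in this diff, so both copies should be corrected together.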
@@ -58323,24 +76972,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39", - "created": "2023-03-20T15:56:04.673Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:37.798Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", @@ -58678,6 +77309,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fad1e048-86e1-48c7-a183-0e13e429bc23", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", 
@@ -59010,6 +77658,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fc3c2496-aef9-4924-82e7-716d5149db01", + "created": "2025-09-24T16:02:56.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-24T16:02:56.574Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fc742401-a8cd-4a97-8c50-045807c47581", 
@@ -59084,6 +77757,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7", + "created": "2025-09-17T15:30:25.216Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T15:30:25.216Z", + "description": "Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts. ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", 
@@ -59181,24 +77872,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2", - "created": "2023-08-08T16:14:27.679Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:45.246Z", - "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", 
@@ -59223,24 +77896,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549", - "created": "2023-03-20T18:24:56.396Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:45.628Z", - "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394", 
@@ -59389,24 +78044,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193", - "created": "2023-03-20T18:44:44.257Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:47.028Z", - "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938", diff --git a/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json b/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json index f827db67d7..ebf65dae4d 100644 --- a/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json +++ b/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61dad137-9686-4b92-89f7-3e30fcea63a6", + "id": "bundle--0c8d531d-5b5e-4112-b7eb-81520893518f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json b/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json index 53952407ad..8cc2c3fcd1 100644 --- a/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json 
+++ b/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cefe155f-6f8e-48b6-bfaa-c5c481991e37", + "id": "bundle--f2bf474c-a45e-4c00-ab9c-23c859bb463d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--00711e74-0877-4829-afc0-dfbe63901b4f.json b/mobile-attack/relationship/relationship--00711e74-0877-4829-afc0-dfbe63901b4f.json new file mode 100644 index 0000000000..c535d6a144 --- /dev/null +++ b/mobile-attack/relationship/relationship--00711e74-0877-4829-afc0-dfbe63901b4f.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--d993e556-8a10-4c37-a945-9cd9505cb67d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00711e74-0877-4829-afc0-dfbe63901b4f", + "created": "2025-08-29T22:09:45.617Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:09:45.617Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has executed when victims utilize their trusted banking apps, as the malware redirects the victim to using a malicious version of the banking app.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--00cac496-7350-4023-b29e-42c81e3c50bd.json b/mobile-attack/relationship/relationship--00cac496-7350-4023-b29e-42c81e3c50bd.json new file mode 100644 index 0000000000..a1703c3d7d --- /dev/null +++ b/mobile-attack/relationship/relationship--00cac496-7350-4023-b29e-42c81e3c50bd.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6b0ab105-bcee-40c1-97f8-77c1ca382786", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00cac496-7350-4023-b29e-42c81e3c50bd", + "created": "2025-09-18T14:40:18.513Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:18.513Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s call log.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json b/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json index d2364543a7..d1d195ea77 100644 --- a/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json +++ b/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec25551c-f3be-4b07-baeb-c4a4468929f4", + "id": "bundle--d19c746b-d118-4391-9b2f-35197863ccc7", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json b/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json index fc96e7bccd..d7e9d8243c 100644 --- a/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json +++ b/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ff73c9f-18da-4c00-a3ec-55fd047ab8c4", + "id": "bundle--2de19a68-c11b-4dd6-af49-a17d362f39c0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json b/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json index 70136a6726..410f8b88aa 100644 --- a/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json +++ b/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9f21d71-5f82-478d-ad10-36b7c0fa8add", + "id": "bundle--4bd04d2f-d2ea-4407-9781-460d1af589b3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9.json b/mobile-attack/relationship/relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9.json new file mode 100644 index 0000000000..7ed8c6ad35 --- /dev/null +++ b/mobile-attack/relationship/relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--762e549c-de8b-414d-a33c-b7a50cd46ce3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01753250-4bfa-4671-bcce-0e3cf19c0ae9", + "created": "2025-10-08T20:21:12.056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:21:12.056Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the KeyguardManager API to evaluate the device\u2019s locking mechanism and the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json b/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json index 6b9b2a1962..8f514e3836 100644 --- a/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json +++ b/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04e05c25-97a1-4373-9d5c-4890140146c7", + "id": "bundle--e5704d88-84f2-4f0f-86ae-852adce93137", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json b/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json index 66834762c8..e8360d4738 100644 --- a/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json +++ b/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed2f1d61-00b3-48e8-a6d4-deb530319fdf", + "id": "bundle--5391be7b-0735-4718-9aa9-dd9afbdb7f66", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:38.112Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:56:32.839Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has removed artifacts of its presence and has the ability to uninstall itself.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", diff --git a/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json b/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json index 3b6afce397..cf6a4d071b 100644 --- a/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json +++ b/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8bcea99e-0a1c-4e19-95c3-66a65b14e99a", + "id": "bundle--f33bd338-072a-427d-9317-fa7ae3119621", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json b/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json index 62120f08ac..14d6cacb1c 100644 --- a/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json +++ b/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97a02cf7-fbad-4039-bc2b-d33719cf78a8", + "id": "bundle--25adee53-3b08-42fa-b9f1-d71ac6af1caa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json b/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json index 382198732b..d0de79b213 100644 --- a/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json +++ b/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f018418b-34fa-43b5-b5a5-68fe8b3fd45a", + "id": "bundle--f2a7bc6e-4afc-44d0-b4bc-0b54880e72da", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json b/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json index c77167740f..97bf9536bb 100644 --- a/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json +++ b/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d33e5c2e-f204-4cfc-8835-7e1e795e7daa", + "id": "bundle--2d976692-1762-4acb-9cf4-298d92a6e1e0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870.json b/mobile-attack/relationship/relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870.json new file mode 100644 index 0000000000..517616b286 --- /dev/null +++ b/mobile-attack/relationship/relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--91e18dd6-f433-47d1-898d-0cb2b7e20961", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json b/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json index bc42462dc4..e8dbf99fa0 100644 --- a/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json +++ b/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7721595b-a4c4-4b18-9b5c-1c3995da2436", + "id": "bundle--c04f6b61-55c0-4301-86f7-ef75b36a879a", "spec_version": "2.0", "objects": [ { 
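Review bot: The new `detects` relationship relationship--024a2ca8-c0c4-456d-a9e6-5596c5569870 is added with `"description": ""` and no `revoked` key, whereas every new `uses` relationship visible in this diff carries `"revoked": false` and a cited description. The same shape recurs in relationship--0384b954, --038bbc64 and --03d0892e. A consumer that reads `revoked` without a default, or that renders the relationship description as detection guidance, gets nothing from these objects. The guidance presumably now lives on the referenced `x-mitre-detection-strategy` object, which is not visible here. I would add `"revoked": false,` after `created_by_ref` for consistency and omit `description` rather than ship an empty string.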
diff --git a/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json b/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json index bf271d396e..86cd6e146f 100644 --- a/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json +++ b/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--053def8d-0d49-4f3c-8fea-05e7941c41cc", + "id": "bundle--985a70e8-0113-4dc5-9889-a18ab0a8e869", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json b/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json index a703d855a6..ec7e844d3f 100644 --- a/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json +++ b/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--362f66d2-156c-4db9-9714-f4fb66bc579a", + "id": "bundle--da1bf8b3-3308-43a9-8881-4b9e72a95b8f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json b/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json index 6bf6ea79e4..104f8e3fb1 100644 --- a/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json +++ b/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d8d8f19-1df8-4227-a34c-e2699393d6cc", + "id": "bundle--da86255c-4bb5-45fb-9818-9f2c0388febd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json b/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json index 200aa3cc19..7995d052f2 100644 
--- a/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json +++ b/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6438ee3f-ff78-4b8a-8f5b-b7950fe2c86b", + "id": "bundle--ac7cbff8-51db-45e1-b0b9-db1a9b5dc0a0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json b/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json index 24ccf62bd3..754dfa480b 100644 --- a/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json +++ b/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1888328b-9096-41d2-bdad-2a0b6495fae0", + "id": "bundle--da86b473-b08d-44df-9b53-1f365d6785af", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json b/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json index 3b444e9e38..5757569301 100644 --- a/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json +++ b/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fdfae50-cf69-4595-9271-a2212b92f7ad", + "id": "bundle--c2dbfe2b-7fd2-4c2f-b066-b43e2c0146e5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--03239f6a-a314-4ee0-81fa-006a39209b63.json b/mobile-attack/relationship/relationship--03239f6a-a314-4ee0-81fa-006a39209b63.json new file mode 100644 index 0000000000..e57cb15e51 --- /dev/null +++ b/mobile-attack/relationship/relationship--03239f6a-a314-4ee0-81fa-006a39209b63.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--60c76f9d-dc75-4ba5-b631-42c2d0785f6a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03239f6a-a314-4ee0-81fa-006a39209b63", + "created": "2025-09-18T14:41:15.687Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:41:15.687Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected account names and their types from the compromised device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json b/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json index ed5df31c00..1369f0694b 100644 --- a/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json +++ b/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4efc24b8-f3a6-48ee-a9bd-31b0c7ef3f8b", + "id": "bundle--7960381b-cf33-4cbd-805d-188ad8afe579", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json b/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json index 8804e4ed83..c3ebf14980 100644 --- a/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json +++ b/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9479eb01-7189-4a03-b72a-1cf0307e5d44", + "id": "bundle--6f6a90f5-d22e-4627-9659-406ec5486516", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json b/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json index da2305ab6b..a31f39bb76 100644 --- a/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json +++ b/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--187a496e-f23a-425f-8eb9-5de6e65508a9", + "id": "bundle--41c50ef7-b565-4f24-b2ce-9b5680c7e811", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0384b954-06be-4b7d-924e-39416306a844.json b/mobile-attack/relationship/relationship--0384b954-06be-4b7d-924e-39416306a844.json new file mode 100644 index 0000000000..5192a9b3f9 --- /dev/null +++ b/mobile-attack/relationship/relationship--0384b954-06be-4b7d-924e-39416306a844.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--55a3b55d-e9b2-4824-b896-6512a6132da7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0384b954-06be-4b7d-924e-39416306a844", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json b/mobile-attack/relationship/relationship--038bbc64-2ca7-4e63-afd5-e4484170f368.json similarity index 53% rename from mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json rename to mobile-attack/relationship/relationship--038bbc64-2ca7-4e63-afd5-e4484170f368.json index 8364465297..47fb43e140 100644 --- a/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json +++ b/mobile-attack/relationship/relationship--038bbc64-2ca7-4e63-afd5-e4484170f368.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--16ffd81c-1f1d-44f9-bf61-20e11b1c42d3", + "id": "bundle--5d408f2b-bfdd-44c5-82b4-2d746fba0641", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2", - "created": "2023-03-20T18:59:57.364Z", + "id": "relationship--038bbc64-2ca7-4e63-afd5-e4484170f368", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:01.259Z", - "description": "The user can examine the list of all installed applications in the device settings. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json b/mobile-attack/relationship/relationship--03d0892e-94af-492f-9535-79119aa95436.json similarity index 51% rename from mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json rename to mobile-attack/relationship/relationship--03d0892e-94af-492f-9535-79119aa95436.json index 3e27a428d9..aa80952791 100644 --- a/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json +++ b/mobile-attack/relationship/relationship--03d0892e-94af-492f-9535-79119aa95436.json 
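Review bot: The old object `relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2` disappears here without being marked `revoked` or `x_mitre_deprecated`. Git pairs the two files as a rename, but `id`, `created` and `source_ref` all change, so this is a new object and not an update. Consumers that sync by id and do not process deletions will keep a stale `detects` edge from `x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6`. The previous guidance ("The user can examine the list of all installed applications in the device settings.") should be confirmed as carried over to the detection strategy before the old object is dropped. relationship--1fdf9c43 to --03d0892e follows the same pattern, and relationship--04ec5f2f, which held the `android.os.SystemProperties`/`getprop` vetting guidance, is deleted outright.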
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--5174b5f4-e420-44fc-a7e9-045aba861d36", + "id": "bundle--af12fcf8-c2d2-443d-8235-c9c3c98ea3d0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--1fdf9c43-0237-461f-86d4-1da843078744", - "created": "2023-09-21T19:38:49.571Z", + "id": "relationship--03d0892e-94af-492f-9535-79119aa95436", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:23.359Z", - "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "source_ref": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json b/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json index 510c849520..86b5603ec6 100644 --- a/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json +++ b/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc210243-9afd-4137-a484-9bf6632459c9", + "id": "bundle--8fab6028-0af1-4cdd-a801-d471d2c5e1ec", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json b/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json index e9893d8d02..33ee105aec 100644 --- a/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json +++ b/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1bcaaec4-aeab-42d5-a672-f5159132e746", + "id": "bundle--f3b49e24-c328-4c91-80ce-503c2386340a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json b/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json index 2079d92a1d..659ed7cd92 100644 --- a/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json +++ b/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--611354a6-8970-452f-bf30-180adb78aa5d", + "id": "bundle--b8a7ba3d-328d-45c6-a7cb-089fa09a4b27", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json b/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json index 73da92c6fe..51fe04b916 100644 --- a/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json +++ b/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02d7489f-61b7-430b-aaf1-f25e6192eed9", + "id": "bundle--b44d3ea3-afb8-4da3-bd56-2b84fea478ca", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json b/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json index ebdd6f827f..2c60507b99 100644 
--- a/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json +++ b/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aba080c4-580a-4b40-b657-e1a914ac7715", + "id": "bundle--53c1768e-bedc-49a1-94fa-c9d231001b1f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json b/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json index 45c51ae15e..1a370e679f 100644 --- a/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json +++ b/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c921dbd-26a1-4ba1-8343-bb42741bb227", + "id": "bundle--a7125932-9c8a-49e5-ae8b-91dba2d8fde5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json b/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json index 368a7671aa..10cf14bb51 100644 --- a/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json +++ b/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fcc16460-44b7-42a7-a0ea-f5c2375a205a", + "id": "bundle--98d0feb9-e2f3-4374-8d3c-ff969761abf7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json b/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json index 67f9d988fc..f7427def0d 100644 --- a/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json +++ b/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe86239c-26a7-4273-900f-4b2725305473", + "id": "bundle--a2644f2f-a6aa-41b9-a52a-7d3af3d1adf7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json b/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json deleted file mode 100644 index 2bb1972a7f..0000000000 --- a/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7326bc58-03aa-4e38-9d52-436accf593fb", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", - "created": "2023-03-20T18:37:57.767Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:43.318Z", - "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json b/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json index e81c856df1..d1759fbf73 100644 --- a/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json 
+++ b/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65c6a397-1c3a-453c-86c2-5719f3da6fd2", + "id": "bundle--b67e6e86-0d90-4db7-bd9b-8d1294a005b0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json b/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json index 1c8ccd2689..140809d8a7 100644 --- a/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json +++ b/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12d0855d-d27a-4b30-bc16-fbff55701d84", + "id": "bundle--30e2e7fc-d67b-448f-94f8-0a264cdd8e3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--052576f4-0b54-44be-840d-a9c8bb7cb980.json b/mobile-attack/relationship/relationship--052576f4-0b54-44be-840d-a9c8bb7cb980.json new file mode 100644 index 0000000000..8593daad01 --- /dev/null +++ b/mobile-attack/relationship/relationship--052576f4-0b54-44be-840d-a9c8bb7cb980.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--2e0bbe16-44b0-4aa9-b4bf-0295cedffef0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--052576f4-0b54-44be-840d-a9c8bb7cb980",
+ "created": "2025-09-18T14:43:22.943Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:43:22.944Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected package names.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json b/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json
index 290277510e..5c40e5a5e8 100644
--- a/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json
+++ b/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--30a925d0-3701-4fd2-a506-8f4fbf090026",
+ "id": "bundle--49a28feb-a58b-4e6b-ae3c-141b7702caad",
 "spec_version": "2.0",
 "objects": [
 {
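Review bot: The added `description` in relationship--052576f4 says only that RatMilad "has collected package names", which does not tell a reader whose packages are meant. If the cited Zimperium report refers to the applications installed on the device, the string should say so, for example `has collected the package names of installed applications`. The string also ends with a space before its closing quote (`...Oct2022) "`), as do the descriptions added or changed in relationship--05a0ac14, relationship--06e2e07f, relationship--07ccc973 and relationship--0803b497 in this diff. Trimming it keeps rendered text and string comparisons clean.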
diff --git a/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json b/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json index 17e7726ee0..0983ae4093 100644 --- a/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json +++ b/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2aef315-73e3-4f7a-8e58-9af4404a3928", + "id": "bundle--87db7a50-c397-4409-ab15-0a97daa4467a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3.json b/mobile-attack/relationship/relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3.json new file mode 100644 index 0000000000..86a3519283 --- /dev/null +++ b/mobile-attack/relationship/relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--4cc2e1c5-8dce-4860-bd70-8771b1b09fc2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--05a0ac14-12c3-428c-9567-fecb3e29abe3",
+ "created": "2025-06-25T15:36:12.680Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-25T15:36:12.680Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has utilized foreground services by showing a notification to evade detection.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json b/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json
deleted file mode 100644
index 4d8c76a38b..0000000000
--- a/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json
+++ /dev/null
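Review bot: In the added `description` of relationship--05a0ac14, "has utilized foreground services by showing a notification to evade detection" leaves unclear which part is the evasion, since a notification is something the user sees. If the Trend Micro report means that the foreground service is the mechanism and the notification merely accompanies it, the sentence should be ordered that way, e.g. `has run a foreground service, with its accompanying notification, to evade detection`. The object also carries `"x_mitre_attack_spec_version": "3.2.0"` while the other relationships added in the visible part of this diff use `3.3.0`. Presumably that reflects its June 2025 creation date, but it is worth confirming.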
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--1e9c39da-f877-491f-9594-d534f84c80d2", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b", - "created": "2023-09-21T19:38:21.735Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:44.375Z", - "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json b/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json index 744dc85b1f..d6123f2b82 100644 --- a/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json +++ b/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--593781f3-1bd1-4831-bd90-fa24122af63b", + "id": "bundle--4ff9cdbb-e622-4569-b6d1-b74f81041071", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json b/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json index 1f4d39c19e..36c9bd0e46 100644 --- a/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json +++ b/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--570f32e5-8fa3-41fb-b703-97bb753ee356", + "id": "bundle--f4f2da1e-25a0-47ab-a4b6-54edd449e8a5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json b/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json index 0b441a98fc..00e818d1f7 100644 --- a/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json +++ b/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3ece954-bc26-4bcf-9416-8dc36f9047d2", + "id": "bundle--465386b5-41ea-46f5-a677-51c7c3c48867", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json b/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json index 0339cadcbe..e862826870 100644 --- a/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json +++ b/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--261412ab-9c0d-463f-bb10-e0d0876c8a6d", + "id": "bundle--1e9d87f1-bfbe-4ab6-af9e-847730367764", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json b/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json index c103ecdc51..54bec78693 100644 --- a/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json +++ b/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38faad7d-6b46-4c5a-997d-ebc66b067813", + "id": "bundle--fa5b99fe-b6c1-4eff-89a1-eeb2b3ce41a9", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json b/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json index e21490722c..c863c8eb58 100644 --- a/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json +++ b/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91b5c612-e2c1-46b8-8212-c86c3bc4b857", + "id": "bundle--c1aefcf1-ea75-4e9b-83f8-7e5ebc80c045", "spec_version": "2.0", "objects": [ { 
@@ -14,19 +14,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:45.721Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:20:37.877Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to gather basic device information, such as version, model, root status, and country.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has checked the keyguard\u2019s status regarding how the device is locked (e.g. 
pattern, PIN or password).(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json b/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json index a1e1e1d9c1..dcbe240749 100644 --- a/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json +++ b/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--375043a9-2f1b-4899-a467-e8613056092f", + "id": "bundle--2e21ab4b-cb25-466c-96aa-352306ad7f89", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json b/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json index 41e1056ad9..42efaf72a7 100644 --- a/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json +++ b/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e8573ec-2e65-442a-8a30-7cf245288b45", + "id": "bundle--a257860c-e58a-4838-abd9-5d6b4a17d784", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json b/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json index 0b86faa9e4..afd5a76b0b 100644 --- a/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json 
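Review bot: The rewritten `description` in relationship--06e2e07f now mixes device-information checks with a user-facing action. The sentence "an HTML page with instructions on how to enable the Accessibility Service will be shown to the user" describes prompting the user rather than gathering information, and relationship--07ccc973, added later in this diff, is the one that covers Chameleon's Accessibility Service use. Consider keeping only the two checks here (Restricted Settings status and keyguard lock type) and moving the HTML-page sentence to the relationship it supports. "If the Android 13 Restricted Settings status is present" is also imprecise; `If Android 13 Restricted Settings are in effect` would read more clearly, if that matches the ThreatFabric report. The hunk begins inside the `external_references` array, so the object's opening fields are outside it.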
+++ b/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d14b4be-b51a-4ee3-b9a1-adb98663dfbb", + "id": "bundle--e589c825-8b9c-4728-b83e-92324936503d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json b/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json index d5da8e5ab4..d01259c93b 100644 --- a/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json +++ b/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1554699f-3ed2-484c-8728-6f902e44385f", + "id": "bundle--c57f75f0-1fee-4b5f-b93b-23857b81155e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json b/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json index bf044e1540..51eb45d3fa 100644 --- a/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json +++ b/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9627953d-09fb-446d-97ca-3bcd909f7264", + "id": "bundle--f0abd781-aaf9-4dbe-b45f-569a2e0e6a5a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json b/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json index dcd3559c39..bbfce427e7 100644 --- a/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json +++ b/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a00abe5c-bfb6-4fab-a97f-18ac67590b7e", + "id": "bundle--6a538587-67dc-4f18-b7ee-7d8ef99812e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json b/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json index 3aa5d20ecf..9d6815a5be 100644 --- a/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json +++ b/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a5f5a57-8595-483d-adb9-f0953e670995", + "id": "bundle--37f64920-854a-4f87-a229-9c1d701935bd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--07ccc973-19fb-4926-953a-9ec205372683.json b/mobile-attack/relationship/relationship--07ccc973-19fb-4926-953a-9ec205372683.json new file mode 100644 index 0000000000..19a94c0a08 --- /dev/null +++ b/mobile-attack/relationship/relationship--07ccc973-19fb-4926-953a-9ec205372683.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--26864ce9-5e3f-4cf7-9180-e0d1ba6ba6ff",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--07ccc973-19fb-4926-953a-9ec205372683",
+ "created": "2025-07-07T21:49:15.656Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "cyble_chameleon_0423",
+ "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
+ "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:23:10.053Z",
+ "description": "After accessibility permissions are granted, [Chameleon](https://attack.mitre.org/software/S1083) has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, disabling Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
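Review bot: The added `description` in relationship--07ccc973 cites both sources together at the end of a four-item list, so a reader cannot tell which report supports which action (switching from biometric to PIN authentication, granting additional permissions, preventing uninstallation, disabling Play Protect). Placing each `(Citation: ...)` directly after the items it supports would make the individual claims checkable. The list is also missing its conjunction and should end `preventing uninstallation, and disabling Play Protect.`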
diff --git a/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json b/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json index 9061fcfd69..c68ccf26a1 100644 --- a/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json +++ b/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9017647-4f73-4468-be75-b246d181ec63", + "id": "bundle--efb7c6cf-18f6-4260-b8c3-05f94dc6fa16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json b/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json index f338accfcd..e5c5aac4f4 100644 --- a/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json +++ b/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03ce52d9-199a-47ae-9537-251e2d9282d5", + "id": "bundle--7e4aaa24-8b2e-4db9-aefc-ecf4d89c2613", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1.json b/mobile-attack/relationship/relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1.json new file mode 100644 index 0000000000..4bf9057115 --- /dev/null +++ b/mobile-attack/relationship/relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--ec52ea37-e6d5-4978-9b43-a38b16648f02",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--0803b497-5064-4b7b-9db9-4e9c37b0b8c1",
+ "created": "2025-09-18T14:44:25.729Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:44:25.729Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json b/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json
index fe749f64ae..7bb77f46ea 100644
--- a/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json
+++ b/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6576d13b-b480-4d39-94fc-ec55f418aeec",
+ "id": "bundle--88a7a169-2e08-41cc-bcf8-cdf5bba4c377",
 "spec_version": "2.0",
 "objects": [
 {
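Review bot: The added `description` in relationship--0803b497 leads with concealment ("has concealed itself behind variants of a phone number spoofing application") and mentions link-based distribution only in a relative clause. Its `target_ref` is attack-pattern--defc1257, the same technique for which this diff deletes relationship--05c36a8c, a detection note about URL inspection of visited domains. If link delivery is what ties RatMilad to that technique, lead with it, e.g. `has been distributed through links on social media and communication platforms, posing as variants of a phone number spoofing application`. As written, the sentence reads like a masquerading observation, and consumers who read only the text may file it under the wrong technique.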
diff --git a/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json b/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json index 880e3c1697..6c5e9481c9 100644 --- a/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json +++ b/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e24a98f-aa03-4849-b440-5333c97961e2", + "id": "bundle--fe2dc366-49c6-4372-878a-bd6b5b9ec141", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json b/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json index c3c8171c82..1177cf60c1 100644 --- a/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json +++ b/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4f345b9-8d48-444a-a600-95a40b0ffd89", + "id": "bundle--b788478d-f419-4096-b6b7-7c02aff5eed4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json b/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json deleted file mode 100644 index de42f1d3ec..0000000000 --- a/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--74c54148-8e86-4b5c-9e5a-dcf9b56543d6", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", - "created": "2023-03-20T18:58:33.787Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:48.746Z", - "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json b/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json index 04a65f222e..2bc53f3c95 100644 --- a/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json +++ b/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--688a02e5-7db3-43c7-940e-360e686fa0f9", + "id": "bundle--95ce9dbb-0bde-40f3-a29e-27ee5dd79a9a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json b/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json index 0c67c5fe69..005755a296 100644 
--- a/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json +++ b/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--68df3c63-e054-44f9-bdd9-fcc8fe67949d", + "id": "bundle--b30e718f-69b6-4ba5-ae29-c67eb590cfd0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json b/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json index 418d1f2395..a9b666ead9 100644 --- a/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json +++ b/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf9014d9-1545-468e-8b8b-35364517241b", + "id": "bundle--8a71f30d-f580-49e2-ac66-61bee0d875b4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json b/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json index 2fca6e6503..3eaaf6d05a 100644 --- a/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json +++ b/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06f235c6-e9dc-4e8a-987a-ddd5a52c93b8", + "id": "bundle--352c5f8f-e58c-48b6-a1d6-639db62400e5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json b/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json index cfbffcaea8..0dc5a6cacc 100644 --- a/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json +++ b/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfdc5602-1dc7-48e0-858d-c8d6ea88cd98", + "id": "bundle--fd329cd7-3657-4280-add2-00bdd9ed8979", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json b/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json index b6e1983f40..78f927589f 100644 --- a/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json +++ b/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d3ba15e2-de2e-495d-8ace-30c98eccfd6b", + "id": "bundle--62daefdb-5ed7-4123-92ad-c68ba3ab7812", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json b/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json index 070b8c7c05..7549a64e3e 100644 --- a/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json +++ b/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84afc8f2-c50e-464e-985a-5e8ae62a0e2f", + "id": "bundle--3df79fe5-d40d-4d98-8c73-7afd91da4d78", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json b/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json index 019d13f0f3..56a1ee8ae5 100644 --- a/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json +++ b/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37e678b9-df32-426f-9d40-51ca29ec2830", + "id": "bundle--345274ec-d69a-45e7-a14b-2fd59d94db23", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json b/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json index 2faff0ef6e..b9f8b661aa 100644 --- a/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json +++ b/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2718a00-de2c-4a7c-a41c-7ead107867fc", + "id": "bundle--48949a92-1f97-4b89-a8b9-bd09636b3a49", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json b/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json index 355af3d50a..1994c03118 100644 --- a/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json +++ b/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc3ff720-bf98-43b3-a290-366e761b9f42", + "id": "bundle--4dff9b89-a93e-4842-b150-303f0145c5c5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json b/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json index 3c63939976..32ed8fdab1 100644 --- a/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json +++ b/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc3f2b2d-d39e-4eac-a699-4f3054cdf134", + "id": "bundle--28b5758a-a1d7-4f4d-aeed-023a464ae719", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json b/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json index 5f758ac91f..f60785cd30 100644 
--- a/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json +++ b/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c329e1de-3b5c-4562-b3bd-f5eb8f0fe67f", + "id": "bundle--3a84ad3b-ccfd-418c-b308-554bc10372d1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json b/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json deleted file mode 100644 index 072ad1a609..0000000000 --- a/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--5fefddaf-b362-499c-8a59-f5ad7c5f9b34", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", - "created": "2023-03-16T18:32:47.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:51.523Z", - "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json b/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json index 271bd840e9..f4adab6f22 100644 --- a/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json +++ b/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--109c5d08-e914-41ea-b2c1-0ac206679616", + "id": "bundle--7fd06ec4-a8c9-414b-ba36-2f43a137c5d7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json b/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json index 4c15066f8b..eb86f53bdb 100644 --- a/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json +++ b/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46172597-f7a8-4f91-946a-953a0f2c4014", + "id": "bundle--bd207469-3aaf-46ac-84c5-f28b34d7c7e4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json b/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json index ad7c2fc9fd..6bd873d130 100644 --- a/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json +++ b/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b1569c6-88b4-4d29-b4f5-95142096b093", + "id": "bundle--66f6f27b-429d-4c0a-8db7-ec1129d86369", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json b/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json index b938927b68..ca42d699d5 100644 
--- a/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json +++ b/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63d83ab5-477b-40d6-892a-6de04808ca80", + "id": "bundle--4a1921af-4867-4602-9148-c8bda6554a82", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json b/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json index 615941b13f..27ef638234 100644 --- a/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json +++ b/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70710532-7418-4b6c-af20-ab1f1853a636", + "id": "bundle--80d13e29-a726-4747-96f5-3c373c5857e5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0ac51c46-97a5-4893-a98d-2dfab8178768.json b/mobile-attack/relationship/relationship--0ac51c46-97a5-4893-a98d-2dfab8178768.json new file mode 100644 index 0000000000..3b34eb9c7a --- /dev/null +++ b/mobile-attack/relationship/relationship--0ac51c46-97a5-4893-a98d-2dfab8178768.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9626966a-a35a-40c1-b4bd-16b8c027f226", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0ac51c46-97a5-4893-a98d-2dfab8178768", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json b/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json index 6bad0ad50f..3e1271b033 100644 --- a/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json +++ b/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1d3d1ef-3eb3-4b80-a791-d389fdd90110", + "id": "bundle--d796347f-37e2-4c69-8dc6-e41fef9c236c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json b/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json index d023400cd6..227df64dc9 100644 --- a/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json +++ b/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json 
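Review bot: The new `detects` relationship relationship--0ac51c46-97a5-4893-a98d-2dfab8178768 is added with `"description": ""`, so the object itself carries no detection guidance and a consumer has to resolve the `x-mitre-detection-strategy` in `source_ref` to get any. The same applies to relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971 further down, where the hunk (shown as a 51% rename) replaces the earlier sentence about mobile security products checking for rooted or jailbroken devices with an empty string. If the text is now meant to live only on the detection strategy object, omitting the `description` key would be clearer than an empty value that tools may render as a blank detection entry. Both objects also leave out `"revoked": false,`, which the new `uses` relationships in this commit include; adding `"revoked": false,` after `created_by_ref` would keep the shape uniform for parsers that do not default the field.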
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbccb5e5-8bfe-4383-b102-67b7f31cbad6", + "id": "bundle--4c73f211-56d1-4d91-8163-3d5eb5f15442", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0b1c0282-8190-465a-9944-0874e3ee65f6.json b/mobile-attack/relationship/relationship--0b1c0282-8190-465a-9944-0874e3ee65f6.json new file mode 100644 index 0000000000..4f0f8b4a73 --- /dev/null +++ b/mobile-attack/relationship/relationship--0b1c0282-8190-465a-9944-0874e3ee65f6.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6baaa35f-cec6-4a4c-a2d8-5c8d7edfdae0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b1c0282-8190-465a-9944-0874e3ee65f6", + "created": "2025-09-18T14:40:36.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:36.756Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s contact list.(Citation: ZimperiumGupta_RatMilad_Oct2022)", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json b/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json index aa083e4114..d6b8039db8 100644 --- a/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json +++ b/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40d1eff3-2a9f-46ef-8d97-2511b9e7686e", + "id": "bundle--b540574f-b9df-41ea-80d5-2c05a082494d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json b/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json index c360030911..b4e804d55a 100644 --- a/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json +++ b/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cb29a8b-1099-44bc-91d2-a3e3f9929cd8", + "id": "bundle--eb65edbf-f383-4026-b991-751ea3eaf081", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json b/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json deleted file mode 100644 index 5e008cba9c..0000000000 --- a/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--9e825e5c-801f-4ea5-9cfd-afc56b29e2c2", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", - "created": "2023-03-20T15:28:54.837Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:53.668Z", - "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json b/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json index c085def119..032e4a044a 100644 --- a/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json +++ b/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cb2a9f7-085e-498e-878e-c4b808062365", + "id": "bundle--bd94beb8-b5e7-4625-b9c3-f79674ec9c45", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json b/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json index ae8e0484de..a13bbdea3a 100644 --- a/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json +++ b/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a185e4ad-0603-4b2a-80bf-5a5345f295a3", + "id": "bundle--c0fe2af6-6281-4bb9-bcb2-3f9b09df99aa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json b/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json index 8a9400ff5f..1397214d96 100644 --- a/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json +++ b/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2beaad80-0711-4ae2-8d04-aeebafdda9d7", + "id": "bundle--feaa58fb-1e6e-4717-a146-eb15a8a7ed2e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json b/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json index 2e8f8d4c23..bf35f09cf8 100644 --- a/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json +++ b/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e578cc11-9624-4f37-989f-9696d539b1c4", + "id": "bundle--2c006a71-dfd5-436e-b0ea-17448edc4aca", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json b/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json index 1b4c4a1c83..374c00d4bd 100644 
--- a/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json +++ b/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4dd69422-1024-4353-9fa2-8a5480b2cef6", + "id": "bundle--ec98283a-8e1d-4c08-a836-7c04fdb9e804", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json b/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json deleted file mode 100644 index f9ad6141b6..0000000000 --- a/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--44159873-16d6-4f58-a79e-7bc1cd271b3e", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad", - "created": "2023-03-20T18:55:03.385Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:54.960Z", - "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json b/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json index ebcbad1fd2..391112b1a7 100644 --- a/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json +++ b/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a96e0fc-9214-4509-9350-0d614dcb9857", + "id": "bundle--461d2ce4-311d-4f5c-9087-b5b074084aa7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json b/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json index de8976f2ce..a8efe47d9d 100644 --- a/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json +++ b/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b1d93e6-94eb-43f4-8d90-f3a802475f92", + "id": "bundle--aaedd13a-a239-488f-bcde-e59b2c295489", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json b/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json index c0656c3412..76a11e69a2 100644 --- a/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json +++ b/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bc4ebeb-30d8-450d-ad32-ce1d9f345e01", + "id": "bundle--3dcbc2de-e51a-47a0-b515-5afb3ee8b9bb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json b/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json index 9fb87a63d2..25f2e02161 100644 
--- a/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json +++ b/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4385939-f4ce-4043-8124-3c535d44624b", + "id": "bundle--fd9c96f8-ac86-4003-9c1d-9f280515aecb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json b/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json index 35277ccc69..289e8f195c 100644 --- a/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json +++ b/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97acdbf1-2525-4c74-886a-10e53a68dc1e", + "id": "bundle--81bfa444-4f20-4446-a390-0de3f32911ba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json b/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json index 2d6665595a..23eede4996 100644 --- a/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json +++ b/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e0a78bf-db75-470a-bcf9-7002827eb9ec", + "id": "bundle--21d6077d-37bf-42aa-bf14-bac167e52ba1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json b/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json index 5e5969b944..960bbb6e68 100644 --- a/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json +++ b/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc8902f1-a985-4edc-b1e5-9b07e1d26186", + "id": "bundle--86bff900-6706-49e1-b291-be797baaa294", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json b/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json index aaccc7095e..7f2650cc56 100644 --- a/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json +++ b/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d60be79-1fee-4690-898e-9496213150c0", + "id": "bundle--cccfe904-219b-4fda-890f-c743b781cfa8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json b/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json index 12fd37ca86..f2af8852ca 100644 --- a/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json +++ b/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2a71204-9b82-4b23-809a-77461d988370", + "id": "bundle--22addb55-f26f-44f1-8694-f6d9f9318038", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json b/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json index 253735e583..88da6a8b01 100644 --- a/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json +++ b/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce15d73e-3225-4843-a7a8-be102def577f", + "id": "bundle--98f0ae86-683e-4d7a-a393-162430e34f3f", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json b/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json index 6ddc5ad4cf..7d9dea224f 100644 --- a/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json +++ b/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd7918db-e006-4e1c-874d-c2314151500e", + "id": "bundle--8e4cc02d-9385-4be8-b53a-b5e411435b6e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json b/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json deleted file mode 100644 index 32367927ab..0000000000 --- a/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--1348ca55-3faf-4d04-8e2c-64ee0aa6c43b", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b", - "created": "2023-03-20T18:41:56.287Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:46:57.583Z", - "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json b/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json index e61e75d5e3..9da0545203 100644 --- a/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json +++ b/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f412abdb-49d5-4eee-b6c1-9ff49601b9c1", + "id": "bundle--5f043891-4154-4d69-86ca-a5eb8e432021", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json b/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json index ab44a22476..90523bde00 100644 --- a/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json +++ b/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00c1a6f0-65ed-4429-862c-7caeddc124e1", + "id": "bundle--b8aa5ed4-2c9c-4317-9166-0369b754981f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json b/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json index 03ed6e3ecb..0d6a4ae0d5 100644 --- a/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json +++ b/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f839798c-47d4-4b01-81b3-62720519068b", + "id": "bundle--34ab7195-ba4f-4d4d-9b98-9cfce4b789ec", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json b/mobile-attack/relationship/relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971.json similarity index 51% rename from mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json rename to mobile-attack/relationship/relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971.json index d3cc969998..765c307ea5 100644 --- a/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json +++ b/mobile-attack/relationship/relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--08705638-cda8-415b-975f-239cf2cbd1b2", + "id": "bundle--3f6e8745-c015-4912-b228-3330790edfc0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", - "created": "2023-03-20T18:49:53.204Z", + "id": "relationship--0d7b3afd-51af-410c-8859-1fbe70e2e971", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:46:39.649Z", - "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "source_ref": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json b/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json index 57aa785466..4ff2d93dec 100644 --- a/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json +++ b/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61764f3f-7c67-4f8f-8190-b764f5b6e9ee", + "id": "bundle--c11fd624-75f5-42ea-a7a6-9ba01abf55b7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json b/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json index 30d63c38cb..dbf37686bc 100644 --- a/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json +++ b/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d290d007-2aad-45b3-8465-b2b670bc5c5d", + "id": "bundle--5bac9cac-aaba-4cd9-903d-aa657d77e881", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json b/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json index 0574725490..4c23fd7186 100644 --- a/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json +++ b/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c12307a-5216-4ff2-85bd-8b6e08ef96e0", + "id": "bundle--8f22567c-e65d-4b9c-9c68-258983259234", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json b/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json index b837f612d3..777d24fb53 100644 
--- a/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json +++ b/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee3a7d59-a9f4-456c-b8b3-007e3320f673", + "id": "bundle--e66b89e4-ec9f-40f8-a199-95b28d2a494f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json b/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json index 5680aa723b..93360890dc 100644 --- a/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json +++ b/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e052843-b7df-43a6-8c07-c138176c387a", + "id": "bundle--6935cfad-bf53-421b-a1f4-b0c24b577cb6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json b/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json index 047c43587d..854814c3f6 100644 --- a/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json +++ b/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4819b4dc-9f0e-4dff-966c-95a4c416b90d", + "id": "bundle--b6e04cb5-c26c-4b8d-adcb-79a65fd5bd43", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json b/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json index e6b3dbfc4d..c66c03c2e7 100644 --- a/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json +++ b/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2e9bb7f-196d-4fc3-8c32-3aef550413f6", + "id": "bundle--de1f6961-21bd-48ad-9b89-5d6793288103", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json b/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json index 53cf9603ac..9f97094b8b 100644 --- a/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json +++ b/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abc961b9-0004-49f6-9524-6a458bfd7f2c", + "id": "bundle--d1a1813a-8cbd-402b-b1a7-667506a0598b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json b/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json index 68d869a84b..d0e94ffe52 100644 --- a/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json +++ b/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee0df286-076d-4a0e-920b-89ee19312bd2", + "id": "bundle--8c24486e-c28f-4d3f-8a0e-063b80233cb3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json b/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json index 4b0fc50c63..9528b631fe 100644 --- a/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json +++ b/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ef90512-5925-4272-a8f6-9aac0a2d3add", + "id": "bundle--73ddaa9f-d7f6-4f64-9409-38e21a07d958", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json b/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json index b61341f635..dbcf5eab79 100644 --- a/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json +++ b/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86f85cd8-034f-49c1-a21c-6a066da6f284", + "id": "bundle--dc543193-406d-405a-a129-322fbde905eb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json b/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json index f2be26f5c6..8fb9ba17ad 100644 --- a/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json +++ b/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ac4c970-3fe0-405e-8779-7855e51d400e", + "id": "bundle--0319e1db-bcc8-443e-a94f-464430880e21", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1016d630-94c2-4826-8612-cb1beac51512.json b/mobile-attack/relationship/relationship--1016d630-94c2-4826-8612-cb1beac51512.json new file mode 100644 index 0000000000..01f3d20baa --- /dev/null +++ b/mobile-attack/relationship/relationship--1016d630-94c2-4826-8612-cb1beac51512.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--b12d2036-b0cc-4123-a42e-0098a651b586", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1016d630-94c2-4826-8612-cb1beac51512", + "created": "2025-09-18T14:44:08.887Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:44:08.887Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used HTTP POST requests for communicating with its C2 server.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json b/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json index 4b8ed9b6ce..6f1017b4c4 100644 --- a/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json +++ b/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--236070c7-6c3e-42ba-a994-e568761be1c2", + "id": "bundle--da083f1e-4202-40af-a2cd-759349d08eaf", "spec_version": "2.0", "objects": [ { 
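Review bot: The `description` string added for relationship--1016d630-94c2-4826-8612-cb1beac51512 ends with a space after the citation (`...Oct2022) "`), unlike the other new RatMilad relationship in this commit, relationship--0b1c0282-8190-465a-9944-0874e3ee65f6. Ending it at `(Citation: ZimperiumGupta_RatMilad_Oct2022)"` avoids spurious differences for consumers that compare or hash description text.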
diff --git a/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json b/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json index f2d8877fd2..5a783226f6 100644 --- a/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json +++ b/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36b740d0-fcf7-4761-bfcb-c5b3038dd0c3", + "id": "bundle--2f74e6f9-4568-4f96-8465-fbe5174a17ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json b/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json index 6bada93001..f49165740a 100644 --- a/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json +++ b/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18cf5198-a9a5-43ea-9f09-4877975ea7f8", + "id": "bundle--d4e959ff-2712-47ce-8c41-578f07380dcc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json b/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json index 6006003559..3d02883da7 100644 --- a/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json +++ b/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eecb01cf-6349-40ef-865d-0efcf4d3a3a8", + "id": "bundle--05def5c4-d3fe-4af9-a72d-d1f8315a2bf7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json b/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json index c6b0e9779f..8e536f938e 100644 
--- a/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json +++ b/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa8d1047-7c04-4b46-8fe9-b4f9827c803d", + "id": "bundle--cd89110c-896c-489d-bda2-f9a45f109c72", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json b/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json index 9cc913b496..cd6720a210 100644 --- a/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json +++ b/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fbbaba1a-623b-404d-8cb4-6b7f3a8c11f9", + "id": "bundle--e4a038b5-75f4-4439-8099-d41b34bbd209", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json b/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json index b9cabdb6e6..ebd06b9b2e 100644 --- a/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json +++ b/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e40f4b12-e38d-40dc-9ce9-29aa72378062", + "id": "bundle--3810eafd-101b-42b9-b14d-e7652382263e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json b/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json index 5d4d2a34d1..c5a1326575 100644 --- a/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json +++ b/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38107f84-a836-42f5-bb6e-e42ded46caee", + "id": "bundle--a8743c44-dc5d-4cb0-8362-821ed46262df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json b/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json index b5384b5951..bca08517e7 100644 --- a/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json +++ b/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd2e3bca-e114-457f-a5cf-8128986ef131", + "id": "bundle--b433df70-39b9-452d-a122-3be9c091c12d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json b/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json index 25bc762116..cc0b33c3be 100644 --- a/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json +++ b/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2240667-60f6-4885-b9a5-d061779c0ea4", + "id": "bundle--5db44d77-13d4-4190-b362-7f6ef12bf39a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json b/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json index cabce2e5f1..86050cec98 100644 --- a/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json +++ b/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca20b3ef-4783-4c9e-ae8e-e786a48a0246", + "id": "bundle--121319f8-d2c9-470f-b235-038bd4c4dddd", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json b/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json index 8ab223bd12..a00e0cb593 100644 --- a/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json +++ b/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11ec8946-aa8a-4a5f-9d24-dc108a613039", + "id": "bundle--d74519b3-a124-4271-9ab4-84cc2ce448dc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12006533-e26f-4168-9b1f-7fb3073a9938.json b/mobile-attack/relationship/relationship--12006533-e26f-4168-9b1f-7fb3073a9938.json new file mode 100644 index 0000000000..aa7867db25 --- /dev/null +++ b/mobile-attack/relationship/relationship--12006533-e26f-4168-9b1f-7fb3073a9938.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e2d0bc77-bd99-4ec9-864d-31655d301f8f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--12006533-e26f-4168-9b1f-7fb3073a9938", + "created": "2025-09-18T14:41:37.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:41:37.428Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected clipboard content.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json b/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json index 686351ab59..6de915454e 100644 --- a/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json +++ b/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02e1412d-a746-41eb-aea6-22a5e281a25e", + "id": "bundle--dfc3561c-3842-45b3-92b0-634763ee42b4", "spec_version": "2.0", "objects": [ { 
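Review bot: The `description` string in the added relationship--12006533 object ends with a stray space after the citation marker, `(Citation: ZimperiumGupta_RatMilad_Oct2022) "`. The same trailing space appears in the added GodFather (relationship--12e68fcd) and CherryBlos (relationship--137ec7b1) descriptions further down. Consumers that diff, hash or de-duplicate description text between releases will see a later trimmed value as a content change. I would close the string directly after the parenthesis, `(Citation: ZimperiumGupta_RatMilad_Oct2022)"`.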
diff --git a/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json b/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json index 78644bc143..8f777f7311 100644 --- a/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json +++ b/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--420d440b-b7b5-499c-9df9-87225fc308ca", + "id": "bundle--99969ebb-63a9-4847-b3b4-2d11dc01daf4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json b/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json index a33775fe7c..1b203fbcb9 100644 --- a/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json +++ b/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--308d96b5-e6fa-4894-ad65-c017fb0fedab", + "id": "bundle--ba8980eb-f799-4325-87f3-c108c9c1536d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137.json b/mobile-attack/relationship/relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137.json new file mode 100644 index 0000000000..a3c2b1fc77 --- /dev/null +++ b/mobile-attack/relationship/relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--df84b5d8-88ce-4d00-b253-0c7d21412d6b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1245bef0-5468-4e1e-9a7e-61d4019c9137", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json b/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json index 2e3aeb06d6..63dfc39c0c 100644 --- a/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json +++ b/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b548369-dede-4e0d-b3b5-c07f36e62c6f", + "id": "bundle--b138bd69-d796-4a74-bd6d-9dd7ea746f7f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json b/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json index 3cb67ebdfa..d679d93632 100644 --- a/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json +++ b/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json 
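Review bot: The added relationship--1245bef0 object is written with `"description": ""`, so this `detects` edge to an `x-mitre-detection-strategy` object tells an analyst nothing about what is detected or how. The rewritten `detects` objects relationship--136edce9, relationship--140bf67b, relationship--146159d0 and relationship--15059ed8 later in this diff do the same and drop the sentence their predecessors carried. The guidance presumably now lives on the detection-strategy object, which is not visible here, but tooling that renders relationship descriptions will show blanks. I would either omit the key or keep a one-line pointer (constructed example: `"description": "See the linked detection strategy."`). These objects also omit `revoked` while the other relationships added in this commit set `"revoked": false`.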
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8de3b6c-41ce-4857-bd97-7111900055ba", + "id": "bundle--d5b650fd-f5a5-4244-9b66-59994e039fb9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json b/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json index 88979f6db8..8fc7d69266 100644 --- a/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json +++ b/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a044ee5f-e494-4514-af92-52c8c9809443", + "id": "bundle--b0343ebd-0616-4dd1-a311-414ed5fd3043", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json b/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json index 99243e4fb0..3739ef1145 100644 --- a/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json +++ b/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c77e9d1-52a9-48dd-9188-b1e1fec913d1", + "id": "bundle--fd54e710-05a9-4e5b-9894-7058e4e84b66", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json b/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json deleted file mode 100644 index 2e72c4d462..0000000000 --- a/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b7b4721a-dacf-46c5-8759-1491e6543d11", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--12852406-87df-4892-a177-e15e81739000", - "created": "2023-03-20T18:50:14.139Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:05.058Z", - "description": "Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json b/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json index b428270e77..1956ec136f 100644 --- a/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json +++ b/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63e67402-7da4-4ea1-8354-eafddadb15d2", + "id": "bundle--1599f89b-1992-4c6c-bc4d-8558a4b1c91a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json b/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json index 4626359d98..efcf50f7d7 100644 --- a/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json +++ b/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b501beb-43b6-401e-b04c-186edba7f3c9", + "id": "bundle--860018e1-c800-4b3f-9ff5-2da5635c9341", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json b/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json index 614cb8c70a..fbb21fc2c3 100644 --- a/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json +++ b/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--acbbd6b4-d715-42e8-a0ad-0f9b0617057a", + "id": "bundle--35c0f65f-e040-4ff2-a4a3-eb2860ad9fc7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json b/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json index 809a9b8fec..0217fb4bbc 100644 --- a/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json +++ b/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b271bb77-f364-44c8-ba63-789b04cd3bce", + "id": "bundle--2d378358-0e77-4656-92e1-62825d986dfc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1.json b/mobile-attack/relationship/relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1.json new file mode 100644 index 0000000000..caecef10f3 --- /dev/null +++ b/mobile-attack/relationship/relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--c17f4af7-375e-41ee-8c9c-dc9f85cf7ab9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--12e68fcd-83d4-43a7-bf89-a2550ecfbed1", + "created": "2025-08-29T21:57:41.933Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:57:41.933Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json b/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json index 21091d544d..6ecf79a829 100644 --- a/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json +++ b/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json 
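Review bot: The citation text in the added relationship--12e68fcd object runs the two authors together with no separator after the first, `Ortega, F. Pratapagiri, V. (2025, June 18).` Anyone matching this reference by author, or parsing citations automatically, will read it as a single malformed name. I would write it as `Ortega, F. and Pratapagiri, V. (2025, June 18).` or whichever multi-author form the rest of the dataset uses. It is also worth confirming the link resolves, since the slug reads `the-dark-side-of-the-virtualization` while the title is "The Dark Side of Virtualization".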
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f87a824-46c7-473c-b622-a7e05bc4d05d", + "id": "bundle--64e15f73-ed6c-4436-89f1-b11c5c27fb02", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json b/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json index 2e31cd7ea8..ab5f6f3ba0 100644 --- a/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json +++ b/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7accc343-774a-4238-98a6-1851a500af71", + "id": "bundle--85f5647c-dd37-4f11-81b2-b73c5e8e54a8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json b/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json index e22ff8ba14..bea2834ad1 100644 --- a/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json +++ b/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c55e505-e72e-4060-8e08-32b6c98b4b7f", + "id": "bundle--e75c8844-1830-4fe1-b5f8-4bb73bd0d2b4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json b/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json index ff9cf62ca9..21de62dc67 100644 --- a/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json +++ b/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6ed5cec-6294-4d61-94f2-2eba406bf58c", + "id": "bundle--d11bbf41-3e0b-444b-a86f-f48ffb64a745", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json b/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json index b201bb1186..6aa662b4c3 100644 --- a/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json +++ b/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd7d923f-f22c-4a16-975d-bb3b6e0ba392", + "id": "bundle--48090692-41b0-4cc4-b640-af59a826a606", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json b/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json index aaa8502e1b..64fbb3a959 100644 --- a/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json +++ b/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05a08576-20ae-49f4-b5a9-eeaa0b31e30d", + "id": "bundle--f2ad20a0-ae9c-4a6a-a727-4882e37b151d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json b/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json index eef643d875..8703e7598a 100644 --- a/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json +++ b/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f33270b4-ef6f-41bf-8a82-5f525b82cd18", + "id": "bundle--6a573d7b-1c49-4048-9fcf-58bf1a459af0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json b/mobile-attack/relationship/relationship--136edce9-2bf4-4255-8f84-b10cd9aef143.json
similarity index 53%
rename from mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json
rename to mobile-attack/relationship/relationship--136edce9-2bf4-4255-8f84-b10cd9aef143.json
index f490d03e98..bba71b94f1 100644
--- a/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json
+++ b/mobile-attack/relationship/relationship--136edce9-2bf4-4255-8f84-b10cd9aef143.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--7616c39b-2373-4baa-9b8d-5065b7eec472",
+ "id": "bundle--4d98c953-d170-434b-aa4b-3cf344c5e712",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--cf696296-751a-41e5-a9b0-907c7b991b2a",
- "created": "2023-09-22T19:14:54.719Z",
+ "id": "relationship--136edce9-2bf4-4255-8f84-b10cd9aef143",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:44.688Z",
- "description": "Application vetting services may detect API calls for deleting files. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1",
 "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
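Review bot: Although this section is recorded as a rename, the object `id` changes from relationship--cf696296 to relationship--136edce9 and `created` is reset, so the old relationship vanishes rather than being updated in place. A consumer that syncs by STIX id gets no signal that the data-component `detects` edge was retired and may keep serving the stale object. If the project keeps tombstones for relationships (not visible in this diff), leaving the old object in place with `"x_mitre_deprecated": true` or `"revoked": true` would make the retirement explicit. The same applies to the 66fb8a34 → 140bf67b, c89d6493 → 146159d0 and 592331d2 → 15059ed8 sections below.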
diff --git a/mobile-attack/relationship/relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1.json b/mobile-attack/relationship/relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1.json
new file mode 100644
index 0000000000..6184115a7f
--- /dev/null
+++ b/mobile-attack/relationship/relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--c34f0a57-b76c-4491-9cfe-ebba54c7bd58",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--137ec7b1-8f78-4b03-8dec-f445800d36c1",
+ "created": "2025-06-25T15:37:16.563Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-25T15:37:16.564Z",
+ "description": "After accessibility permissions are granted, [CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json b/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json index 4e0492a5cc..b975fdc6e0 100644 --- a/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json +++ b/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc45016c-5b79-4971-b77d-774617420457", + "id": "bundle--cbe9843b-d51d-4fce-9b11-755b470676de", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json b/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json index c7429e3c3e..7f8e0d007d 100644 --- a/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json +++ b/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb88977c-52b7-4039-89ff-cb2a496059e3", + "id": "bundle--ecd6cfbc-62d8-406c-af7d-904f0580a6b8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json b/mobile-attack/relationship/relationship--140bf67b-4650-44ab-a182-3abf6de1245d.json similarity index 52% rename from mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json rename to mobile-attack/relationship/relationship--140bf67b-4650-44ab-a182-3abf6de1245d.json index 3df6f4cf72..0a3a363765 100644 --- a/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json +++ b/mobile-attack/relationship/relationship--140bf67b-4650-44ab-a182-3abf6de1245d.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--68003ed0-0c19-42b8-90c4-714aa3f0682a", + "id": "bundle--357e5e7e-4dce-4568-85da-dd0d9da1856d", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--66fb8a34-9d48-4599-a56e-19b057380030", - "created": "2023-03-20T18:46:08.304Z", + "id": "relationship--140bf67b-4650-44ab-a182-3abf6de1245d", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:11.315Z", - "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "source_ref": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json b/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json index 02bb7200ae..fadcf3cc7f 100644 --- a/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json +++ b/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f4a4874-4119-4a4a-bebe-ff45eff8e842", + "id": "bundle--0bf42991-3f4e-4c6f-9ef8-4a2adf41b43b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json b/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json index 7d62032e93..8f69c1ddd9 100644 --- a/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json +++ b/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--414f0bbf-5cc3-499d-893c-09eabb4ae66f", + "id": "bundle--88d39111-4a32-4b73-b6be-9d5aca8982fe", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json b/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json index 7b793893c9..b70d33c308 100644 --- a/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json +++ b/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3887467a-3cc8-40d9-91cb-b6ccf13af842", + "id": "bundle--48af0e70-02a4-42b7-9cbe-0b91e4a2afd3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json b/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json index 3dd525157f..d11512ee51 100644 --- a/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json +++ b/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d67a8ac-f9b6-4585-8fa5-0cc1d30feeb1", + "id": "bundle--4f30508c-17c5-4e0d-850e-5768764a2726", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json b/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json index fe60c6e8b6..b0b8b0ee42 100644 
--- a/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json +++ b/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a88185c-000d-4360-b0b5-ed396e49a906", + "id": "bundle--0f0b4a77-485e-44a8-956f-51c5f66a9ab0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json b/mobile-attack/relationship/relationship--146159d0-e1cb-4260-995b-d5daad26455a.json similarity index 50% rename from mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json rename to mobile-attack/relationship/relationship--146159d0-e1cb-4260-995b-d5daad26455a.json index 558e44003b..d52944aed3 100644 --- a/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json +++ b/mobile-attack/relationship/relationship--146159d0-e1cb-4260-995b-d5daad26455a.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--028c6a46-f246-4361-85ad-066e4600222f", + "id": "bundle--bab9632d-71c5-4c70-9019-2a3a380cf36a", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c89d6493-3f33-4568-ac77-ba13b206ae69", - "created": "2023-03-20T18:52:24.667Z", + "id": "relationship--146159d0-e1cb-4260-995b-d5daad26455a", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:31.823Z", - "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json b/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json index 3562035cfb..ce1ad89d93 100644 --- a/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json +++ b/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--424e866b-ad51-466d-a24b-849c29519e37", + "id": "bundle--7ef8ca71-4ed0-493a-9ade-e9147f5a91f0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json b/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json index 564e70dc06..0e7e4d29ad 100644 --- a/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json +++ b/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08da3bc9-8bd5-455f-8023-e66e2596d5ab", + "id": "bundle--b37b4538-f997-435f-b570-4008ffc25fbf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json b/mobile-attack/relationship/relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44.json similarity index 54% rename from mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json rename to mobile-attack/relationship/relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44.json index 7439d0c03c..0543509aac 100644 --- a/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json +++ b/mobile-attack/relationship/relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--3c35173b-93cc-453d-93d1-3fce294d97c7", + "id": "bundle--25950fd8-7458-4604-a150-087e25349f29", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--592331d2-60a7-4264-b844-fbeb89b6386c", - "created": "2023-03-20T18:58:56.942Z", + "id": "relationship--15059ed8-f2d1-4e51-8b65-048fd53edf44", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:51.460Z", - "description": "The user can view the default SMS handler in system settings.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json b/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json index 76d0f08236..a76c7a5e2d 100644 --- a/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json +++ b/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a80ee78f-d497-40c7-9ce3-ff8baf705360", + "id": "bundle--ebc86489-ffac-4821-ad9e-10cc7c5c4a68", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json b/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json index ed306c1b96..558855c1e5 100644 --- a/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json +++ b/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e5dc987-e23f-4631-9102-9c41ce271e5a", + "id": "bundle--961f0999-6e09-4e32-82fd-760410a51791", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json b/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json index 9cb69a2623..5100813e7d 100644 --- a/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json +++ b/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aafa30bb-4703-4f2e-84e1-ce309b264f3d", + "id": "bundle--0a3b9b6e-caef-4578-bc7b-1c48676998cd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json b/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json index 2716d4283b..2dba13ce40 100644 --- a/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json +++ b/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f71dd913-f103-472e-9cb4-a230963e1c2a", + "id": "bundle--e99acbe1-7ca9-4ef2-b151-c416a4e864f8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json b/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json index 0e6f28f8a4..8aaa1570b5 100644 
--- a/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json +++ b/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a209a3e-dce7-416c-9c4c-c1187f9e0f92", + "id": "bundle--ae0ae9ee-8750-4aa4-94b2-5876fd00b316", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json b/mobile-attack/relationship/relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1.json similarity index 52% rename from mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json rename to mobile-attack/relationship/relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1.json index 1641da2b07..b996b6ee78 100644 --- a/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json +++ b/mobile-attack/relationship/relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--9e8520bb-5a30-4845-b08d-6f4fa26d04b2", + "id": "bundle--781ce548-e397-4f3e-b83f-19863a9dceaa", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--681161b2-4e30-4d49-8524-6cc0d94585cb", - "created": "2023-03-16T13:33:26.925Z", + "id": "relationship--157d2522-4fb0-4ea7-bed9-f64b3b2809b1", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:12.572Z", - "description": "Many properly configured firewalls may naturally block bidirectional command and control traffic.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "source_ref": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json b/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json index 5e4f3af002..3ee7c4adb5 100644 --- a/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json +++ b/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02417aad-3f89-410d-b3ce-3352f7f45bf5", + "id": "bundle--40f5f6e5-1d24-471f-a3e8-324c68c548d4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json b/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json index 653a536b39..36fd2a09c6 100644 --- a/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json +++ b/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c61bddd4-7859-45e1-9d37-e53c653dbc95", + "id": "bundle--8f3254b8-a935-40ce-83bb-a97537452ecf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json b/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json index 0dea22461f..104907ffe2 100644 --- a/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json +++ b/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7ffdcf5-2811-4098-9341-d3812d5f721a", + "id": "bundle--940a05b9-97ab-45ec-a660-7aa350c3b943", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4.json b/mobile-attack/relationship/relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4.json new file mode 100644 index 0000000000..44c4991ac1 --- /dev/null +++ b/mobile-attack/relationship/relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--b94f2a9a-6527-44ea-91e7-31f16f173f5f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4",
+ "created": "2025-10-22T21:31:22.546Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-22T21:31:22.546Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has captured victims' credentials through predefined fake activities.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json b/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json
index 211eca0485..8b14fb51cd 100644
--- a/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json
+++ b/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json
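Review bot: The added `description` in `relationship--1659ff92-3a84-4cc3-84dc-42dcc8a91dc4` ends with a stray space after the citation marker, `…(Citation: TrendMicro_CherryBlos_July2023) "`, which the other CherryBlos entry added in this diff (`relationship--18c212f3-…`) does not have. I would trim it to `…through predefined fake activities.(Citation: TrendMicro_CherryBlos_July2023)",` so that text comparison or deduplication of relationship descriptions across releases is not thrown off by whitespace alone. The Anubis entry `relationship--183edec4-…` added later in the diff has the same trailing space.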
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b37d4460-5ab5-4807-aaf9-7d94e1dc78ef", + "id": "bundle--b9c61999-1a54-4c42-bde2-ab461cd80ef5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json b/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json index 37ee99ea84..5d1803f549 100644 --- a/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json +++ b/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2f39d88-1b3b-4a64-8cad-1ba7cc37b515", + "id": "bundle--97ee5185-3d05-4050-a25a-acac0b76f785", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json b/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json index ee4d82387e..8561744e02 100644 --- a/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json +++ b/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6668e026-f31c-489a-8fc0-2b7485f93465", + "id": "bundle--8d67fcb7-c12b-4b15-b80d-08d9ce83b54d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json b/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json index 0dc2cffbb0..5d1b1206e9 100644 --- a/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json +++ b/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d22f8b0-1227-4868-9057-f37ea8aced15", + "id": "bundle--095a94e0-abc4-4488-b923-ca1e368cec39", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json b/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json index 35d499f717..ecd8ab3015 100644 --- a/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json +++ b/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3daf28a-1d2a-447c-bf49-079ff1d4ec8d", + "id": "bundle--83cb1197-2ed6-4c3b-a616-d09462ac225a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json b/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json index a59b9641a3..39bacfbd00 100644 --- a/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json +++ b/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--229acb0c-c454-40fb-aee1-789495638f89", + "id": "bundle--6256a703-5a97-4b41-85c2-65630a8895c4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json b/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json index 6598278d82..9f9a88f1b5 100644 --- a/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json +++ b/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b87d134-c18d-4a29-a0fb-aa907158f90d", + "id": "bundle--437baf21-9f1f-4a48-bea3-c4368ec524df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json b/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json index 621ccd21e0..b656eb65de 100644 
--- a/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json +++ b/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f51031e-18b8-42e0-934e-72901fdbeb18", + "id": "bundle--5c6fe7b3-02c9-4307-b509-f2c9bfb7f670", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json b/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json index 6b5ed2b054..258d0ecfbc 100644 --- a/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json +++ b/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49bf9409-3e70-40b4-9e8b-2ecb07c88845", + "id": "bundle--8b177c66-b785-41e5-8e6b-d15767eb0c29", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json b/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json index f2a684bdda..55d90439e8 100644 --- a/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json +++ b/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b317300f-9ffb-4156-9685-17d0bd9fb708", + "id": "bundle--a0ae154c-4740-4b2c-9b4c-b859a56b467f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json b/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json index 035e87d5f5..a53a1b7632 100644 --- a/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json +++ b/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--498bdddf-8cb8-4443-b54a-fe5c7221c685", + "id": "bundle--ee8fa38c-e679-483a-a80d-9578b7043dcb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--183edec4-71b8-4122-a81b-102256e5db13.json b/mobile-attack/relationship/relationship--183edec4-71b8-4122-a81b-102256e5db13.json new file mode 100644 index 0000000000..fba469d98f --- /dev/null +++ b/mobile-attack/relationship/relationship--183edec4-71b8-4122-a81b-102256e5db13.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--69ae9c0a-c371-47cb-999f-9700e445bdb8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--183edec4-71b8-4122-a81b-102256e5db13", + "created": "2025-06-16T17:28:01.768Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cyble_Anubis_May2021", + "description": "Cyble. (2021, May 2). Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus. Retrieved April 24, 2025.", + "url": "https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-16T17:28:01.768Z", + "description": "After accessibility service is granted, [Anubis](https://attack.mitre.org/software/S0422) lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps and other commands without the victim\u2019s knowledge.(Citation: Cyble_Anubis_May2021) ", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json b/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json index a2ab8eb69b..67bed5fd24 100644 --- a/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json +++ b/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36ef8dec-4ea8-4580-94fc-50edf742bcd7", + "id": "bundle--4710cbd8-dadc-437d-9cbd-3521d25aaae8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json b/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json index e92278205c..662ac9cb89 100644 --- a/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json +++ b/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0daa9fbc-273a-41b5-a80d-0e760f8d80aa", + "id": "bundle--bba0e7b3-a1e0-472b-9524-f69408e30d36", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json b/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json index 887ec52ab5..5efac40fb0 100644 --- a/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json +++ b/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e9e6b70-bcd5-4443-9ef9-dc0df850168f", + "id": "bundle--32282448-b7e9-404c-bcb0-cd387c28dd80", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json b/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json index d0dd5c9e90..d1a1747ef9 100644 --- a/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json +++ b/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cd16be4-c0f1-4e90-9b73-224fca797b60", + "id": "bundle--1a8ea97b-bfa0-4871-9a7f-1f160b2c393d", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json b/mobile-attack/relationship/relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5.json similarity index 52% rename from mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json rename to mobile-attack/relationship/relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5.json index 140b767e07..145cf57994 100644 --- a/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json +++ b/mobile-attack/relationship/relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--953f479e-758e-4af2-8e2f-6b77d6c613eb", + "id": "bundle--9d49a54b-b31e-4f06-a82b-6fcc1f9e41d3", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--370bf74f-7499-4d66-9626-a61926af8f84", - "created": "2023-09-21T22:32:19.683Z", + "id": "relationship--18aae8e4-4bdd-42c2-bde6-88d678d080c5", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:57.068Z", - "description": "Application vetting services may detect when an application requests permissions after an application update.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "source_ref": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json b/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json index 28d917009f..babdf18b31 100644 --- a/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json +++ b/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf2fbbc7-6dca-4f2b-91b9-2ab9ba93622e", + "id": "bundle--4704046f-694d-4d63-b4c7-5b391530d609", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--18c212f3-8c21-427c-9654-ebffbf33fac7.json b/mobile-attack/relationship/relationship--18c212f3-8c21-427c-9654-ebffbf33fac7.json new file mode 100644 index 0000000000..73ca34deac --- /dev/null +++ b/mobile-attack/relationship/relationship--18c212f3-8c21-427c-9654-ebffbf33fac7.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--42c1c5a5-2dbf-4ea0-be0e-994c53b138a3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--18c212f3-8c21-427c-9654-ebffbf33fac7", + "created": "2025-06-25T15:37:37.043Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:37:37.043Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used the Accessibility Service to monitor when a wallet application has launched.(Citation: TrendMicro_CherryBlos_July2023)", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json b/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json index 7948fbee9a..34860cff6e 100644 --- a/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json +++ b/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d787864d-0e70-47d7-8b00-e9823ad7636a", + "id": "bundle--a59ae4d6-1bbf-44a3-b59e-aad7b82ea8b1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json b/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json index c54345ac5f..4dbd869374 100644 --- a/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json +++ b/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71b910a6-0286-4d64-8052-01055c39d45b", + "id": "bundle--4de28f27-43eb-4d21-93bf-99c8b64dd997", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json b/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json index c567b60c78..96c0d5d1fc 100644 --- a/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json +++ b/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9bd02902-a52f-4cbf-b4c5-b7f625d532ba", + "id": "bundle--e577546d-97d3-4e71-9a44-3f9ca60cc4dc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json b/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json index a4ad689d6c..c98d9ec024 100644 --- a/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json +++ b/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b0f0008-07e1-4551-bafc-b69c694ae814", + "id": "bundle--b1999a09-da48-420e-b0b3-30f9520d9a64", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json b/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json index 8647380b63..6a8c6c19c2 100644 --- a/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json +++ b/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a514c49-ad1f-4ef9-818d-248cf844e421", + "id": "bundle--60ff28b2-2429-4f96-ac4a-8e2264e5379a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json b/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json index 0b4e707057..7179f7c2d9 100644 --- a/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json +++ b/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84d691ef-23fc-450c-ad6b-c7011034f1f4", + "id": "bundle--e856cf3b-ad12-44c2-a673-7d7345d0c71f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json b/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json index 5a8848600a..85d8e5d658 100644 --- a/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json +++ b/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dedfa273-d1e8-47fe-a27a-9703e5726e96", + "id": "bundle--102e74aa-7149-4f88-a1ab-b293d0430aeb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json b/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json index bbbabd31d6..9c8b7b2f2e 100644 
--- a/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json +++ b/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db628ca1-ebf5-4cce-93e3-a81d997ce7c9", + "id": "bundle--ddae8006-d8ac-4093-b17c-67dafee94c37", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json b/mobile-attack/relationship/relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae.json similarity index 51% rename from mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json rename to mobile-attack/relationship/relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae.json index 4f1f5dc526..4bba3991ad 100644 --- a/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json +++ b/mobile-attack/relationship/relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--5f3bd00b-8aee-4183-8a84-98e8c7edde64", + "id": "bundle--a1ae2333-e474-40c1-b115-f3871ca636c2", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--dc7ef843-a073-4e23-b717-c505d4863b02", - "created": "2023-03-20T18:53:58.856Z", + "id": "relationship--1a5d49ae-de04-4b05-98d2-73f6afdda0ae", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:02.835Z", - "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "source_ref": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json b/mobile-attack/relationship/relationship--1aa13495-1455-484a-9e9b-92b5d96be32c.json similarity index 53% rename from mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json rename to mobile-attack/relationship/relationship--1aa13495-1455-484a-9e9b-92b5d96be32c.json index 43b24f6dc8..78d9dbb574 100644 --- a/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json +++ b/mobile-attack/relationship/relationship--1aa13495-1455-484a-9e9b-92b5d96be32c.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--21558505-826d-4ed6-b35e-c4ddaca291e8", + "id": "bundle--a8a0ec0b-1a04-434e-aae2-158ca60a81b3", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0", - "created": "2023-08-14T16:33:56.635Z", + "id": "relationship--1aa13495-1455-484a-9e9b-92b5d96be32c", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:21.762Z", - "description": "Many properly configured firewalls may naturally block command and control traffic.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "source_ref": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1aa58b60-1a3d-4e97-918a-4553985488e8.json b/mobile-attack/relationship/relationship--1aa58b60-1a3d-4e97-918a-4553985488e8.json new file mode 100644 index 0000000000..7ccc4489ad --- /dev/null +++ b/mobile-attack/relationship/relationship--1aa58b60-1a3d-4e97-918a-4553985488e8.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--ff56a160-849c-4eed-a9ee-25ec246a7604",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1aa58b60-1a3d-4e97-918a-4553985488e8",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f",
+ "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json b/mobile-attack/relationship/relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876.json
similarity index 53%
rename from mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json
rename to mobile-attack/relationship/relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876.json
index 87b914e605..414da34d13 100644
--- a/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json
+++ b/mobile-attack/relationship/relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--991ce0bc-24f9-44d8-a630-c8ec5f91901d",
+ "id": "bundle--2a803ae2-9ba0-478f-8ef9-f18aef16a8c1",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157",
- "created": "2023-08-23T22:18:21.774Z",
+ "id": "relationship--1b53d214-9667-4dbc-8c82-1bc8d9cf4876",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:58.150Z",
- "description": "Network traffic analysis may reveal processes communicating with malicious domains. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "source_ref": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657",
 "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json b/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json
index 081159dfff..adf63cbcf8 100644
--- a/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json
+++ b/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--30099611-adb0-4bfe-9584-2a55648da22f",
+ "id": "bundle--08e30439-fb80-41c8-b363-f826467d54bb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json b/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json
deleted file mode 100644
index 04c17cc20c..0000000000
--- a/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--9de3c394-ee60-4013-89e2-31821b8487e4",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee",
- "created": "2025-03-14T17:59:16.502Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:47:17.172Z",
- "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
- "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json b/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json
index 9123b31760..038d848867 100644
--- a/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json
+++ b/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9d488d32-a27e-4a0b-ad72-440ec6d1b9bd",
+ "id": "bundle--d802b674-b61b-447b-b14b-f49fdb493744",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json b/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json
index b9b50f9530..6409220064 100644
--- a/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json
+++ b/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6aaf5be7-a39d-4976-a2ee-f1787e26048b",
+ "id": "bundle--6705e04b-2d16-4c82-8858-dc7346310527",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json b/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json
index fdadca4cc6..ffe1ba3108 100644
--- a/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json
+++ b/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9fc643bb-dec6-4148-be88-febed70abfdc",
+ "id": "bundle--85a27d70-5d43-4052-a40a-2cbc8708cfe4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json b/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json
index 88dc8d9299..be7d5b331a 100644
--- a/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json
+++ b/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e554000d-b580-4c66-8468-eea6e092f40f",
+ "id": "bundle--4e6d4e12-ef9d-495c-9eaa-d97e365916aa",
 "spec_version": "2.0",
 "objects": [
 {
@@ -14,19 +14,24 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:18.039Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) ",
+ "modified": "2025-10-08T20:13:22.345Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered cookies and device logs.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json b/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json
index a90d860fdd..a791969d14 100644
--- a/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json
+++ b/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--72da37b1-3caa-48cd-a73d-0d44ded2ae48",
+ "id": "bundle--1d303fad-f83c-4934-9472-98a269e3705f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1c307192-0358-4c0c-920e-0fc2d3e86889.json b/mobile-attack/relationship/relationship--1c307192-0358-4c0c-920e-0fc2d3e86889.json
new file mode 100644
index 0000000000..2a7de89b5e
--- /dev/null
+++ b/mobile-attack/relationship/relationship--1c307192-0358-4c0c-920e-0fc2d3e86889.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--8cc8d1dd-3c3c-4f1e-a5ce-42bb5e6cd359",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1c307192-0358-4c0c-920e-0fc2d3e86889",
+ "created": "2025-10-08T20:21:32.754Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:21:32.754Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
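Review bot: The new `description` in `relationship--1c307192-0358-4c0c-920e-0fc2d3e86889` ends with a stray space after the citation (`...(Citation: ThreatFabric_Chameleon_Dec2023) "`), while the edit to `relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a` in this same commit strips exactly that kind of trailing space. Trim it so the value ends `(Citation: ThreatFabric_Chameleon_Dec2023)"`. The new `relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305` has the same trailing space in its `description`.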
diff --git a/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json b/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json
index a4ead7fb82..f6f7b69e13 100644
--- a/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json
+++ b/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4413f2dc-7ef5-46dd-8fdf-36c6e6b84df6",
+ "id": "bundle--7355385b-5210-4f34-bc49-e41e93c95054",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json b/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json
index 84363c0b7c..2ca317f847 100644
--- a/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json
+++ b/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d32a0e9b-c3d0-4bbe-90ac-2caf952f51e2",
+ "id": "bundle--16b1ffbf-dcf4-4682-b96f-627138ef7726",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json b/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json
index b82b216730..3225de3550 100644
--- a/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json
+++ b/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--50762957-7977-4276-96b4-e3c397055dcf",
+ "id": "bundle--6e3cd7e0-0135-49ce-98f4-6eb2e4b7e114",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json b/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json
index 4a76af1259..4f82ad7bd5 100644
--- a/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json
+++ b/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ae642ec1-a465-471e-a749-2d41771e0572",
+ "id": "bundle--224c72f1-f6d2-448d-8104-3582646e1ef2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json b/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json
index 2008bd56ad..1e0555e84a 100644
--- a/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json
+++ b/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--02743d60-9e47-45ef-849d-86887a5b6197",
+ "id": "bundle--db219c3e-8872-49ba-8dfe-9a571fe1fe6c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd.json b/mobile-attack/relationship/relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd.json
new file mode 100644
index 0000000000..c89e783cd8
--- /dev/null
+++ b/mobile-attack/relationship/relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--e51c81c3-6080-43e1-8da4-dcfc5de300c3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1cf04fb7-17a6-4424-a3f2-93f1b33d19cd",
+ "created": "2025-10-08T20:14:00.607Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:14:00.607Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to control calls.(Citation: ThreatFabric_Chameleon_Dec2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json b/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json
deleted file mode 100644
index 6af0627ccf..0000000000
--- a/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--bd8837d5-725c-4554-a934-2cc8fe4165c7",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b",
- "created": "2023-08-07T22:15:34.550Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:47:19.816Z",
- "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
- "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json b/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json
index e48f999654..8e26a83106 100644
--- a/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json
+++ b/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aebb9213-e9f7-4979-8029-9d0c85e93600",
+ "id": "bundle--85d607cc-f06d-4c72-9c70-7ccd5baed488",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json b/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json
index 7328c581dc..61f7efd006 100644
--- a/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json
+++ b/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a30886d8-4d2c-46d6-ad09-58ae699bcf49",
+ "id": "bundle--b89d2c46-7638-4097-8dd9-9ac4ef20d9f7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json b/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json
index 83935f74a9..d3f4f2faa2 100644
--- a/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json
+++ b/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--76d2171c-631e-482f-9da6-97e312123053",
+ "id": "bundle--3748faba-2187-4019-b0dd-d5195132677b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json b/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json
index 5cebed47df..6ec93684c9 100644
--- a/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json
+++ b/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5421196d-1be8-489f-81c7-de8adaf8527c",
+ "id": "bundle--9e78c00b-2afd-4513-b009-f0c50805b697",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json b/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json
index 1ded2febf5..6fec50728a 100644
--- a/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json
+++ b/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9520b151-e2d1-4f0f-81e9-e678e37e6b54",
+ "id": "bundle--260b67b0-3e77-41b7-81e6-0e58b4b135f6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b.json b/mobile-attack/relationship/relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b.json
new file mode 100644
index 0000000000..2abeaafe09
--- /dev/null
+++ b/mobile-attack/relationship/relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--2a29c2fa-937d-41bf-ace4-8b144e23b545",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1e9f9600-7ba3-44ae-b704-0fc0bd6e243b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b",
+ "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json b/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json
index 704c0c4c6a..3fcab3e7c8 100644
--- a/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json
+++ b/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6a2623ae-8557-4708-aca7-b935404dd034",
+ "id": "bundle--c22eca22-291d-4ee5-9160-21db9bc70383",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json b/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json
index 728b022ec1..71d9e801e6 100644
--- a/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json
+++ b/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d35a0197-d36f-4b63-943c-ffb207e1db60",
+ "id": "bundle--6a2b4ff0-ff76-46be-87ee-30de70a99652",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json b/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json
index b29c1d6a6b..bbd7442e6a 100644
--- a/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json
+++ b/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5cbb2120-661b-40ae-91d3-28fb5b91fc5c",
+ "id": "bundle--e9f2e016-91ae-4827-97a1-ae2184b6a263",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json b/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json
index 08e943b527..0698d76727 100644
--- a/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json
+++ b/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d9dcd3b7-f137-4559-987e-33859357f565",
+ "id": "bundle--b5346a58-4b80-44ba-8cff-cec5cd6b8c7b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305.json b/mobile-attack/relationship/relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305.json
new file mode 100644
index 0000000000..5efb99c736
--- /dev/null
+++ b/mobile-attack/relationship/relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--313254d0-24e9-4a5e-8b27-0c2e70b7b415",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1f35d6bf-c5e1-42bc-ba47-e06ee1a2e305",
+ "created": "2025-10-08T20:12:37.612Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:12:37.612Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.(Citation: ThreatFabric_Chameleon_Dec2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json b/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json
index 218defc9c3..31a9e64692 100644
--- a/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json
+++ b/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c9b602e1-696e-4591-a37a-d9c001dc2fae",
+ "id": "bundle--2e867f1a-32da-49fa-8689-ec284b2ca857",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json b/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json
index 4a0478dfb9..3486ad0631 100644
--- a/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json
+++ b/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--19cb1b73-0e4f-4d70-a09c-2dda8de161f2",
+ "id": "bundle--85cc793c-2cd4-4275-b0ef-4c488455355b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json b/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json
index edbd87cf8c..4c6db7fbae 100644
--- a/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json
+++ b/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5b039641-27dd-4f8d-8d52-169a71235963",
+ "id": "bundle--5a5c3f1b-235c-416c-9a06-5faefb667401",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json b/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json
index f996d288e9..1205930074 100644
--- a/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json
+++ b/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--254ac46e-b40c-4f28-8d68-7ab1d22d7ce8",
+ "id": "bundle--1487ee05-9d05-4076-bfaf-fe7771bc296c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json b/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json
deleted file mode 100644
index c3891984bc..0000000000
--- a/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a6545db2-a3ff-4a42-b799-572045d90a35",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--1f8f0021-6992-476c-ba1c-232542dc1633",
- "created": "2023-03-20T18:58:52.857Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:47:22.928Z",
- "description": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
- "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json b/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json
index fd30ac07a3..698df328f5 100644
--- a/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json
+++ b/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b40bdbb6-acc9-470d-9fd6-603b3b58111e",
+ "id": "bundle--43f87c9c-50a4-4eb7-9350-e789e65c43cb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json b/mobile-attack/relationship/relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2.json
similarity index 50%
rename from mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json
rename to mobile-attack/relationship/relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2.json
index 51f5dfdcce..b4fed3aa23 100644
--- a/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json
+++ b/mobile-attack/relationship/relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--0d4ae2f1-b601-4f2b-a75d-0b0bdc3d55aa",
+ "id": "bundle--d0bd1cef-e091-481d-8550-648deffee729",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f",
- "created": "2023-03-20T15:55:32.395Z",
+ "id": "relationship--2019d384-2aef-4c50-a1a6-0db411f68ba2",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:46:47.897Z",
- "description": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764",
 "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json b/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json
index 4676bf145b..ff795429a8 100644
--- a/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json
+++ b/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ffe5c47e-f143-406b-b6a0-a08887c33b7f",
+ "id": "bundle--242319cf-ab67-4337-ae8a-c596decd90b3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json b/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json
index 367a87b821..0ae5ea16d8 100644
--- a/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json
+++ b/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--69234749-e46e-43da-9e6d-db80f01e6f9e",
+ "id": "bundle--ed35c38c-fea4-45dc-af88-bbe3ccb80f87",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json b/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json
index 6ba57b21c5..d4a0860adb 100644
--- a/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json
+++ b/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b962fdb7-f7f3-42ea-988f-df502dda0150",
+ "id": "bundle--d325ae2f-cbd5-4cc3-8005-581f850e20c6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json b/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json
index cfa83abb23..c307a60bf2 100644
--- a/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json
+++ b/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2a22e8b3-4855-43ef-88f3-d0dfa9934d0b",
+ "id": "bundle--af273dd7-d124-492d-a163-12fbd7025598",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json b/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json
index 29b312614d..21741622ee 100644
--- a/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json
+++ b/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3218b99d-eecf-4d64-b464-e378bf19ea6e",
+ "id": "bundle--b0c59329-3777-46f0-a019-db4cd6988793",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json b/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json
index 686922a170..8456bfe38b 100644
--- a/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json
+++ b/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dadb0db5-ad00-4fcf-8d6b-404950bea37a",
+ "id": "bundle--637bb546-671e-4665-9a40-f69422cbfbe5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json b/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json
index 30c25291d3..99d2695f01 100644
--- a/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json
+++ b/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1f76a564-2a22-48d5-8c81-ee8f1a23e3ef",
+ "id": "bundle--e63bf87f-7d72-49f3-8bb9-147baa96a58b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json b/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json
index 0154f8d3f1..7cdd4d8068 100644
--- a/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json
+++ b/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f1f82dbf-79a9-48a0-8274-f44312924981",
+ "id": "bundle--5c2be88c-891c-43fe-be77-d65da7ac851a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json b/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json
index d1bbf623a7..0237f2e5a8 100644
--- a/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json
+++ b/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cdede76b-632c-4295-8260-4eb2234e013b",
+ "id": "bundle--17872e0e-ae2d-4d10-a2d4-e1e86b3d1107",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json b/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json
index b2d5989c32..3974344d65 100644
--- a/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json
+++ b/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2e7c9581-c343-46d3-85ab-20c8f1ad928d",
+ "id": "bundle--1447484f-ac6e-4fc7-afda-5c3aa242161e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json b/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json
index 33b5b29253..098abafe93 100644
--- a/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json
+++ b/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--67380bc6-88d9-4d31-a60c-071425fdad90",
+ "id": "bundle--be8fcaa4-e6c4-4495-b21a-b7805255767a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -10,6 +10,21 @@
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
+ {
+ "source_name": "CrowdStrike Scattered Spider JUL 2025",
+ "description": " Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.",
+ "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/"
+ },
+ {
+ "source_name": "Check Point Scattered Spider JUL 2025",
+ "description": "Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.",
+ "url": "https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/"
+ },
+ {
+ "source_name": "Mandiant UNC3944 May 2025",
+ "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations"
+ },
 {
 "source_name": "Mphasis SS_SIM_Swap Apr2024",
 "description": "Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.",
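Review bot: The CrowdStrike reference added in the `@@ -10,6 +10,21 @@` hunk of relationship--2167de58-8453-4ac3-977d-30a2b3526818.json has a leading space inside its `description` string, so tooling that renders or matches citation text verbatim gets a value that differs in form from the two references added beside it. It should read `"description": "Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.",`. The same kind of stray whitespace appears as a trailing space before the closing quote of the relationship `description` in the new relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55.json (RatMilad) and relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde.json (CherryBlos) files, even though the next hunk of this file removes exactly that trailing space from the Scattered Spider description. The relationship object itself starts before and ends after this hunk.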
@@ -19,14 +34,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:25.798Z",
- "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024) ",
+ "modified": "2025-10-14T21:25:32.275Z",
+ "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b",
 "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json b/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json
index 19a716aa68..16e434f976 100644
--- a/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json
+++ b/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1108894e-1ca5-4dd8-97c5-bf3ce7e9bd97",
+ "id": "bundle--24b0fce3-0397-48d0-a0b8-a5043b10af9d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json b/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json
index 8bf68cbc9a..e25e9ea3ef 100644
--- a/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json
+++ b/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c2a6bc9e-ec9b-429c-b294-a57070c5c721",
+ "id": "bundle--cebfb00a-4912-468a-880e-07d8efedbc6e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json b/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json
index 11e336d35a..dbb3e0eda5 100644
--- a/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json
+++ b/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5bbb1a7a-864d-4f58-b666-d58c5d229b19",
+ "id": "bundle--61b3ffaa-1999-48ff-87c0-9b2ba222a6c2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json b/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json
index b0525a3106..7ef92d15db 100644
--- a/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json
+++ b/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b7a98df6-7148-4968-858e-fe768cf41d62",
+ "id": "bundle--eb204c79-898c-4d7c-b421-162b607616f3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json b/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json
index 12fbf0491d..1519c445aa 100644
--- a/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json
+++ b/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a9fbb06b-4a43-4214-afa0-fbc857ca8e47",
+ "id": "bundle--118bf48d-dae2-4b7a-b99d-3d97c4dd1a02",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json b/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json
index abb6b1d57b..940a75e35c 100644
--- a/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json
+++ b/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d7207824-6f18-4242-9e3c-41da79e361b7",
+ "id": "bundle--703e2257-d270-4fe6-8dc2-e7fa90df0136",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55.json b/mobile-attack/relationship/relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55.json
new file mode 100644
index 0000000000..b958dad250
--- /dev/null
+++ b/mobile-attack/relationship/relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--e0f0a6dd-cf9e-4370-baad-b0c2f13ac30e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--226d2f3c-5d28-4599-9373-d3001f4c4b55",
+ "created": "2025-09-18T14:38:43.084Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:38:43.084Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json b/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json
index cdac1604c6..b4cf1d38e8 100644
--- a/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json
+++ b/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bce8597c-808b-49bb-8130-34bfa2185187",
+ "id": "bundle--7045f57a-ffa0-4bf4-acd3-5ba4c43d4e8a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json b/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json
index fb7df68637..a05f4cefe3 100644
--- a/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json
+++ b/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8703cbcb-470b-43c1-82a2-f81cc4d3ff6b",
+ "id": "bundle--39b739be-014a-4060-875c-4612645a6f1c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json b/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json
index b788719598..9a5eda9d60 100644
--- a/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json
+++ b/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--209997a3-f995-44a5-a138-8123e1ac8c60",
+ "id": "bundle--0ef0e84d-c097-4b5d-8597-a91861304e0b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json b/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json
index 031d0925ad..b73cdb4677 100644
--- a/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json
+++ b/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--065c1ec4-ca3f-454b-9aa2-449282f6e46c",
+ "id": "bundle--da5b5eb6-9998-4bb7-824c-dc4d0be80e70",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json b/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json
index 0be044f11b..8166484808 100644
--- a/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json
+++ b/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--af31bb46-f7d9-469b-93f4-50f94d37e14f",
+ "id": "bundle--c9b38eb8-4b8d-459f-8614-18edb14a777f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json b/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json
index 087d8a6ad5..c2bb8d260b 100644
--- a/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json
+++ b/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--16f3bb81-5579-42c1-97f6-2603287502d8",
+ "id": "bundle--7c47bfda-26ad-4cc9-86ed-80838499416b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json b/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json
index 1b95d7fd6e..9e853395e6 100644
--- a/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json
+++ b/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cfcaf45c-9033-47e8-9ec9-2e96a89292cc",
+ "id": "bundle--972a3def-e803-46c9-895a-045f3940b46b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde.json b/mobile-attack/relationship/relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde.json
new file mode 100644
index 0000000000..894555df25
--- /dev/null
+++ b/mobile-attack/relationship/relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--1e106d2d-b1cd-4afa-9776-63e0c51f4777",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2305ceb7-f237-42bb-9a45-e245d8f82cde",
+ "created": "2025-06-25T15:36:59.718Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-25T15:36:59.718Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has obtained a list of installed cryptocurrency wallet applications.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json b/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json
index 6bcdd159f8..45e6cea991 100644
--- a/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json
+++ b/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--635494c4-36a8-4c68-88fe-7c179a437821",
+ "id": "bundle--cf3e46a3-1f19-4bde-8fd7-c99c6f529122",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json b/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json
index 02f36b69f2..075da0dfc5 100644
--- a/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json
+++ b/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e441b9b1-8095-40c0-aff4-8166ac5848fe",
+ "id": "bundle--18b79ef3-c0ed-462f-ab84-6e501e715bf1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json b/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json
index a14f860421..ab686ae237 100644
--- a/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json
+++ b/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d11363d-e0a0-4316-8f32-0be3abbf985f",
+ "id": "bundle--a34a3baf-bfc4-4ede-a3c1-419a7ce29359",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json b/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json
index 74768b475b..c543363c5d 100644
--- a/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json
+++ b/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57d76b7b-af77-488b-8504-37faafdad557",
+ "id": "bundle--2a84dd80-0437-4005-b3a2-ed70f40cc76c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json b/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json
index 34839c1923..17b7ba2366 100644
--- a/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json
+++ b/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4e5d6ed1-ca2f-4197-873b-09557943dc4c",
+ "id": "bundle--40347365-7d1b-4697-946f-ec71a5363adb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json b/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json
index a88c7fb567..5b08e0976a 100644
--- a/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json
+++ b/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c66577ce-e5bf-4586-ae5e-5b5a9c3d9d5e",
+ "id": "bundle--bee32f37-1db3-4395-bea1-0730491ce6a0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--23f4525e-adc8-42bd-bcaa-0373442553aa.json b/mobile-attack/relationship/relationship--23f4525e-adc8-42bd-bcaa-0373442553aa.json
new file mode 100644
index 0000000000..f467f5e980
--- /dev/null
+++ b/mobile-attack/relationship/relationship--23f4525e-adc8-42bd-bcaa-0373442553aa.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--92cc3e9d-56e5-4a85-8642-d279d82f731d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--23f4525e-adc8-42bd-bcaa-0373442553aa",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e",
+ "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json b/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json
index 93403feb64..6c5f572cc3 100644
--- a/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json
+++ b/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--836ad721-ed9b-4914-9d45-4430c551bd01",
+ "id": "bundle--cf737cb5-5d28-4ab3-8328-9b7983427965",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167.json b/mobile-attack/relationship/relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167.json
new file mode 100644
index 0000000000..8223130363
--- /dev/null
+++ b/mobile-attack/relationship/relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167.json
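Review bot: The new `detects` relationship in relationship--23f4525e-adc8-42bd-bcaa-0373442553aa.json is added with `"description": ""` and without a `revoked` property, whereas the other relationship files added in this commit carry `"revoked": false` and a populated description. An empty string is harder for downstream tooling to treat as "no guidance" than an absent key, and it leaves analysts with nothing at the relationship level, so the detection content presumably has to be resolved from the `x-mitre-detection-strategy` object named in `source_ref`. I would add `"revoked": false,` after `created_by_ref` and either fill the description or drop the empty key. The same shape repeats in relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167.json, relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62.json and the renamed relationship--26a97b10-7344-4365-8169-c9ec735fda73.json.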
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--534be0ff-3fa7-4652-962a-fc319cc7c3c7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2421a94b-d71a-4c37-b5b0-3e12a92d8167",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5",
+ "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json b/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json
index 8f34075c2e..d0bd0e4255 100644
--- a/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json
+++ b/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b8b7fd4-dced-42fc-8640-e5c8afca3184",
+ "id": "bundle--3fe62a85-c319-4904-875d-1d93750f55f7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json b/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json
index eb41f4200b..2ec886f872 100644
--- a/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json
+++ b/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cff24a5f-0ddd-432e-bb10-fbed36b59499",
+ "id": "bundle--0a043a8d-30d6-4161-acf4-c168ba4c580c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json b/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json
index c0a66ec7a0..1d7ac77def 100644
--- a/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json
+++ b/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--16bdcfc5-0151-41fe-89f0-a9da138a8b22",
+ "id": "bundle--ddfc8a83-b32b-4eea-8245-79a95d503462",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json b/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json
index e88e5c5ad9..18a32f1f9b 100644
--- a/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json
+++ b/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e2768d5c-9043-43db-ba86-c67faece4135",
+ "id": "bundle--a00d4b70-3b3c-4f4c-86a5-c308a3a84da6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json b/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json
index 5bdd80a354..30bb9f2da4 100644
--- a/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json
+++ b/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a546e221-3c62-461c-8afb-837d6d47fa3d",
+ "id": "bundle--29f01b9e-bcf9-4840-a457-a82e8a5e10dc",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62.json b/mobile-attack/relationship/relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62.json
new file mode 100644
index 0000000000..eb1dd6256c
--- /dev/null
+++ b/mobile-attack/relationship/relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--e8bb0e2d-1dc1-4d42-b3fa-75ec2103d2ed",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--24db9a56-c868-43b7-a20c-99c6ff60ba62",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5",
+ "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json b/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json
index 4b02db2bee..ce64020fc8 100644
--- a/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json
+++ b/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9df67c51-dce5-4a94-923d-2f9d8d7ada19",
+ "id": "bundle--ad500f37-c2b1-4e07-b1bf-dd2613f25271",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json b/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json
index ca0ab0a100..cc7a8b2477 100644
--- a/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json
+++ b/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--acd23cdd-902a-49d2-8d9d-e2717e87ec8d",
+ "id": "bundle--70470bb9-216d-443b-a9fd-46cfd2808ce8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,8 +19,8 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:31.749Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-07-07T21:58:08.241Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has downloaded HTML overlay pages after installation.(Citation: cyble_chameleon_0423)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
diff --git a/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json b/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json
index d2f16f74ef..848e433002 100644
--- a/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json
+++ b/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f4553ba6-0d39-490f-8322-43c0bc495f26",
+ "id": "bundle--a66407f8-a02b-4c5a-87a8-d347e6c96739",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json b/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json
index ed476da50d..8239b9dffe 100644
--- a/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json
+++ b/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--17efcb11-83f6-48d3-802d-51455238bf03",
+ "id": "bundle--b3ec3634-950a-4d54-b477-dd7ace4f3ed9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json b/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json
index 5c41c463e5..9fc103720b 100644
--- a/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json
+++ b/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3c4499b9-e2cf-4c56-90c1-678cd735d626",
+ "id": "bundle--166c3645-de9f-4738-8ef8-70b82a23d893",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json b/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json
index 6643f290de..5aa4e98488 100644
--- a/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json
+++ b/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8a52c641-ba02-4456-b309-155a272ee9ca",
+ "id": "bundle--6e9fddf2-b36b-4a7d-90a1-bdcc4a380512",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json b/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json
index 8ba031bacf..049f897c32 100644
--- a/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json
+++ b/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--46712567-76bd-47a2-b19e-d8d35f821ebd",
+ "id": "bundle--4c65ed45-c2ce-4bf2-848c-075ab4c413a4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json b/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json
index d2fec1cb21..1c9fb3c54c 100644
--- a/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json
+++ b/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--244ed0e6-69e5-443d-9a09-9d3e8dbcba47",
+ "id": "bundle--48169c5d-82d2-469f-bcf8-283c07f04597",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json b/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json
index e09e1b2d33..c10bb2b058 100644
--- a/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json
+++ b/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--35172333-cde3-4ce8-88e2-55355f1d6714",
+ "id": "bundle--4fed7f51-8c56-4508-a34a-bef3c99553db",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json b/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json
index 5ea2c28216..9648196bc6 100644
--- a/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json
+++ b/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3c75206-1142-4c39-9a67-5c986dadccb1", + "id": "bundle--36ae8e85-6383-4b8d-8a0c-f07bf27ea0fd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json b/mobile-attack/relationship/relationship--26a97b10-7344-4365-8169-c9ec735fda73.json similarity index 52% rename from mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json rename to mobile-attack/relationship/relationship--26a97b10-7344-4365-8169-c9ec735fda73.json index 7ad0442f4c..cf024d89b1 100644 --- a/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json +++ b/mobile-attack/relationship/relationship--26a97b10-7344-4365-8169-c9ec735fda73.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--744f4d29-e146-42a6-a26c-f5e05a727161",
+ "id": "bundle--ca50c2ea-e972-4200-ba1a-35f6e0305e0b",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de",
- "created": "2023-03-20T15:57:00.953Z",
+ "id": "relationship--26a97b10-7344-4365-8169-c9ec735fda73",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:19.593Z",
- "description": "The user is prompted for approval when an application requests device administrator permissions.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "source_ref": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc",
 "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json b/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json
index 192cb7c246..a0198a1bb9 100644
--- a/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json
+++ b/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f0b46074-61f8-44ce-9632-50b23cb1c7b2",
+ "id": "bundle--9f4fd95e-9e4e-4398-b04a-fb3de50459e1",
 "spec_version": "2.0",
 "objects": [
 {
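Review bot: The new `detects` relationship `relationship--26a97b10-7344-4365-8169-c9ec735fda73` sets `"description": ""` and omits `revoked`, so the detection guidance carried by the object it replaces ("The user is prompted for approval when an application requests device administrator permissions.") is no longer on the relationship. Whether that guidance survives depends on the referenced `x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc` object, which this hunk does not show, so any consumer that renders `description` from `detects` relationships should be checked against an empty string. For consistency with the other objects in this change that state it explicitly, I would keep `"revoked": false,` after `created_by_ref`. The same shape (empty `description`, no `revoked`) appears in `relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33`, `relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf`, `relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd` and `relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432`.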
diff --git a/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json b/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json index f008c31bb9..0fede39cc4 100644 --- a/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json +++ b/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b868ec5-19fb-4883-afb5-0f088b65e0af", + "id": "bundle--ed97a65f-21d3-45a3-92ee-677c930ff71a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json b/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json index 1529306f88..d85779189e 100644 --- a/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json +++ b/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f511ac8-2415-4fff-8d92-7a91420daee3", + "id": "bundle--08e42380-a231-42da-9907-7a63cf628660", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json b/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json index ccaed88857..227c9d8b5d 100644 --- a/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json +++ b/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10bc22d8-4373-4310-b282-64cf7e4a9f15", + "id": "bundle--9d9ab8e7-09c8-487c-8589-5bf261dcf920", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json b/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json index b224e9a409..4a1c97ec50 100644 
--- a/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json +++ b/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--472e93fc-3151-4da8-afce-98a7f4c3c6dd", + "id": "bundle--d0580af8-1765-426b-b768-2d3c76e803cc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json b/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json index 5ac55d6d3b..5cb1c963ac 100644 --- a/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json +++ b/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11d9c798-240c-460c-b604-321b8fcfc106", + "id": "bundle--357ae771-266c-4120-ae7a-251f9db2f255", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json b/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json deleted file mode 100644 index 4787c2f700..0000000000 --- a/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--3d6674de-a024-47c5-aba2-eff419615ca0", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--27490b14-8044-408a-8c6a-6d8427eb78ff", - "created": "2023-03-20T18:44:26.233Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:35.083Z", - "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json b/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json index d343737b88..c84d2494cc 100644 --- a/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json +++ b/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5fc82c5c-4619-4afc-8d51-0aeaf821b160", + "id": "bundle--6e4ea6c9-fc16-4ad5-b0ab-18b7b5d570af", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json b/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json index 8142ec074b..4141e88427 100644 --- a/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json 
+++ b/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--788f4dc7-dacc-4395-a9b2-220af8f41d47", + "id": "bundle--8c5ad2f6-d9fc-4032-955a-30d859eac12c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json b/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json index 69138cb3c5..da8fc46a12 100644 --- a/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json +++ b/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ece29b8e-399a-4965-a940-ede45aa84384", + "id": "bundle--fea411ee-4ea7-473d-a9f8-45252a7c14d5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json b/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json index 3fe5d2b2f6..0741295ee8 100644 --- a/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json +++ b/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--147ce31a-53b5-46cc-a08a-e8c7e929241c", + "id": "bundle--3c3c6631-a52b-4b45-9f12-000dbc4ba84c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json b/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json index d1ff09e900..c6ca731aca 100644 --- a/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json +++ b/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--96fdc92d-b3e5-4844-bda1-144916b45d85",
+ "id": "bundle--9bf68807-8aea-4787-9c6c-00fa90a2f12a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--27cb4c94-c84a-4420-b213-442e4907d8e7.json b/mobile-attack/relationship/relationship--27cb4c94-c84a-4420-b213-442e4907d8e7.json
new file mode 100644
index 0000000000..132593265c
--- /dev/null
+++ b/mobile-attack/relationship/relationship--27cb4c94-c84a-4420-b213-442e4907d8e7.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--5fe852db-421f-47f6-817a-2af7f8d6dc2b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--27cb4c94-c84a-4420-b213-442e4907d8e7",
+ "created": "2025-10-08T14:37:36.242Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:37:36.242Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s contact list.(Citation: Lookout_DCHSpy_July2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
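Review bot: In the new `relationship--27cb4c94-c84a-4420-b213-442e4907d8e7` file, the `external_references` citation text has a stray space before the full stop (`Conflict . Retrieved`), and the `url` slug reads `dchsy` while the object spells the software DCHSpy everywhere else. The slug may simply be the publisher's own spelling, so confirm that the link resolves rather than editing it blindly. For the citation I would end the text with `During Israel-Iran Conflict. Retrieved September 19, 2025.`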
diff --git a/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json b/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json index 05c1321992..91c666c8ec 100644 --- a/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json +++ b/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df2b5066-0200-43ba-aa86-4520b83a5899", + "id": "bundle--cf4d10cf-106b-481a-a29d-e5487bda385b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json b/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json index f9b25945d7..85d0a72cd0 100644 --- a/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json +++ b/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b765865-15b7-4142-b156-c3f23166b2eb", + "id": "bundle--8403b10c-9f68-4c2d-a4df-a0bfe27c549d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json b/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json index 2e971b856c..cd11d1207a 100644 --- a/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json +++ b/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a42baa15-81fc-4700-934a-8fdb72f10917", + "id": "bundle--ffc0b268-22f1-426f-9114-42811bc8eaff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json b/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json index 8666a8c852..b171612c31 100644 
--- a/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json +++ b/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fcec0060-920c-4f76-8bed-aae9435c5868", + "id": "bundle--51558993-536e-42de-9710-708158d76209", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json b/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json index 81ad2ef565..60f08b3861 100644 --- a/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json +++ b/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--193a35b9-7846-4924-89eb-730d551a8e0e", + "id": "bundle--52178e42-ec69-4786-9faa-8606abdcbf1c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json b/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json index 84562033ea..efbf8a3cea 100644 --- a/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json +++ b/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6629050-9b2b-42a3-9933-dc1d7419321c", + "id": "bundle--7e70302d-8045-4a49-9284-6a3cddffd174", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json b/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json index f54e26b836..c4360ddbd3 100644 --- a/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json +++ b/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b4be97df-d001-4330-bebe-02cf2e2c4b62",
+ "id": "bundle--84ee4c0e-e68c-402a-bc60-fb62691aa622",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33.json b/mobile-attack/relationship/relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33.json
new file mode 100644
index 0000000000..53d36cc107
--- /dev/null
+++ b/mobile-attack/relationship/relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--e21c6586-36b6-4d2f-b500-a55628476e67",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--292ea094-7278-4f69-9bb6-64a8aaa72e33",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9",
+ "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json b/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json
index 919c33d3e5..59ca906d2d 100644
--- a/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json
+++ b/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4d576416-b1a8-4881-b2c5-e97dcf196cc4",
+ "id": "bundle--fb71da4d-9d73-48b5-882e-9745731da498",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json b/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json index d1547055be..13e3f6a06e 100644 --- a/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json +++ b/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--297690d2-c23e-4a3f-af2f-fd2ef60a0d3e", + "id": "bundle--b4bbac6b-26c8-42a8-9ab8-6fc2333e4a11", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json b/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json index a571a4dd9c..851e1387e5 100644 --- a/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json +++ b/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6322b64-d80c-4232-9786-27b7757d7455", + "id": "bundle--370f9464-2486-4e6f-ae98-06b3335c15e1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json b/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json index 0a77a6bdc5..404e28e1b9 100644 --- a/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json +++ b/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52f854db-4266-4c37-ab6f-2c2cda0092bf", + "id": "bundle--067384b7-ed08-482e-9de9-7708f0409f87", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json b/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json index 8c8fa26233..a66f2b0b08 100644 
--- a/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json +++ b/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--579b7f8f-9795-4787-802c-a5a947e63558", + "id": "bundle--8dba8337-4957-478c-b6eb-38eb08d66c6a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json b/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json index 7b47e95a3b..f1795ea298 100644 --- a/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json +++ b/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7dec82f-2034-4e90-9c58-7b7fe895e23c", + "id": "bundle--bdf5847a-23fc-4a78-9266-724f3c5a7806", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json b/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json index be464556b9..450a25ee59 100644 --- a/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json +++ b/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e4ed6f41-3fd2-434a-b6f7-431a03467fb5", + "id": "bundle--4cb44b34-7365-494d-a722-82dab29919ba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json b/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json index 2dded0cc58..98cff2c4b0 100644 --- a/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json +++ b/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9ded36fb-7ac9-4eac-afd3-b6939a820642",
+ "id": "bundle--2f213390-c7e2-4904-947d-fbb81a8b9f70",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json b/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json
index 146425cae8..5abdca1a81 100644
--- a/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json
+++ b/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b5022a5-bc13-4438-943c-545f1304ac2e",
+ "id": "bundle--b1951993-b0ca-44cc-8621-4152932f9713",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf.json b/mobile-attack/relationship/relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf.json
new file mode 100644
index 0000000000..9b0e980092
--- /dev/null
+++ b/mobile-attack/relationship/relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--ad5363c9-7221-4898-987b-31e5b18ca0b7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2ac927da-8d38-4529-9534-0fc93ffb2faf",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f",
+ "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json b/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json index 2f4424ef46..717a745ad8 100644 --- a/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json +++ b/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4fc5050a-4f64-4e55-94ff-7a908f8df73b", + "id": "bundle--f166604a-8b81-47b0-afa1-5f36213fb3b7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json b/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json index e9207c7824..f1e2478b48 100644 --- a/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json +++ b/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--748b0096-1a84-4dcf-8128-120f0b3fd584", + "id": "bundle--2f5eef5d-be08-4845-80df-a409aeb47ec7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json b/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json index 1c2291a753..d47bebfebd 100644 --- a/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json +++ b/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef51d408-f8d1-4cf1-b0d5-de35c5cc799b", + "id": "bundle--8e8fa2c7-3e00-40c6-8063-b3aebbc66718", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json b/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json index d4a92abef2..198d07306f 100644 
--- a/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json +++ b/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee415ca4-a242-4419-97f4-acefee11b204", + "id": "bundle--a910c2d6-d928-40aa-a48e-322a951c44e8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json b/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json deleted file mode 100644 index dff3aea8a7..0000000000 --- a/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--31972203-dfee-4138-be85-1e444ffaf985", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7", - "created": "2023-03-20T18:55:33.546Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:40.646Z", - "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json b/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json index 950c276638..9edef2848a 100644 --- a/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json +++ b/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79492504-ff4a-41d1-b4e9-9f4e99710a9a", + "id": "bundle--a58fbc2c-b44a-4616-9b5c-58400c0d21a7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json b/mobile-attack/relationship/relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd.json similarity index 51% rename from mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json rename to mobile-attack/relationship/relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd.json index b666f59ca5..01565d9fbd 100644 --- a/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json +++ b/mobile-attack/relationship/relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--238af8d9-6aca-4689-a34b-dc28bfe87b1e",
+ "id": "bundle--510343ed-a621-41e2-b838-5a127b9c87e3",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a",
- "created": "2023-03-20T18:53:35.012Z",
+ "id": "relationship--2ba3af4e-97d8-45e8-93e0-8fa857944edd",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:17.932Z",
- "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "source_ref": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d",
 "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json b/mobile-attack/relationship/relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432.json
similarity index 60%
rename from mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json
rename to mobile-attack/relationship/relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432.json
index 5c18d9a51a..25e491909f 100644
--- a/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json
+++ b/mobile-attack/relationship/relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--34ac4623-a858-4a17-92b4-c7eb763e15f4",
+ "id": "bundle--c34b2dec-4b55-470e-9406-a6b8f8e6895a",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059",
- "created": "2023-03-20T18:51:23.032Z",
+ "id": "relationship--2bdb3316-10c5-4aa5-95e0-dc7c5ccae432",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:32.433Z",
+ "modified": "2025-10-21T15:10:28.402Z",
 "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "source_ref": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69",
 "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json b/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json
index 0c56f05efc..80be46ca09 100644
--- a/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json
+++ b/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f0b78f39-5619-4b3e-ab9d-bc7557a77e40",
+ "id": "bundle--459514a2-116b-4b59-89a1-3ace6ceb69f7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json b/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json
index 5f3ada33cd..323cf41fd5 100644
--- a/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json +++ b/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12063b45-43b3-4fa4-af22-82bc9b3e3a1e", + "id": "bundle--0b5f502f-6100-49d6-a499-c751d6aa60e5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json b/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json index 6b349359a7..dbe53e7537 100644 --- a/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json +++ b/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abb51a6f-2869-4f11-8e3b-88eff27fa33b", + "id": "bundle--50611b29-6de8-45b0-85c3-82d8657e99d3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json b/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json index d6aab5f83b..e1c7dae38f 100644 --- a/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json +++ b/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da0c2dfd-6ccb-45d6-82d0-a0651de5457a", + "id": "bundle--8563ff99-8ff1-4dac-87bc-5d2848c81923", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json b/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json index e372bc4da5..af0f607dd1 100644 --- a/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json +++ b/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa68dfa6-1be4-4225-8bed-525c517f0a71", + "id": "bundle--ef303fed-98d7-4434-a17f-e85e6727e868", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json b/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json index 0c69fdd5ae..b628ca3148 100644 --- a/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json +++ b/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52ffdbc7-53b7-4b72-8f1b-1655b41cce44", + "id": "bundle--1aa50a92-c0ab-4eee-83cd-1b3c6590ae8c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json b/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json deleted file mode 100644 index 95cfda30bd..0000000000 --- a/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--a8955d95-743f-4f9c-b992-73c21995488d", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07", - "created": "2023-03-20T18:54:25.458Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:42.533Z", - "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json b/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json index 50efb3b1c3..e2dd2923d4 100644 --- a/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json +++ b/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d083bbc-22bf-4a6f-b6d9-d4f7200e2155", + "id": "bundle--a2134649-5489-4c77-8584-c7593bcc5cf1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json b/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json index eb87f97e1c..81a430a5dc 100644 --- a/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json 
+++ b/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20b3a26e-addf-485c-80e4-09a7be1a3e52", + "id": "bundle--4f4a2fd0-35f0-48f8-b085-3e8c457838ef", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:42.965Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:17.428Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed system checks to verify if the device is rooted or has ADB enabled; if found, [Chameleon](https://attack.mitre.org/software/S1083) will avoid execution.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", diff --git a/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json b/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json index e0926153f3..4eca809445 100644 --- a/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json +++ b/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27b4b0b2-3745-4384-8e31-67f500a7cd35", + "id": "bundle--5cc06d05-d43e-45ad-a7d3-d79391890338", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json b/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json index 318e4ddf0b..eb669d5875 100644 
--- a/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json +++ b/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cfe0dd04-0c01-4e28-846f-60d2b642102c", + "id": "bundle--52845a29-b82c-480b-82ed-84754f1f7360", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070.json b/mobile-attack/relationship/relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070.json new file mode 100644 index 0000000000..c3c3c0e980 --- /dev/null +++ b/mobile-attack/relationship/relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--5078062d-2e5e-40f4-9fdd-cd31661d32ad", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2d6f830f-411c-48e5-8b7e-6d9e01244070", + "created": "2025-10-08T20:13:43.780Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:13:43.780Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used a SOCKS proxy.(Citation: ThreatFabric_Chameleon_Dec2023)", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json b/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json index c81aa61692..d8aecce01a 100644 --- a/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json +++ b/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92fed938-f9ac-4b6b-8e85-1b187d78b8d7", + "id": "bundle--8e6ccd22-ec88-48ec-a750-e24e2f13f606", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json b/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json index 57e4d563b5..74b92c0b89 100644 --- a/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json +++ b/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26879753-b052-4570-9698-638ccea7c60f", + "id": "bundle--bf9d3811-2966-4e2e-a495-e2c8dc7c00a2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json b/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json index add64771cd..e6c4dd211e 100644 --- a/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json +++ b/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9de9013-cab9-4bf0-af5e-8bb86fda5ecc", + "id": "bundle--7d32ab8d-8adf-4262-8c8d-820afc9523fe", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json b/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json index 0fbc1fbd8b..5d6445f5ee 100644 --- a/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json +++ b/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdef9ba5-a704-4cdf-9462-221ffe8863cc", + "id": "bundle--fe1f035e-e515-442e-b1de-4f798b9a9f83", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json b/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json index 5ae229367f..3f31fa6bb7 100644 
--- a/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json +++ b/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--25150911-31d2-47de-9576-bf7dcdd3cfad", + "id": "bundle--d13ccfdc-e43a-4fdb-ab79-c7ad53be5cc6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json b/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json index 4268cabdda..5a7ab4f6c4 100644 --- a/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json +++ b/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e96df1fd-5112-4df2-9b8a-77d67b1c5aae", + "id": "bundle--c56f6603-e8a2-4bd0-8ab2-e5e3b70f5835", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json b/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json index 4e86c8efa6..3b519584c8 100644 --- a/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json +++ b/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abf57b69-e33a-42b6-85dd-d886ad468814", + "id": "bundle--f75f12bf-ada5-42a5-bf9e-b96ea086f1ab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json b/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json index 0231f1e2d9..c5b4050bb1 100644 --- a/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json +++ b/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54079791-1e8c-4553-b17d-275590e718b6", + "id": "bundle--eb790d92-3f32-4406-a02d-4d01b9dd5a63", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json b/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json index 8c395fbbd7..9f845a3976 100644 --- a/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json +++ b/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c296091-9d03-4b08-a670-ab136f5a94e0", + "id": "bundle--6badb836-d2b4-409a-ba2d-0b63502cefa8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json b/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json index 80bc59ca28..56cd8a038a 100644 --- a/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json +++ b/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2fcd8043-0b36-4e57-801c-3f9f7c5c95ac", + "id": "bundle--276b2f70-8803-4aa9-aab3-d4d4bed22733", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json b/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json index 066ab459a9..dfe1d77aec 100644 --- a/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json +++ b/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34f2e865-9add-476b-9425-74305e2d1a2e", + "id": "bundle--3d86b368-1fb8-4ed8-8007-abf604acbb95", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--2eb063cd-c8cf-4651-b849-454a55daff76.json b/mobile-attack/relationship/relationship--2eb063cd-c8cf-4651-b849-454a55daff76.json new file mode 100644 index 0000000000..7fb2fa7cab --- /dev/null +++ b/mobile-attack/relationship/relationship--2eb063cd-c8cf-4651-b849-454a55daff76.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--210ed3eb-782f-47d6-9f74-98440afe5b3f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2eb063cd-c8cf-4651-b849-454a55daff76", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", + "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json b/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json index 0419cef853..32d075c094 100644 --- a/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json +++ b/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--313f9f02-bd8e-4a10-9109-313634f7a520", + "id": "bundle--9a167dbd-8a44-4e49-b15f-e3104d27c2be", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json b/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json index c3f658b841..974fc3e1ed 100644 --- a/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json +++ b/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--671766a1-4d30-4a2f-a452-716cb5b6daa6", + "id": "bundle--b7e64aa7-186e-4e15-9a3b-0ed721ddf231", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json b/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json index eef73ac76a..0d08eb5601 100644 --- a/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json +++ b/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f24b381c-ef6b-40dc-9554-71a81964911b", + "id": "bundle--6602042b-6655-4b03-ac6b-a367e5201bb7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json b/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json index 0c18f5c9ec..ea4b51fb22 100644 --- a/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json +++ b/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a594bdb-2cb6-4f4d-a300-026b4ff0eda8", + "id": "bundle--9987293b-73cf-4b02-8041-cfd17b0b263e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json b/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json index 97a1901f00..75e09e57ab 100644 
--- a/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json +++ b/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--109be766-ae11-48f1-8011-7c23620d1e67", + "id": "bundle--e7376b40-f463-44ad-ad49-d482077ea373", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c.json b/mobile-attack/relationship/relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c.json new file mode 100644 index 0000000000..2e4e6e0f5e --- /dev/null +++ b/mobile-attack/relationship/relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--27aef13d-e4e0-44ba-808c-908fbb93d49a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2f63c5a0-db78-4f81-bbdd-46fccf06bf9c",
+ "created": "2025-08-29T21:59:48.642Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T21:59:48.642Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting for the accessibility service.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json b/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json
index 3e730dfc38..6b35a1b1cc 100644
--- a/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json
+++ b/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json
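Review bot: The added relationship `description` calls Google Play Protect "a security application pre-installed on all Android devices", which overstates its reach: Play Protect ships with Google Play services, so Android builds without Google services do not carry it. That matters to a defender judging which part of a fleet is exposed to this masquerade. Unless the cited Merkle Science post makes the claim in those words, I would write `pre-installed on Android devices with Google Play services`. In the same string, `requesting for the accessibility service` should read `requesting the accessibility service`.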
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e48bb764-51e9-4ea7-a03f-dcf4a80298ab", + "id": "bundle--c220e6cc-55d7-4eff-a757-c1e529f1a0d4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142.json b/mobile-attack/relationship/relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142.json new file mode 100644 index 0000000000..0ef81c4a65 --- /dev/null +++ b/mobile-attack/relationship/relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1bf0b3f6-ada7-4801-b9ef-cca4818cf9e7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2f97c0cb-ec84-4b5d-ac2c-c3b1c9da2142", + "created": "2025-09-08T16:32:57.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T16:32:57.240Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json b/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json deleted file mode 100644 index 386a071881..0000000000 --- a/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7b073ab6-5adf-484f-a80e-c0dccf12da2c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7", - "created": "2023-03-15T16:26:04.949Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:47.221Z", - "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json b/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json index cf7e75f562..9c5e244f8e 100644 --- a/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json +++ b/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11f05f41-7471-411b-811b-7a0f218ff8ae", + "id": "bundle--95f51a43-1bf0-4740-a2e4-a48268e3e004", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json b/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json index 4ae28e6bb7..7aafd8956d 100644 --- a/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json 
+++ b/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8dcbda02-f854-4b5a-bd6e-d028b16cd2d0", + "id": "bundle--b7820273-3cee-494f-9971-39371ec8c523", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json b/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json index e9a48e159e..1bf42fe42b 100644 --- a/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json +++ b/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7116738f-4945-4adc-8576-9068cea7dd83", + "id": "bundle--0545f187-0cc2-4060-a5b4-a22e4217084b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json b/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json index 281912274c..9b671f1b83 100644 --- a/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json +++ b/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05f271fa-e140-48ea-ae0e-32718f237f97", + "id": "bundle--14c3f2d5-2121-4710-bd01-fe1c8510e330", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json b/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json index 3dba4f29e5..2d418d2c35 100644 --- a/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json +++ b/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cb4314b-02fe-497a-8b5b-118eab8a65d5", + "id": "bundle--46012b70-652a-41cf-92d5-7de7798c2104", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json b/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json index 68d63a1b26..7e3c8f0f6a 100644 --- a/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json +++ b/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8bdb51c6-9ce0-4089-bda6-b4e660eaf358", + "id": "bundle--8b6097c2-e89d-4508-94fd-23205ef15d94", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json b/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json index 1c7160e2f4..28baef6745 100644 --- a/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json +++ b/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a66f6400-acb5-48d0-b18d-dcd39702da78", + "id": "bundle--b204eb2d-af71-40cd-9660-4683295f24ef", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json b/mobile-attack/relationship/relationship--30d02956-90ed-4556-bf04-8494a6ce5f04.json similarity index 53% rename from mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json rename to mobile-attack/relationship/relationship--30d02956-90ed-4556-bf04-8494a6ce5f04.json index 8ed8227339..7c4ce0bc46 100644 --- a/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json +++ b/mobile-attack/relationship/relationship--30d02956-90ed-4556-bf04-8494a6ce5f04.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--a3ed158b-9f1a-4ed7-9a0f-6070a7efaebd", + "id": "bundle--ffecf2c3-0e0b-4445-bbf3-27a2dfc5c1ef", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf", - "created": "2023-03-20T18:59:14.759Z", + "id": "relationship--30d02956-90ed-4556-bf04-8494a6ce5f04", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:09.234Z", - "description": "Application vetting services can detect unnecessary and potentially abused API calls.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "source_ref": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json b/mobile-attack/relationship/relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29.json similarity index 51% rename from mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json rename to mobile-attack/relationship/relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29.json index be4c021cb8..ead5221995 100644 --- a/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json +++ b/mobile-attack/relationship/relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--33353ea2-f7f6-43c5-bb5e-33e1b70d9c11", + "id": "bundle--010dd30e-4a8a-4303-a591-709dc0ee447c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9", - "created": "2023-03-20T18:51:07.547Z", + "id": "relationship--30ff0aa8-7931-4a1c-880a-3e72b62bbc29", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:41.067Z", - "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "source_ref": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json b/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json index 482aba2658..1422f2a875 100644 --- a/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json +++ b/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5f383de-34c6-4e4e-adbf-5d4e9aa94cc0", + "id": "bundle--4ff3e781-7a46-4060-aa29-114e2283f1e2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json b/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json index 760875e390..1470f37d72 100644 --- a/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json +++ b/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16fbbb95-4601-4936-90ee-898bfe7ff42c", + "id": "bundle--0e393df0-8b15-452c-ac72-97a5de85e6e3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json b/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json index cfc9c0f342..d2b46a9cbd 100644 --- a/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json +++ b/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b633ac5-6516-4e38-b3d4-b4f2415563ff", + "id": "bundle--3de24a78-03a4-4a5e-ad28-2bd734573952", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json b/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json index 93b6d49247..2524ddb2d8 100644 --- a/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json +++ b/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0592e026-0905-4059-a033-e51386050e86", + "id": "bundle--efdfceb6-52c0-4478-84fa-6aa34929dac0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json b/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json index 114551438d..70bbfe75dc 100644 
--- a/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json +++ b/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cd7895e-0770-4ed9-8b2b-f4ddc4292a87", + "id": "bundle--f1b8dcdf-e884-4f8c-97f6-70bfb803072c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3237f5ff-b870-41a7-8448-6f6b387db61d.json b/mobile-attack/relationship/relationship--3237f5ff-b870-41a7-8448-6f6b387db61d.json new file mode 100644 index 0000000000..17de7b8349 --- /dev/null +++ b/mobile-attack/relationship/relationship--3237f5ff-b870-41a7-8448-6f6b387db61d.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--80808062-d9d1-4dfb-8972-f893fcce60b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3237f5ff-b870-41a7-8448-6f6b387db61d", + "created": "2025-06-25T15:34:46.220Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:34:46.220Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has been distributed through the threat actors\u2019 Telegram group, fake TikTok and Twitter accounts, and YouTube videos.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json b/mobile-attack/relationship/relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba.json similarity index 53% rename from mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json rename to mobile-attack/relationship/relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba.json index ffc4759898..62f40ad7ad 100644 --- a/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json 
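Review bot: The new CherryBlos relationship `relationship--3237f5ff-…` declares `"x_mitre_attack_spec_version": "3.2.0"`, while the other relationships added in the visible hunks declare `3.3.0`. This may simply reflect its earlier `created` date of 2025-06-25, but if consumers validate objects against the declared spec version it is worth confirming whether `"x_mitre_attack_spec_version": "3.3.0"` was intended. The `description` also ends with a space after the citation, `…(Citation: TrendMicro_CherryBlos_July2023) "`, which carries into rendered text and exact-match comparisons. The DCHSpy relationship added in `relationship--32a28692-…` has the same trailing space.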
+++ b/mobile-attack/relationship/relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--52d02411-60a5-4881-96ca-c56889978dd5", + "id": "bundle--92036bce-10cf-4611-8965-c197a456f9f0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5", - "created": "2023-03-20T15:21:12.492Z", + "id": "relationship--3255ffee-496e-4ad2-b79d-ddaff4a31eba", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:30.051Z", - "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "source_ref": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json b/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json index 1a54ceb17b..bb26212d0d 100644 --- a/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json +++ b/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--943ef94f-4567-480c-920d-38406d928d1e", + "id": "bundle--0096cdde-fc9e-44e8-997b-d085f60dcb78", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json b/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json index c9469bbd69..a13bfb9742 100644 --- a/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json +++ b/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a24418e3-b2d0-48cc-baf6-5a975611ae44", + "id": "bundle--5720e63c-f1d4-46a6-84a8-988ae63154f7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json b/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json index c8239ae288..17b04ddc4b 100644 --- a/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json +++ b/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c72a846b-d714-4733-8109-5af2e97359fe", + "id": "bundle--b2439083-9cc5-4bfe-aeba-48998869f8e3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--32a28692-0297-40b9-b853-4996cf5541ec.json b/mobile-attack/relationship/relationship--32a28692-0297-40b9-b853-4996cf5541ec.json new file mode 100644 index 0000000000..606718509e --- /dev/null +++ b/mobile-attack/relationship/relationship--32a28692-0297-40b9-b853-4996cf5541ec.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7acefe04-1ed2-4e59-b106-f66cb8662017", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--32a28692-0297-40b9-b853-4996cf5541ec", + "created": "2025-10-08T14:42:19.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:42:19.577Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured photos from the device by taking control of the camera.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json b/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json index ab77b49bcc..1e8c6b9c06 100644 --- a/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json +++ b/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9833cbfa-4467-4236-84c3-f6e3aca0ca09", + "id": "bundle--07320fce-891c-44f2-8fdb-64f05d5799c0", "spec_version": "2.0", "objects": [ { 
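Review bot: The `Lookout_DCHSpy_July2025` reference text in the new `relationship--32a28692-…` file has a stray space before the period, `…During Israel-Iran Conflict . Retrieved…`; I would write it as `…During Israel-Iran Conflict. Retrieved September 19, 2025.`. The URL slug reads `dchsy-surveillanceware` where the software name is DCHSpy. That may be the publisher's actual slug, but it is worth confirming the link resolves, since a dead citation removes the evidence trail analysts rely on when validating this technique mapping.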
diff --git a/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json b/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json index 322873d456..980268a34a 100644 --- a/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json +++ b/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a1f8bfe-c547-4452-bd80-4705f679ad54", + "id": "bundle--3e310234-a07b-4023-9dab-5ec00473d841", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d.json b/mobile-attack/relationship/relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d.json new file mode 100644 index 0000000000..d8f319522f --- /dev/null +++ b/mobile-attack/relationship/relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--cba295cc-430d-4fbe-afc2-96ad01ad1257", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--33329d7b-aa21-4c0d-a570-5e35e2e0cc9d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json b/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json index 550cf39b41..d31dcd9a91 100644 --- a/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json +++ b/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80ccad38-3625-4d92-8cef-42eb2c938c3c", + "id": "bundle--3283d97b-2fc8-4865-a97a-2945bf7c96f2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json b/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json index 9486beb0de..0b5cc0897a 100644 --- a/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json +++ b/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3dd808a5-64cd-4595-8595-36ac2bece489", + "id": "bundle--7ab40a12-986b-4263-b0e0-1193307d72a9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json b/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json index 4c87d9eb36..0a50284ebf 100644 --- a/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json +++ b/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31b6ed2b-ff30-4ca1-af05-c358480cd3b7", + "id": "bundle--c2cc0184-4f37-4d89-91cf-8fc56cb49de0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json b/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json index 07d17b8c95..92d6b46521 100644 
--- a/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json +++ b/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c98702d-0b08-43f7-b5df-b9325f1a5170", + "id": "bundle--f069e751-87ce-42fa-b35f-481504275831", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json b/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json index 6ef5cc10d3..39859047a1 100644 --- a/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json +++ b/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75da7915-1496-4015-85b9-cf3d0e5f5da7", + "id": "bundle--5b62f999-00e7-4be5-bd33-b10572273f64", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json b/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json index 006a16c184..639b050390 100644 --- a/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json +++ b/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab6756f7-d9f7-41ae-b8a3-d05548e2d5ac", + "id": "bundle--8e74c3a3-dafc-40de-bb56-469e816612c5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json b/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json index 8199ed4744..b125a89ed6 100644 --- a/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json +++ b/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1c4cd46-876b-4b8d-9c1f-6a313e7e77ea", + "id": "bundle--3967d40c-16b9-4621-bcd9-af7b4f9d2524", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json b/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json index 37393b0db0..2f9a0b453b 100644 --- a/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json +++ b/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4244ee01-22df-467c-b71f-e1a12f679559", + "id": "bundle--6f16e234-3cd3-4f8d-892c-10549b3cbed8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json b/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json index 2590f0cdf9..b237b84808 100644 --- a/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json +++ b/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fab24f60-7e56-4fb8-a9e4-33c9fe70f55d", + "id": "bundle--78afdd62-e0cb-4dcf-b63b-10c4c83f9744", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json b/mobile-attack/relationship/relationship--34d5905b-486c-4ccc-969a-ef39905e9aff.json similarity index 54% rename from mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json rename to mobile-attack/relationship/relationship--34d5905b-486c-4ccc-969a-ef39905e9aff.json index 9157eac307..dff7e8c0a6 100644 --- a/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json +++ b/mobile-attack/relationship/relationship--34d5905b-486c-4ccc-969a-ef39905e9aff.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--b02e5b5e-6a7b-4585-98ae-00a8569f7236", + "id": "bundle--2ce66e98-bce8-4911-a8f4-7cd0f7f49eaf", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81", - "created": "2023-03-20T15:45:44.000Z", + "id": "relationship--34d5905b-486c-4ccc-969a-ef39905e9aff", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:29.665Z", - "description": "Mobile security products can potentially detect jailbroken devices.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "source_ref": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json b/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json index 4e542fcba4..eae20a5200 100644 --- a/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json +++ b/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02d4d78c-779e-4c98-bc15-8c93c473b09d", + "id": "bundle--264cee5d-bcfd-47f9-818e-32695a9fa583", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json b/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json index a2cd5b0c7a..7a5b2a16c7 100644 --- a/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json +++ b/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--537449a3-0de8-4312-9bff-952a49909fe8", + "id": "bundle--7868ed3f-5a9c-48f0-a427-767c7ec1f7ad", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json b/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json index de675834e8..9efe2ce797 100644 --- a/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json +++ b/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9788729-a302-44ed-b2e4-4d1d443ed010", + "id": "bundle--601102f3-2181-473e-b461-560c411c0b50", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json b/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json index 8fe9faa3ca..1145dfa4b0 100644 --- a/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json +++ b/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de7c18fd-11b0-4d07-94ca-7a72c932486b", + "id": "bundle--d9ef0fb7-76fb-482b-a6b5-0f8dfea7fadc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json b/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json deleted file mode 100644 index 25a0b67377..0000000000 
--- a/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--e4396846-a7c2-4634-9be7-5535d9c1f7cd", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3565140f-1570-494d-9d6f-91c9203ece69", - "created": "2023-03-20T18:52:29.821Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:47:54.977Z", - "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json b/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json index 695d18dcc8..7c3cfb34ea 100644 --- a/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json +++ b/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db472896-2dcf-4afb-881b-a978f90716b8", + "id": "bundle--cc1b96d2-3881-41be-80ff-d77b88b1c998", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json b/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json index 583138c32a..6eb6f6fbf3 100644 --- a/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json +++ b/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b53e9f0f-4b3d-4291-a194-b3f761ee5c95", + "id": "bundle--ed347b4a-b280-44bd-a393-b828452e8186", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:55.381Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:37.780Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has used HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", diff --git a/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json b/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json index 9c965072a0..865d09ea11 100644 --- a/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json +++ b/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--186a8f4f-dc39-459a-a2eb-63d4661ff8e7", + "id": "bundle--6165347c-f4d1-43cd-9122-8bae9e6f5e91", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json b/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json index 92197412ac..387b6781dd 100644 --- a/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json +++ b/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65bddcfd-ee5b-4425-b7d2-bbbf5b4b3bf6", + "id": "bundle--938ea7c4-0de0-4321-91a7-111daf94fbc0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json b/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json index 1c9ed12ad7..97d7bcbd77 100644 --- a/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json +++ b/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--100edc2e-7f4b-431e-a34f-962f94479c22", + "id": "bundle--c18e496b-0db1-42da-a577-f65aec3fa0d2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json b/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json index 4ea39b5e32..7fb4a12a1f 100644 --- a/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json +++ b/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab8b35d9-ac70-441f-88d6-8158bb0cddd1", + "id": "bundle--864bf023-87e5-43ac-8e7d-92e3016d00c4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json b/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json index 4e363e9dab..afe0af52b0 100644 
--- a/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json +++ b/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4344c3a-1142-474e-b022-9adb7f405929", + "id": "bundle--6b62fad3-f84c-44a1-ac9b-cdd339fe334c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json b/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json index 895e6f0cec..bc60124637 100644 --- a/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json +++ b/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b95bd95-aa32-440d-9c47-c627121c0026", + "id": "bundle--baa85128-12b4-42fa-8639-996e13b005fa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json b/mobile-attack/relationship/relationship--36874e30-f649-4e46-a4b9-195273b6df6e.json similarity index 53% rename from mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json rename to mobile-attack/relationship/relationship--36874e30-f649-4e46-a4b9-195273b6df6e.json index 7457918217..cdcf4b97e8 100644 --- a/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json +++ b/mobile-attack/relationship/relationship--36874e30-f649-4e46-a4b9-195273b6df6e.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--c13839b5-9f1c-4f3d-b807-347fd9fe9d19", + "id": "bundle--2a14bc01-3b9a-4f4a-b8b8-0e915ec7cc9d", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213", - "created": "2023-03-20T15:32:36.972Z", + "id": "relationship--36874e30-f649-4e46-a4b9-195273b6df6e", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:05.752Z", - "description": "Application vetting services can detect malicious code in applications.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "source_ref": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json b/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json deleted file mode 100644 index 8a757f6891..0000000000 --- a/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--b9b57075-4b03-4798-aee2-d947037d01d2",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--36c71b5d-e453-488c-ae63-8fb063924c27",
- "created": "2023-08-10T21:57:51.879Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:47:56.853Z",
- "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
- "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json b/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json
index 5969e7e319..e18e79c3bd 100644
--- a/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json
+++ b/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--647af414-46c6-4e8a-a39a-3096ddb42d4b",
+ "id": "bundle--d0664018-884a-4f8e-94dc-bc508b521c70",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json b/mobile-attack/relationship/relationship--3721782f-351b-430d-8667-df78ac3db541.json
similarity index 51%
rename from mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json
rename to mobile-attack/relationship/relationship--3721782f-351b-430d-8667-df78ac3db541.json
index de26c39938..f2c374d7dc 100644
--- a/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json
+++ b/mobile-attack/relationship/relationship--3721782f-351b-430d-8667-df78ac3db541.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--aa1781c6-6b34-4389-8c62-a2809f6f9e11",
+ "id": "bundle--2b6ea370-3d0f-4cb1-bcd1-d5ec82715e85",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--8244700e-6f96-463a-a9c3-810c489a2c60",
- "created": "2023-03-20T15:20:24.554Z",
+ "id": "relationship--3721782f-351b-430d-8667-df78ac3db541",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:51.107Z",
- "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a",
 "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json b/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json
index 117056921d..3b5e2ffe64 100644
--- a/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json
+++ b/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9f6a5654-cbf2-4eee-be53-d4dde68c929e",
+ "id": "bundle--79d5f3ff-abf6-4280-a2ea-7b8c65b9ac16",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json b/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json
index 485d7cf5f9..2da103c61b 100644
--- a/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json
+++ b/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3cd5ca57-2d59-4d7a-8eea-a602586bc48d",
+ "id": "bundle--22881f3f-6510-4fa7-83d8-e8f8302a7e75",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json b/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json
index 832877bb5a..55ca786ff7 100644
--- a/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json
+++ b/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0833a1e6-2293-4ab4-a7a3-d14104ab2d03",
+ "id": "bundle--3792ed0d-342e-412a-b0a9-b16f5d65677a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--375ead49-d7ac-4664-bd46-a266764cddc8.json b/mobile-attack/relationship/relationship--375ead49-d7ac-4664-bd46-a266764cddc8.json
new file mode 100644
index 0000000000..54355e65b9
--- /dev/null
+++ b/mobile-attack/relationship/relationship--375ead49-d7ac-4664-bd46-a266764cddc8.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--484d4836-2631-4447-ad27-4aee04fb99fc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--375ead49-d7ac-4664-bd46-a266764cddc8",
+ "created": "2025-08-29T22:10:52.147Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:10:52.147Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has leveraged WebSockets for C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--37a6f20d-e739-43df-97fb-c39ae93b2725.json b/mobile-attack/relationship/relationship--37a6f20d-e739-43df-97fb-c39ae93b2725.json
new file mode 100644
index 0000000000..17abc88135
--- /dev/null
+++ b/mobile-attack/relationship/relationship--37a6f20d-e739-43df-97fb-c39ae93b2725.json
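Review bot: The added `description` in relationship--375ead49-d7ac-4664-bd46-a266764cddc8.json ends with a stray space before the closing quote (`...GodFather_Jun2025) "`); it should end `...GodFather_Jun2025)"` so the stored text carries no trailing whitespace. The same trailing space appears in the new files relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e.json and relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c.json. In `external_references`, the author list `Ortega, F. Pratapagiri, V.` has no separator between the two authors, and the URL slug (`the-dark-side-of-the-virtualization`) does not match the cited title, so the link is worth re-checking before release.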
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--88645699-e945-483a-8212-e893fabd60cb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--37a6f20d-e739-43df-97fb-c39ae93b2725",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f",
+ "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json b/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json
index c8a0ae6a8c..c0c2098c21 100644
--- a/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json
+++ b/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c8a78981-2b35-4787-b42c-ed1cf287cd6c",
+ "id": "bundle--aca287f1-4c11-460f-9236-12658fa730be",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json b/mobile-attack/relationship/relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c.json
similarity index 53%
rename from mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json
rename to mobile-attack/relationship/relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c.json
index 71674878f2..c416aa034c 100644
--- a/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json
+++ b/mobile-attack/relationship/relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--a70529dd-9efa-4d57-abf5-5bfbaf4291d7", + "id": "bundle--dccffb73-4928-4e27-be76-851088f06f50", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c00031dd-0466-4fd2-9724-ab1c04232bad", - "created": "2023-03-20T18:44:40.722Z", + "id": "relationship--37ee0a2d-bf61-4d71-98a4-6a9fbf28a85c", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:19.380Z", - "description": "Application vetting services can detect unnecessary and potentially abused API calls.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "source_ref": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json b/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json index 235fe8bd91..630ea872d7 100644 --- a/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json +++ b/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1aad6116-5378-4e20-ad7a-624b176d627e", + "id": "bundle--d4c24a5a-f5ae-4859-ba06-4d553429a891", "spec_version": "2.0", "objects": [ { 
@@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:47:58.369Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T21:59:58.825Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has communicated over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", diff --git a/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json b/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json index e83add5fea..c056f662ed 100644 --- a/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json +++ b/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e845ca85-5af2-49c0-90e2-a826f7cf69d3", + "id": "bundle--71f83aac-973a-4dad-868a-1d5a87e8ec8d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json b/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json index f80839df9b..bffe478c45 100644 --- a/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json +++ b/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6545d16d-d6a7-423a-a749-219a123df319", + "id": "bundle--8a0f9a5e-3058-4e09-9ad1-50de5f134ed2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json b/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json index 0b6a9189b7..b0930b9643 100644 --- a/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json +++ b/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7ca448c-8a04-40ca-a193-b937e228d6ec", + "id": "bundle--9c3ef971-a57d-46b9-b3ac-62e38c92f65d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json b/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json index fae4bcb1fa..0c7ec5a12c 100644 --- a/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json +++ b/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3103aed-8ade-4c48-acd7-88da3c3562b1", + "id": "bundle--ccac6343-6632-4889-8a9d-8d8b0617b8ca", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json b/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json index b2984dac1c..73ff9dec56 100644 --- a/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json +++ b/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3a08404-6e5b-4787-8ada-1ea35f359f63", + "id": "bundle--119b99c8-25a7-4640-bce3-52158a14eb9d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json b/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json index 1476fcc9eb..d086c30668 100644 
--- a/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json +++ b/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3227165f-6e23-440e-b08b-089be554741e", + "id": "bundle--17008484-d044-4552-8a9c-8298805e7869", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json b/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json index b7d2f28edd..9514177053 100644 --- a/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json +++ b/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b1a922d-a8e3-4641-9de8-6b1051667f73", + "id": "bundle--0d5d142b-a5d2-41e4-9324-0963114ab442", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json b/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json index 38f8893af9..1b408bce94 100644 --- a/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json +++ b/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a17e3ec-39ea-4fc9-9b6f-c69879088363", + "id": "bundle--a06c7065-0106-440d-9724-ec6ec50bc800", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json b/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json index 494301830d..20ed11f94a 100644 --- a/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json +++ b/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--986bd9c7-17a5-4ca8-8b4a-63a62732fd7d", + "id": "bundle--2989eca9-ce0c-42a7-b16e-b1e7f4d60553", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json b/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json index 35a81185a0..8d224b7673 100644 --- a/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json +++ b/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ad32aaf-76cf-4053-b2cc-98416ca9136a", + "id": "bundle--3b8e3aed-e198-406f-9cde-5010d9692634", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json b/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json index 24c1e51d08..4715b89fd9 100644 --- a/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json +++ b/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80ef694b-fa9f-4952-bc13-12bae2b7da96", + "id": "bundle--a113a174-9bd2-49a7-ab4c-d3cd2ebac92f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json b/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json index 8a5a68369f..dbb6bda98f 100644 --- a/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json +++ b/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66999fd8-d9a7-414d-86fe-9026b4380497", + "id": "bundle--bbd5844e-0e22-4f94-9991-e7cddbdf551d", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json b/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json index 19a93e5fb0..d0c33d1875 100644 --- a/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json +++ b/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64556be2-241a-406c-ade3-e3fc82a66105", + "id": "bundle--6276671c-91ba-4a80-9b1e-89bdcf91f848", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json b/mobile-attack/relationship/relationship--39953612-a6e4-456a-9f9c-860dc5fed10b.json similarity index 53% rename from mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json rename to mobile-attack/relationship/relationship--39953612-a6e4-456a-9f9c-860dc5fed10b.json index 875f316bd9..80e6405415 100644 --- a/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json +++ b/mobile-attack/relationship/relationship--39953612-a6e4-456a-9f9c-860dc5fed10b.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--35cffc10-9aac-43b1-92cd-5c1ba2371dc8", + "id": "bundle--5fef69f8-7939-474a-8157-8927b1a1a298", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396", - "created": "2023-03-20T18:40:12.814Z", + "id": "relationship--39953612-a6e4-456a-9f9c-860dc5fed10b", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:23.178Z", - "description": "The user can view a list of active device administrators in the device settings.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json b/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json deleted file mode 100644 index 00ee3e864d..0000000000 --- a/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b2e1638f-6c79-4c07-baa3-8beb4c8c86e0", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2", - "created": "2023-03-20T19:00:26.780Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:01.559Z", - "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json b/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json index 3b05ddb124..47afbcc4dc 100644 --- a/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json +++ b/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ea4e872-1068-4c31-8108-a8dda7f45bc4", + "id": "bundle--ef66dc8f-94e0-421c-80a2-1b25fc07ae2d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e.json b/mobile-attack/relationship/relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e.json new file mode 100644 index 0000000000..84a915b14b --- /dev/null +++ b/mobile-attack/relationship/relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--dfed0237-67b5-45f6-8cbb-dd714bbdf667", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3a13ea43-f3d7-4b12-93fa-65eb44d02b5e", + "created": "2025-09-18T14:39:35.445Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:39:35.445Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has exfiltrated collected data to the C2.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json b/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json index a530530716..7eacd933da 100644 --- a/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json +++ b/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a408ab16-fad7-4f37-8f89-0f0e98a4cfe4", + "id": "bundle--343e3c27-c18c-43dd-906c-d829bc5b4ac6", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json b/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json index 10b1f2c799..5f09db1a14 100644 --- a/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json +++ b/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c35d7ec4-6c73-4c0d-8123-fd857684ae3c", + "id": "bundle--ad83a01d-adb5-4a13-abc9-ab111e2524f5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json b/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json index 9c5c86d7d5..2f47c42579 100644 --- a/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json +++ b/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28b22208-34d6-4422-a042-c0584fb3331b", + "id": "bundle--760c3bd0-bdc5-4f39-a091-3d35846f9b07", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json b/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json index 832dfe549f..0fbbcbadce 100644 --- a/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json +++ b/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90da8900-99c3-46b9-b01e-1c03929fbfcf", + "id": "bundle--0e013014-eb40-4187-8c3d-891b7116cfb7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json b/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json index 50a7d2da03..b2c552c727 100644 
--- a/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json +++ b/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c99bc57-f3c9-4b98-8c24-11b81df2c144", + "id": "bundle--704acaa1-4308-457b-8380-4f8afb81185e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json b/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json index 487126cd71..9193368983 100644 --- a/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json +++ b/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--029c2a0f-7797-4740-85ce-730d940e4a83", + "id": "bundle--88a288c6-5c3a-4076-92f6-dda2ff651500", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a.json b/mobile-attack/relationship/relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a.json new file mode 100644 index 0000000000..33d04d15cf --- /dev/null +++ b/mobile-attack/relationship/relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--0f1db1e7-5e99-4ac3-9323-96e9c19c6e33", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3ac8d515-8b04-4502-b0fe-b8d7d9fc410a", + "created": "2025-09-17T14:58:52.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T14:58:52.937Z", + "description": "", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json b/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json index 14676c5df8..bbbd83aa16 100644 --- a/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json +++ b/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15314125-8e84-495a-9e9a-d6f7921060dd", + "id": "bundle--621b405b-a20b-435c-be9f-2d12e9a8cb86", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json b/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json index 5d062c7b8b..8763c6ed27 100644 --- a/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json +++ b/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04167e25-8ddc-4b60-b5bd-c94462eb0fc5", + "id": "bundle--1fa37259-8fdd-405b-b19d-d6d970fa2739", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json b/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json index d14d0051af..a41bd92cf8 100644 --- a/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json +++ b/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70221db6-3bdc-488c-8bd3-d22584b2181c", + "id": "bundle--f74a2823-9ee7-4bc8-9a74-9e7f9f20d13a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json b/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json deleted file mode 100644 index 445a188ca8..0000000000 --- a/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--10215570-c6b7-449d-8450-cb47374d50e7", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3b24a287-36e1-49b9-811d-c0080147ff57", - "created": "2023-03-20T18:41:47.754Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:04.098Z", - "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c.json b/mobile-attack/relationship/relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c.json new file mode 100644 index 0000000000..20e9ef34c2 --- /dev/null +++ b/mobile-attack/relationship/relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--ad6832ef-d0d2-4cce-9a42-dd606ab90c40",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--3b55245d-6a26-4ecd-8f2f-305f8dbd572c",
+ "created": "2025-08-29T22:06:09.103Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:06:09.103Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted API returns from banking apps that detect malicious services, and modifies the methods to return back an empty list hiding the presence of the malware and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json b/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json
index ffa59f5ea7..db7c35a3fc 100644
--- a/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json
+++ b/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json
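Review bot: The added relationship `description` ends with a stray space before the closing quote (`…GodFather_Jun2025) "`), and the rewritten Scattered Spider description in relationship--3d5a1472 introduces the same trailing space (`…Mandiant UNC3944 May 2025) "`). Tooling that diffs, hashes or pattern-matches description text may treat that as a content change, so both strings are worth trimming before export. The GodFather sentence also mixes tenses ("has intercepted … and modifies … return back") while other hunks in this commit move procedure text to past tense; `has intercepted API returns from banking apps that detect malicious services and modified the methods to return an empty list, hiding the presence of the malware and other active services.` would match that convention. In the reference entry, `Ortega, F. Pratapagiri, V.` has no separator between the two authors.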
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f024a99-9818-480c-a367-00353e6e8e3f", + "id": "bundle--60d6c89b-f9e0-4fc8-93e0-2ce5dab4cba8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json b/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json deleted file mode 100644 index b40ec78059..0000000000 --- a/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--eeba1930-519f-49a4-9fae-06493e1186c0", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3be6ad82-722d-4699-8e3a-c1ea60018244", - "created": "2023-03-16T13:32:55.140Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:04.537Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json b/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json index 26c7e339b9..7ff64c7827 100644 --- a/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json +++ b/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7751cf0-bbea-4cba-b021-c77ed4842f60", + "id": "bundle--f08481f1-29bf-4ea0-a680-243bf96cb722", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json b/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json index 3ca670e3bf..cccf7966be 100644 --- a/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json +++ b/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03d846b3-31bb-41d0-bdda-1fa885faa69d", + "id": "bundle--24019f9d-d8e2-4aa2-94a6-1aee3dedd501", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json b/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json index 072ed1fd30..573c98aac4 100644 --- a/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json +++ b/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5e9fc34-14c5-45b4-b4d8-878dc36f6679", + "id": "bundle--3ac9bf7e-416c-45fb-a676-f147be644407", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json b/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json index b065f1b615..4f57d77755 100644 --- a/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json +++ b/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--476befd0-22ec-4953-85af-e79f9d47c9c1", + "id": "bundle--45757f79-e93f-481c-99aa-b3d57b789af2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json b/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json index 7de5286e5e..4590e1f8b7 100644 --- a/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json +++ b/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a910ca0b-c76c-4276-af6c-c74ef53a06bf", + "id": "bundle--04c79741-3545-4765-a173-797353eb7351", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json b/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json index 1c1e9d4b71..633abb664f 100644 --- a/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json +++ b/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9100a95a-fe6e-4d9c-ba7a-aa120c96a841", + "id": "bundle--77280670-fad1-4442-a287-c174207760dd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json b/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json index 06b727af27..bb63579e1e 100644 --- a/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json +++ b/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa44233c-2eb2-493f-b1ba-b06adb99dab0", + "id": "bundle--c06c36e1-dc37-45ba-a72f-6df1c9771ff1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json b/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json index 8b85cccc2d..2a571571de 100644 
--- a/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json +++ b/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edecab2d-dbf7-4493-83c6-a199432a5604", + "id": "bundle--f5e604bc-6002-41b6-bc33-b2cbad9ba52a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json b/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json index 19de419af4..e467f8466a 100644 --- a/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json +++ b/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--261c868b-5d87-4dc8-80f0-441a5a4fd106", + "id": "bundle--1d7e2308-aa16-4ae3-84f3-8d326694e67a", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:06.482Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:00:11.758Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered device location data.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", diff --git a/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json b/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json index 6d8a5df223..13ddb2918e 100644 --- a/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json +++ b/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d721175-3ee0-44a7-9bf2-dbb96b438312", + "id": "bundle--6a8740ae-7992-486a-bab3-570f0cde776e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json b/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json index 0ff8522209..d66683c029 100644 --- a/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json +++ b/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07d8808d-d6ee-4330-b38a-da4c44f83e8c", + "id": "bundle--57d8685f-fda1-4ab7-83e7-4abb513d8478", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json b/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json index b030b7f88b..98ce899bb5 100644 --- a/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json +++ b/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1743868-9cdb-4e7b-878e-217fe5cb8827", + "id": "bundle--71a3d667-1e8e-4e42-a27c-a43566fa48aa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json b/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json index ff515de265..1b8e7727bd 100644 --- a/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json +++ b/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--efb982a1-4e09-47b3-b7a4-df63cdf63e4a", + "id": "bundle--4c149450-7b30-4866-9390-231392ef233a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json b/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json
index 178d1df4ae..d589802fb7 100644
--- a/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json
+++ b/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4b826992-dd0c-4982-b5d4-41f326b13e8d",
+ "id": "bundle--6a84000b-1388-4212-828d-d1fd3b5e3151",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json b/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json
index 823672588e..d38c59672b 100644
--- a/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json
+++ b/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2c2901c2-2a7c-43a7-9a08-48cb3457c47b",
+ "id": "bundle--b7f21cfb-a43e-42b7-a53d-aa25b2c24265",
 "spec_version": "2.0",
 "objects": [
 {
@@ -10,6 +10,11 @@
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
+ {
+ "source_name": "Mandiant UNC3944 May 2025",
+ "description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations"
+ },
 {
 "source_name": "MSTIC Octo Tempest Operations October 2023",
 "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.",
@@ -19,14 +24,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:07.770Z",
- "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)",
+ "modified": "2025-10-13T19:54:33.892Z",
+ "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Mandiant UNC3944 May 2025) ",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b",
 "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json b/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json
index d02f90a833..b5dca3d01b 100644
--- a/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json
+++ b/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a33d199-9f89-437f-8b5d-d9a37f46085b",
+ "id": "bundle--26ce8a91-db39-49c2-98e1-25f2f716e827",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json b/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json
deleted file mode 100644
index cd0dd499e4..0000000000
--- a/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--4f77db5b-921a-4e1f-aafb-1779b91189df", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3d65c2b7-c907-45e1-b942-95f7d765e749", - "created": "2023-03-20T18:53:34.056Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:08.196Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851.json b/mobile-attack/relationship/relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851.json new file mode 100644 index 0000000000..d49195603e --- /dev/null +++ b/mobile-attack/relationship/relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--6fbf498f-055c-488f-8bfc-861d4f539c1c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--3dac9ed8-7b92-44fb-bf04-3f2179c37851",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089",
+ "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff.json b/mobile-attack/relationship/relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff.json
new file mode 100644
index 0000000000..dac46c4f16
--- /dev/null
+++ b/mobile-attack/relationship/relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff.json
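Review bot: The new `detects` relationship carries `"description": ""` and omits `revoked`, whereas the `uses` relationships added in this commit set `"revoked": false` and a populated description. The same shape appears in relationship--3e75b212 (the 54% rename from relationship--393300c4), where the earlier text "Mobile security products can potentially detect jailbroken devices." is replaced by an empty string. Tooling that builds detection coverage from the description of `detects` relationships, or that filters on an explicit `revoked == false`, will presumably need to resolve `source_ref` to the `x-mitre-detection-strategy` object and treat a missing `revoked` as false. That object is not part of these hunks, so whether the guidance text moved there could not be checked here. If the blank is intentional, a changelog line stating where the detection text now lives would help consumers migrate.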
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0a78b277-2164-44cb-a4e8-27ac366c9d12", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3dc016c9-fd28-4e02-899a-8f2b54a5d2ff", + "created": "2025-05-19T18:26:02.873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "GTIG_SignalAbuse_Feb2025", + "description": "Black, D. (2025, February 19). Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. Retrieved April 30, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-05-19T18:29:46.270Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the linked devices feature to connect Signal accounts on devices captured on the battlefield to adversary-controlled infrastructure for follow-on exploitation.(Citation: GTIG_SignalAbuse_Feb2025)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json b/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json index 81985cf9fd..ec08ab7ca8 100644 --- a/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json +++ b/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc19aa59-64ee-4936-bb73-d6149e83b56d", + "id": "bundle--ead1c469-cac1-4ef3-96fa-7299962623af", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json b/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json index d65574b7c7..232790701f 100644 --- a/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json +++ b/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e024d27-01cf-46c1-aa64-c879f7d76caa", + "id": "bundle--f7505970-7618-4a0b-9c15-9b03f4cf2972", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json b/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json index 4c0113f729..641593a11d 100644 --- a/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json +++ b/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3dcef8c5-e02e-4582-bf23-ac1500b4ee8c", + "id": "bundle--30d10135-cc7f-4066-9e72-a98cbf5ddec7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json b/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json index 23afed8361..52cb9eb971 100644 --- a/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json +++ b/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2d83bdb-a960-4afe-bd28-db946fac25ea", + "id": "bundle--fb47ab7f-7dfa-44bb-977c-93a43ac83798", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json b/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json index 6fffa68276..dec411bc9a 100644 --- a/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json +++ b/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a357991a-636e-40a3-91d5-0b019dd2a3e7", + "id": "bundle--88f9f668-a325-45a2-9c05-0cbbdb6e673f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json b/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json index 80c021b67d..31f8b90aa8 100644 --- a/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json +++ b/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ab7fcab-ab2c-4ac3-b35a-a040a8648e6f", + "id": "bundle--e7d1b6d0-7423-40b1-82c6-e7e7c928b6e2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json b/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json index 8032d0938c..bbb211c718 100644 --- a/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json +++ b/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10932f22-b0f6-4911-997b-fc6968b45830", + "id": "bundle--05664ea0-d5cf-4a20-a54f-f7168cfc602a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json b/mobile-attack/relationship/relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056.json
similarity index 54%
rename from mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json
rename to mobile-attack/relationship/relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056.json
index 763b00f415..40fae2a519 100644
--- a/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json
+++ b/mobile-attack/relationship/relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--ce6ed323-9308-4ce8-a3ed-361359ae3ba2",
+ "id": "bundle--eb27be6c-3bf0-479b-914e-bfc8725a747d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--393300c4-6852-466d-a163-1d51330fe055",
- "created": "2023-03-20T18:45:39.292Z",
+ "id": "relationship--3e75b212-b0e2-433a-a7e2-9081a2cae056",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:01.130Z",
- "description": "Mobile security products can potentially detect jailbroken devices.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936",
 "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json b/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json index ce41a76664..b4dc8d9987 100644 --- a/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json +++ b/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--728cb7b6-d3a5-4b98-8797-d0780223d844", + "id": "bundle--f8bdf5a9-6553-4d4d-81d2-c26e993605f4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json b/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json index bcf8a34f93..86053f8568 100644 --- a/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json +++ b/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--368d082d-19fa-4dd5-afb0-352ecd4beaf1", + "id": "bundle--a50673f0-7c85-4c7c-a749-2494ca236cd1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json b/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json index 829f319995..0673af4894 100644 --- a/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json +++ b/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--663cce63-6485-4180-a6be-ae53bdcb2d33", + "id": "bundle--99235f7c-87b0-44bc-9f92-75b354ed0c09", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json b/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json index d9b75bf997..d62fa6ecd1 100644 
--- a/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json +++ b/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--067ad55b-07bc-4429-9382-562ae2eda8a8", + "id": "bundle--fd599b8e-39e2-4603-a54d-042c962e502b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json b/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json index 7d24c0d12f..160cb66e66 100644 --- a/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json +++ b/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c99e3a9d-0d3c-450e-adf4-18b008e41bbe", + "id": "bundle--eef6a62b-7350-46d0-ad15-5f9b09234e17", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json b/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json index 5c27dec8d5..f4d09f3c0d 100644 --- a/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json +++ b/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f60d11ef-c041-4e7e-969e-3a1cec55de4d", + "id": "bundle--d6a694cb-74e8-4d64-b1c0-69971b8e19fd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json b/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json index e78d3b5c84..3e582d43a3 100644 --- a/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json +++ b/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b849e8d-1e47-4d49-b744-4ca651681617", + "id": "bundle--959ddb6f-f410-477e-83bd-bfdbf57a6d53", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json b/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json index 45c951d186..da54940ed5 100644 --- a/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json +++ b/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61a5b393-6a36-4b46-b85c-1e7d06bfb788", + "id": "bundle--f7acc351-fded-4e6e-9ad7-3c44740059d3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json b/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json index 30c3b39d93..9e5466b423 100644 --- a/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json +++ b/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e687804d-7c6d-46c9-8922-5f1f3ace4d1b", + "id": "bundle--1906236c-57d0-43af-95ef-0f36d48da13f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json b/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json deleted file mode 100644 index 7febe2a9e7..0000000000 --- a/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--2e9e1a1b-8ccf-4827-8f07-48eec095bb6b", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd", - "created": "2023-03-20T18:43:03.117Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:12.147Z", - "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json b/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json index bec708c6f4..6c83fdcecc 100644 --- a/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json +++ b/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70c93662-9fa3-43ab-9157-b2c017ac8207", + "id": "bundle--9ef8c453-5654-4548-b0a2-484955395159", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json b/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json index fd85067391..241b4b419d 100644 --- a/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json +++ b/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b313ead-51d1-47da-bae4-c89b21882155", + "id": "bundle--bc499628-95ff-4926-9631-628cbdc5bb77", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json b/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json index 73f61a538e..e68ca57600 100644 --- a/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json +++ b/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d4dfb5ee-ca35-4aa9-9790-d3abe701ba2d", + "id": "bundle--d80c646a-9691-4661-b04f-8aa95e9e7371", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json b/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json index 2c47d5638c..5094083ece 100644 --- a/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json +++ b/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--413c4d40-26a6-4e02-a819-92dc4fbcaa62", + "id": "bundle--99b026f1-4d8e-476c-ac54-23defd4cf55f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json b/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json index 47c431b476..12e6fd34a8 100644 --- a/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json +++ b/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2ccd797-2830-41d1-909c-48fd2edeca86", + "id": "bundle--3c15d54f-b53d-4afa-98ae-65da91676b63", "spec_version": "2.0", "objects": [ { 
@@ -19,8 +19,8 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:13.215Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-07-07T22:00:29.252Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has sent stolen data over HTTP.(Citation: cyble_chameleon_0423)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
diff --git a/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json b/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json
index ce749805b4..d76b54f86f 100644
--- a/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json
+++ b/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0eb3a1bc-c4aa-45b7-b57a-4decd12584ab",
+ "id": "bundle--1d161897-6b78-42e4-a122-77f3886f1196",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json b/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json
index a3c15a2f96..7868132528 100644
--- a/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json
+++ b/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68c64a88-6e56-419b-88b1-a7eb2aa6e491",
+ "id": "bundle--30dc7b0b-5f2d-4ab6-ac6c-35772c274373",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json b/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json index 0c8353ae36..7655877644 100644 --- a/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json +++ b/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c8a7b8e-3b42-4771-9dad-b8c795a49d38", + "id": "bundle--435bdfb7-b9f6-4379-ac15-eecbcc10aefc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json b/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json index b56718d0aa..ce7745d8dd 100644 --- a/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json +++ b/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4add9506-697f-47db-a9cb-a312380547ba", + "id": "bundle--afff37c9-a309-423d-925d-4eead9d1952e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json b/mobile-attack/relationship/relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249.json similarity index 51% rename from mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json rename to mobile-attack/relationship/relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249.json index 194903da49..8a23214c27 100644 --- a/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json +++ b/mobile-attack/relationship/relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--6b8235f5-4917-4f1e-b305-fe52e14d5338",
+ "id": "bundle--bdb09d0b-e711-431e-a75a-29fbdac224b0",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--d63de13b-0253-42f4-b13d-34bccf76ad94",
- "created": "2023-03-20T18:54:50.323Z",
+ "id": "relationship--413cb53b-9cc0-4c6a-bb63-0214405a9249",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:53.720Z",
- "description": "Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117",
 "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json b/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json
index 78e9b6aa90..b24739d09a 100644
--- a/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json
+++ b/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6829d114-dc59-4c47-9586-0f59fcb8bd9c",
+ "id": "bundle--ba4ed084-1369-4096-8c03-8f78f3af6009",
 "spec_version": "2.0",
 "objects": [
 {
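Review bot: The new `detects` relationship ships `"description": ""`, so the vetting guidance the old object carried inline (the `startForeground()` text) can no longer be read from the relationship; a consumer has to resolve `source_ref` to the `x-mitre-detection-strategy--c048a994-…` object, which this hunk does not show. `description` is optional on a STIX relationship, so I would remove the line `"description": "",` rather than emit an empty string that coverage tooling may render as a blank detection. Tooling that selects detections by the `x-mitre-data-component--` prefix on `source_ref` would presumably also stop matching these objects and should be checked against the new type. The same pattern appears in the renames to relationship--41b72054-…, relationship--41e79691-… and relationship--45101937-…, and in the new file relationship--42e5e24c-…. The old id `relationship--d63de13b-…` is replaced outright here with no revoked or deprecated object visible, so id-keyed consumers likely need the release notes to reconcile it.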
diff --git a/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json b/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json index a4fa3c85de..357858bae7 100644 --- a/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json +++ b/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c173c6d5-0407-4608-94d9-3f4f906e8d65", + "id": "bundle--86f98273-0f6f-40ed-9fdc-43aac3959d9f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json b/mobile-attack/relationship/relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24.json similarity index 51% rename from mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json rename to mobile-attack/relationship/relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24.json index 4c17436b42..46111df15f 100644 --- a/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json +++ b/mobile-attack/relationship/relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--83022e74-2cc6-4bbc-81a3-f56c95d331b6",
+ "id": "bundle--5fa70afd-317f-48ec-bd63-c787d38e3e61",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--74080f4f-1de2-464f-8ec1-0635fc142273",
- "created": "2023-08-08T16:23:41.141Z",
+ "id": "relationship--41b72054-bb0d-40e8-b1fc-298fe0ddcb24",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:31.040Z",
- "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "source_ref": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19",
 "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json b/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json
index 1631e15be4..2d38f5d975 100644
--- a/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json
+++ b/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4713a644-55e3-4b4d-a541-4feee4d937a5",
+ "id": "bundle--3811bc0a-9190-4aa7-bc5b-64676ff36355",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json b/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json index 8eae90bdd5..467c6abe9a 100644 --- a/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json +++ b/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37194170-4c37-484d-9dbf-c7e66bdbfc42", + "id": "bundle--2134535e-6050-4613-a745-987e45e2be07", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json b/mobile-attack/relationship/relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5.json similarity index 52% rename from mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json rename to mobile-attack/relationship/relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5.json index 0ab91208f0..c580d21c54 100644 --- a/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json +++ b/mobile-attack/relationship/relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--ea8903c8-644e-44c2-a5ea-6b84f0f591f1",
+ "id": "bundle--bb764283-2ba8-4236-aa10-c13840515b69",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--bfad064a-0a49-44e3-b283-94653edc12af",
- "created": "2023-08-07T17:13:04.270Z",
+ "id": "relationship--41e79691-b3b9-4d7f-9bca-c2d814090ee5",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:18.776Z",
- "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206",
 "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json b/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json
index 8b70cdc6b6..455d6be859 100644
--- a/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json
+++ b/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ca8d1c69-30c6-4fcf-a8da-4f7c47d1a97a",
+ "id": "bundle--8e78c298-78a2-4f13-b505-d1590223537f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json b/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json index 3503433f76..dc9057741b 100644 --- a/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json +++ b/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d35bd880-b354-4a7c-af7b-7e1d5ee5e0ab", + "id": "bundle--79fe9599-29cc-443f-ade7-502f654a5955", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json b/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json index f95c260219..f6773bf35f 100644 --- a/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json +++ b/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8a0d889-d785-4afc-ab88-9451d9267e9a", + "id": "bundle--f4e0a28d-8c25-4875-8041-3fbe53e0538a", "spec_version": "2.0", "objects": [ { 
@@ -14,19 +14,24 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:15.528Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called \u2018CoinSpot\u2019, and IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ",
+ "modified": "2025-10-08T20:12:09.676Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as legitimate applications, such as a cryptocurrency application called \u2018CoinSpot,\u2019 the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023) ",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json b/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json index 81925652f5..2df73d9458 100644 --- a/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json +++ b/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38391d22-535b-4403-8b71-7741a940e656", + "id": "bundle--932827eb-ddc3-4344-b0fb-4d0e28c60457", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json b/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json index dc51125f08..d2a73a9333 100644 --- a/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json +++ b/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fdefed05-730c-4d13-a5b7-6b822b46d79a", + "id": "bundle--852fd44d-9a31-449d-b35d-1378eea603ab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json b/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json index ac7af5bdb1..302c5d5a0a 100644 --- a/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json +++ b/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08e44e8e-6e93-409b-afb5-cdbb84850de1", + "id": "bundle--0990f93a-f112-45b3-a0ba-50b6a4865720", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json b/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json index 3e8e56e04e..1c7410bc07 100644 
--- a/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json +++ b/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34c82cc4-e887-4112-9600-65c30fd6ae2b", + "id": "bundle--6e961eb2-5b51-449e-9540-3d837d0fbf36", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json b/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json index e123921dd3..779e22cb74 100644 --- a/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json +++ b/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--14d6ccba-660e-4639-93e2-53a400abc1e1", + "id": "bundle--08702c89-74f2-4583-aec6-00bca0fe8307", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e.json b/mobile-attack/relationship/relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e.json new file mode 100644 index 0000000000..62bfe9bbc2 --- /dev/null +++ b/mobile-attack/relationship/relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--f22fb928-9682-466e-9ad4-299e60136815",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--42e5e24c-eeb3-46f3-99f1-81015cd4f34e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json b/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
index 738988d40e..abb14f4b7b 100644
--- a/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
+++ b/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f3e71a2b-fd58-4587-af44-f81cfd35d728",
+ "id": "bundle--c1c04912-4953-4429-9072-16772becdb9c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json b/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json
index bfde089427..9b57720e1f 100644
--- a/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json
+++ b/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ffe5bf04-2aea-4e39-9f91-06519172bb83", + "id": "bundle--ed86d951-0e56-4141-82e9-a0818d341c33", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json b/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json index 968cf362b2..db932c0b27 100644 --- a/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json +++ b/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d741d23-3128-4d5d-bfcf-9e37a8fc336c", + "id": "bundle--dd3ecdb3-f438-4bde-821d-cabb43dc4890", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json b/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json index ff068601ce..742a27f947 100644 --- a/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json +++ b/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c19d857-47e5-44c5-9643-f34bbfbd7014", + "id": "bundle--7206aad1-8e0c-48cf-ad92-60f175a224ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json b/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json index 90c90a2d35..cbd23e0a51 100644 --- a/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json +++ b/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb128868-7650-411b-a1a2-e1cae2e3a187", + "id": "bundle--7619db37-1073-43ad-a79a-e073a7fa7d5e", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json b/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json index 401baac778..d8b397845b 100644 --- a/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json +++ b/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--464ef868-52a7-421e-8e3f-69e0ebfebde0", + "id": "bundle--2bbcc1bf-cdb1-4615-a355-2e43a08b598a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json b/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json index 61f78caad2..0011e87488 100644 --- a/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json +++ b/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2209877-0523-4c04-8b7e-f7a999a0fd91", + "id": "bundle--648869cc-3deb-49da-b79c-ce27ecb9c501", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json b/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json index 9c4f658390..bef0a6f5ad 100644 --- a/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json +++ b/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8797aff-dcb7-4777-8881-b52d266ce450", + "id": "bundle--7c99c880-e466-47e2-933f-2674de1c3569", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json b/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json index 1c3d6259b8..e67927bcde 100644 
--- a/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json +++ b/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5190614-d5dc-4456-9c30-fd13e1214c4f", + "id": "bundle--56ead897-e784-45ca-b26c-7a3068063793", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json b/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json index 9dafd9d183..c9cfe81462 100644 --- a/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json +++ b/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eaa84ee7-df35-413b-9f1a-0a80ece2d401", + "id": "bundle--6e037fa0-514f-4d74-ac11-054165d61622", "spec_version": "2.0", "objects": [ { 
@@ -13,20 +13,20 @@
 {
 "source_name": "Trend Micro iOS URL Hijacking",
 "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
+ "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:19.024Z",
+ "modified": "2025-09-08T16:44:09.587Z",
 "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
 "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json b/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json
index 32743bc6d3..b47f84f180 100644
--- a/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json
+++ b/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--59b23e65-e4a0-4f27-9cd8-48f291cf413c",
+ "id": "bundle--a8caddcd-7728-4ce6-a8f0-3c813c4414c7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json b/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json index 15fb545ea1..4ce0bcc290 100644 --- a/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json +++ b/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--267641b7-69b3-4c80-a77d-fe92ca314034", + "id": "bundle--e4bf275c-6d1b-4390-9308-2c64d33bf760", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json b/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json index 9f45c31c4c..872ef1439c 100644 --- a/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json +++ b/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--761c1594-3d28-49c2-a750-000b0926e8bf", + "id": "bundle--ed1a5ad8-a8bf-40c4-80c7-b6c72d0c7f10", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json b/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json index 0851b278b8..7cc197a859 100644 --- a/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json +++ b/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e086a52-fa13-4ef3-8f93-164cf5e5cc4e", + "id": "bundle--59e6fa3b-e3c1-4b17-a0d6-d52b2b20b4c6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json b/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json index d569c4023a..dc6d2f2a1d 100644 
--- a/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json +++ b/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e8afee8-3c81-4dce-a56e-eaa2e1ef840b", + "id": "bundle--692be5f4-2e3f-4870-a143-cef676c02ff6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json b/mobile-attack/relationship/relationship--45101937-578d-4782-8173-77d26e024763.json similarity index 50% rename from mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json rename to mobile-attack/relationship/relationship--45101937-578d-4782-8173-77d26e024763.json index f818cffa51..ab20ad6959 100644 --- a/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json +++ b/mobile-attack/relationship/relationship--45101937-578d-4782-8173-77d26e024763.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--8e27e372-5d5e-45f8-b32e-759128bf1ef9",
+ "id": "bundle--32e5728b-95e7-4b6a-9cf2-524254d386ce",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106",
- "created": "2023-03-15T16:26:38.465Z",
+ "id": "relationship--45101937-578d-4782-8173-77d26e024763",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:34.113Z",
- "description": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "source_ref": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b",
 "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json b/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json
index b64b9e9145..7751f7d942 100644
--- a/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json
+++ b/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aa560e77-b6d0-4a0a-8243-61be9b0503ec",
+ "id": "bundle--b44a74af-b191-4733-9db5-f0f94c95eaf6",
 "spec_version": "2.0",
 "objects": [
 {
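Review bot: The new `detects` relationship ships `"description": ""`, so the vetting guidance the old object carried (the `BIND_NOTIFICATION_LISTENER_SERVICE` check) is no longer readable from the relationship, and a consumer has to resolve `source_ref` to the `x-mitre-detection-strategy` object, which this hunk does not show. The same empty string appears in `relationship--45b2b93c-…`, `relationship--45cd8890-…`, `relationship--4776d2fc-…` and `relationship--48c9d015-…`. If the text has deliberately moved, omitting the optional key is cleaner than an empty value: drop the line `"description": "",`. The previous id `relationship--ca0d9894-…` is also removed outright rather than kept with `"revoked": true` or `"x_mitre_deprecated": true`, which presumably leaves id-keyed detection mappings without a pointer to the replacement.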
diff --git a/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json b/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json
index 6b546b4b5d..dd88ad1eb3 100644
--- a/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json
+++ b/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--52901855-8b46-4fb4-be3e-b7258d8b53b5",
+ "id": "bundle--66095415-5e82-4192-9e0a-d6d9afc024af",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json b/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json
index 4384b27227..ef72aeac16 100644
--- a/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json
+++ b/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9500ebe5-eb3c-4c83-b943-507f028f5601",
+ "id": "bundle--7098f6b7-2bb6-4b2a-bdf1-0bd2565f82dd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json b/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json
index d107bc1446..4215f5c3b2 100644
--- a/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json
+++ b/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ccf23127-0ca9-4406-abf1-13357db7054f",
+ "id": "bundle--b29756af-71ae-4962-b061-b27bbc55a283",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json b/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json
index a327c9d9a2..a5bd0e6b92 100644
--- a/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json
+++ b/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--10ae176d-8154-4bd9-9a59-f9b4d31a6115",
+ "id": "bundle--f5694b25-d5af-44ca-9075-5b3c6a2bfb9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json b/mobile-attack/relationship/relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5.json
similarity index 51%
rename from mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json
rename to mobile-attack/relationship/relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5.json
index 285d58e372..4b1f801d63 100644
--- a/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json
+++ b/mobile-attack/relationship/relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--14168e4d-cb66-41cc-b987-6f74f36b83b3",
+ "id": "bundle--49229778-3457-4b55-a068-c0dd67da6cc4",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360",
- "created": "2023-08-08T22:50:32.635Z",
+ "id": "relationship--45b2b93c-86fb-412c-b2e1-d4d267715bd5",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:43.270Z",
- "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "source_ref": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de",
 "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json b/mobile-attack/relationship/relationship--45cd8890-fd9c-4de8-966c-20b6157d4979.json
similarity index 54%
rename from mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json
rename to mobile-attack/relationship/relationship--45cd8890-fd9c-4de8-966c-20b6157d4979.json
index c78e2d834a..c70af45738 100644
--- a/mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json
+++ b/mobile-attack/relationship/relationship--45cd8890-fd9c-4de8-966c-20b6157d4979.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--5cf919fc-cb2a-46dc-88d1-cc88999598f8",
+ "id": "bundle--677d3a03-b697-4709-aaea-7dccfb9892b5",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6",
- "created": "2025-03-14T17:58:15.093Z",
+ "id": "relationship--45cd8890-fd9c-4de8-966c-20b6157d4979",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:52:23.576Z",
- "description": "Monitor for API calls that are related to GooglePlayServices. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+ "source_ref": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e",
 "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json b/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json
index 864c5b8dd1..0c94e92fdb 100644
--- a/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json
+++ b/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b466cc9-a515-4114-b2cb-9950a818224a",
+ "id": "bundle--abfb6ac8-886f-4a8f-b056-e59fa0fde542",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json b/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json
index 9281199b96..de8231b6e5 100644
--- a/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json
+++ b/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--98f13674-481b-4d83-a58c-c3221c8d95f0",
+ "id": "bundle--9da3375e-a0a0-4255-b293-9cf1e3f70676",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json b/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json
index c20bde3ad7..b0f0266419 100644
--- a/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json
+++ b/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f5fde6e8-d569-4c40-9624-8c9545a46656",
+ "id": "bundle--620ab920-61d9-4f2c-93d0-4e57ea5575aa",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json b/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json
index dad64cea61..2c9d6db294 100644
--- a/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json
+++ b/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1764c924-b589-499e-8dff-d27cd98e00e5",
+ "id": "bundle--4035a574-d6bf-4007-bf88-dbc8db833487",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json b/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json
index 09074eef75..f46dbe43ab 100644
--- a/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json
+++ b/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18ba73ab-4c28-4199-8309-09f12fe5f726",
+ "id": "bundle--21454fef-1d09-4b87-8470-735e59756268",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json b/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json
index 0505fec2a4..3b20bae7be 100644
--- a/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json
+++ b/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c36c45b7-e73d-4f3c-821a-4f952c63f7dc",
+ "id": "bundle--b49e95c8-3efd-412e-8803-0b0c4ef6d241",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8.json b/mobile-attack/relationship/relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8.json
new file mode 100644
index 0000000000..147e478e25
--- /dev/null
+++ b/mobile-attack/relationship/relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--bd6c834f-7c75-4350-a708-6fb60defa85d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--4776d2fc-cb18-4453-8c3d-26d05728c3a8",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2",
+ "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json b/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json
index 6289c6201f..17a6cf24dc 100644
--- a/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json
+++ b/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--26972e5b-361e-4142-989e-970d04d8a6ed",
+ "id": "bundle--89f53571-3b1f-441d-9eeb-375b456c8e1b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json b/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json
index 4a5897d105..4ba63695c7 100644
--- a/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json
+++ b/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2a8b164a-69ee-410d-ad60-e72a633f00e8",
+ "id": "bundle--35b72124-c6d4-448a-82aa-e82218730408",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json b/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json
index f8fb8ce6b6..2944cbbdbe 100644
--- a/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json
+++ b/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0c5e7435-8663-44e9-bb83-721d1541b239",
+ "id": "bundle--bcd97968-fde9-4354-99dc-8a06edbea685",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json b/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json
index 0691422b67..73b998fbd1 100644
--- a/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json
+++ b/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d864006f-c25e-4ada-9bee-0df9b00c3b17",
+ "id": "bundle--42a53bd7-0921-4b4d-a538-58ce0b1954c2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json b/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json
index a828448bf0..f9438ec890 100644
--- a/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json
+++ b/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d634a442-7a47-44a5-957a-57c22cf50240",
+ "id": "bundle--9faee4f9-efc3-430b-84a2-08544252d220",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json b/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json
index ea3f1b9107..0dbb634585 100644
--- a/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json
+++ b/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6247aa91-d3f5-4059-9b02-5a50abc652f4",
+ "id": "bundle--98866f89-19a6-4c3a-8db2-89306906b7e1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json b/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json
index b54f34a5c1..58cb1952e3 100644
--- a/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json
+++ b/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68a85ebc-a577-4495-99e6-5c2b5757122d",
+ "id": "bundle--3a0fc79f-7417-4fec-8e9f-913d5dad346f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json b/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json
deleted file mode 100644
index 8d23643ffc..0000000000
--- a/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--88a0ed7f-fe5a-475a-9334-6dc3017578e7",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--4897ef75-0035-4ae5-b325-de2f6b27565f",
- "created": "2023-09-21T22:31:28.428Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:48:24.429Z",
- "description": "Application vetting services may look for indications that the application\u2019s update includes malicious code at runtime. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json b/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json
index 8ddb0775f2..c7f41ec434 100644
--- a/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json
+++ b/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c1961808-e4ad-45f8-abd0-ae96a4be9779",
+ "id": "bundle--d55f2ed3-e482-4005-a78a-ee5ad06e688e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json b/mobile-attack/relationship/relationship--48c9d015-70bb-4142-8f02-c492b9a2d573.json
similarity index 54%
rename from mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json
rename to mobile-attack/relationship/relationship--48c9d015-70bb-4142-8f02-c492b9a2d573.json
index eaf40359c6..e2e39c8426 100644
--- a/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json
+++ b/mobile-attack/relationship/relationship--48c9d015-70bb-4142-8f02-c492b9a2d573.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--40cdc72e-3fe4-4628-883b-ac23251e8d39",
+ "id": "bundle--4b86d4bf-3b5f-4418-82ee-6fa49ae6d7ee",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--bc79a212-139f-4dce-be72-e90585f38f03",
- "created": "2023-03-16T18:31:37.091Z",
+ "id": "relationship--48c9d015-70bb-4142-8f02-c492b9a2d573",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:12.115Z",
- "description": "The user can view their default phone app in device settings.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "source_ref": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d",
 "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json b/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json
index 7e3f04eff4..6553b20e4c 100644
--- a/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json
+++ b/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5642c8c-1780-4b02-ac29-473691e4bce7",
+ "id": "bundle--b78d1238-0827-4056-8f29-f9b808400ea3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json b/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json
index f0f00c0305..37eb0af0c4 100644
--- a/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json
+++ b/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a062ba1e-ee9d-46ee-8b3a-aaaa28bf8712",
+ "id": "bundle--d3e76157-4ee7-4a1a-b5fd-1bf232e573b4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json b/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json
index 6a33d51a4f..f316deae47 100644
--- a/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json
+++ b/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3c72073f-dac4-4d63-bafc-027c07728242",
+ "id": "bundle--94cf6c44-747b-4016-a8ad-0a90ed5e22fd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json b/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json
index d1bf2113f7..1c8f6183ba 100644
--- a/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json
+++ b/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c1031236-0d92-40e6-ad94-e9b78836ab1a",
+ "id": "bundle--4fa8093b-a2ce-4f0f-9276-892ac550d920",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--494d08df-ad69-49c4-890a-fb8dd3025491.json b/mobile-attack/relationship/relationship--494d08df-ad69-49c4-890a-fb8dd3025491.json
new file mode 100644
index 0000000000..baec1494af
--- /dev/null
+++ b/mobile-attack/relationship/relationship--494d08df-ad69-49c4-890a-fb8dd3025491.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--b9f70be2-5355-4220-80dd-7aafcf6c3f4c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--494d08df-ad69-49c4-890a-fb8dd3025491",
+ "created": "2025-08-29T21:59:13.102Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T21:59:13.102Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has hooked onto the `getEnabledAccessibilityServiceList` API to return an empty list of active services, which hides [GodFather](https://attack.mitre.org/software/S1231) and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json b/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json
index df0dfd50cd..d1e72dc38f 100644
--- a/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json
+++ b/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json
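Review bot: The added `description` ends with a stray space inside the string (`…GodFather_Jun2025) "`), and the citation text lists the authors as `Ortega, F. Pratapagiri, V.` with no separator between them; trim the trailing space and write `Ortega, F., Pratapagiri, V.`. Because the behaviour recorded here is tampering with what `getEnabledAccessibilityServiceList` returns, it may be worth one clause saying that an empty result from that API on the device is not evidence that no accessibility service is active, so readers building checks do not rely on it.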
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--120a5aec-1ecc-4fdb-8b0b-726a9fb7abae",
+ "id": "bundle--2b3d8892-9a78-4f21-9e50-aa67ec54d668",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json b/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json
index 18f34c8704..ecb0922f4d 100644
--- a/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json
+++ b/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e21ed33f-4801-4b3d-9d1e-05e90c73fea3",
+ "id": "bundle--3f606923-313b-42d9-a0fa-3f050ff2442b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json b/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json
index d3e9632cb5..50a5220734 100644
--- a/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json
+++ b/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--262a0892-8ace-4db2-a15f-fc406181dc78",
+ "id": "bundle--d8283240-9c1c-496e-8ded-6ee6e5ff15c9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,8 +19,8 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:26.280Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-07-07T22:00:48.643Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
diff --git a/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json b/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json
index 7746b79f57..7d7820323e 100644
--- a/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json
+++ b/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a9539cf8-d44c-497a-ad7e-6ef1033fa4db",
+ "id": "bundle--618762e5-45a7-46c1-a97e-6a8353a5fa8e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json b/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json
deleted file mode 100644
index 3691e2be6c..0000000000
--- a/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--e368bed7-5980-486e-a1da-554bf5e020fb",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57",
- "created": "2023-03-20T18:43:49.345Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Android-AppLinks",
- "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.",
- "url": "https://developer.android.com/training/app-links/index.html"
- },
- {
- "source_name": "IETF-OAuthNativeApps",
- "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
- "url": "https://tools.ietf.org/html/rfc8252"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:48:26.704Z",
- "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json b/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json
index 4671b7e677..f9bc513b76 100644
--- a/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json
+++ b/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53b033a6-2c74-41ff-8e12-f4a04628056d",
+ "id": "bundle--1bc205d0-2ad1-4868-b4bb-ef724bd66bba",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json b/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json
index b7e6f3e14f..04203ae282 100644
--- a/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json
+++ b/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--895f259b-2a71-42d7-ae3c-69cf04a693fc",
+ "id": "bundle--f04a4f8d-706e-426c-afd9-de3da34bff1e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json b/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json
index 6ce87ffb8b..3fdb3518b4 100644
--- a/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json
+++ b/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--991d9de4-2dd1-4e6f-8cf5-1602d3d1da27",
+ "id": "bundle--339e6e03-46c3-4407-9a74-61da256d28a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json b/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json
index e0447f3dba..9865442961 100644
--- a/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json
+++ b/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--febc4517-2bae-456a-9178-b63ed133f3cf",
+ "id": "bundle--0937c8e2-5d71-4fe7-a0e3-a74a50eee2c8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json b/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json
index 9fc2877ec4..5499e91f9f 100644
--- a/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json
+++ b/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b7cff5f-ac56-484c-95fa-6c824414fd93",
+ "id": "bundle--73fc7ec4-2749-4f33-9c39-944c03ed853b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json b/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json
deleted file mode 100644
index 4355a2481c..0000000000
--- a/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--4cd26b38-07f5-4f05-b9de-f2763de5ffbd",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d",
- "created": "2023-03-16T18:28:40.419Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:48:27.979Z",
- "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json b/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json
index 78c80ad8ce..5ecaa8b219 100644
--- a/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json
+++ b/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--66d13e0d-ee5e-4d8e-a95a-8378103e44ed",
+ "id": "bundle--397f3257-3cf5-4ab7-bcfe-0b5ad17e684c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json b/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json index e26f5a214e..228f751666 100644 --- a/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json +++ b/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0e0fad0-c66e-4615-9e85-fdacb7cfd298", + "id": "bundle--803bd397-1923-462e-87b3-d693fe15507e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json b/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json index d25070b0f2..4a0e3c0b70 100644 --- a/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json +++ b/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22b15272-5310-4177-b770-8e39abf8b95d", + "id": "bundle--b7044a34-b274-49ce-af64-7b9bbd31a35f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json b/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json index 443422a556..9d1d2396dd 100644 --- a/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json +++ b/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d84c8158-3962-43de-b8cd-1a75075e8f70", + "id": "bundle--19727cd0-c261-4832-b55a-7d0a1d292f79", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json b/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json index 28dbdc5114..52cfe5f8b0 100644 
--- a/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json +++ b/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5bb56b0-4112-4f03-94ef-c3cc76db7b4c", + "id": "bundle--81702508-4445-4043-8506-08e51e361d1a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json b/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json index 697b839061..73ea96d464 100644 --- a/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json +++ b/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d37d7170-501f-464a-b9c2-2001cfe35c1d", + "id": "bundle--a7caa0fc-a08c-490d-8ea3-0502f7be6a29", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json b/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json index a2cb28fb98..52c43f7502 100644 --- a/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json +++ b/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13843ceb-df6e-4eaf-b93d-6fec79992b1e", + "id": "bundle--fed5caa0-92ae-41e0-a2eb-574dba050482", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json b/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json index 92c729001c..55285e14cb 100644 --- a/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json +++ b/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b060596-24ea-4e3a-9a8b-e8159c7a299d", + "id": "bundle--c5038260-1fb7-4160-93d5-300cf3792c9d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json b/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json index 59b5d3cc34..fb073d323c 100644 --- a/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json +++ b/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b143ef69-1701-4d69-891a-a6ed9a0a6b0d", + "id": "bundle--240344dc-c1d0-42c2-96f0-956bada17734", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json b/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json index b925687b00..f8fa6d9776 100644 --- a/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json +++ b/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba551b88-c2d3-43d2-b266-dcdce9cea16b", + "id": "bundle--dcbfa8ff-2213-4734-aeb1-9b843961d136", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json b/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json index 9ef439145a..6023f35cf8 100644 --- a/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json +++ b/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b68dbeb6-bbed-4f75-b293-3e360a8e9c69", + "id": "bundle--81a2fa59-5dce-4e4a-a863-9d2cc839ba12", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--4bfd9b27-243b-46f7-927a-babc76db65d2.json b/mobile-attack/relationship/relationship--4bfd9b27-243b-46f7-927a-babc76db65d2.json
new file mode 100644
index 0000000000..bbc3f75cea
--- /dev/null
+++ b/mobile-attack/relationship/relationship--4bfd9b27-243b-46f7-927a-babc76db65d2.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b8b3d5a-01ff-40ba-be75-57e094d4c6fd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--4bfd9b27-243b-46f7-927a-babc76db65d2",
+ "created": "2025-06-16T17:27:19.466Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-16T17:27:19.466Z",
+ "description": "First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see [Application Versioning](https://attack.mitre.org/techniques/T1661)). ",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json b/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json
index c00025b2cd..12004a8864 100644
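Review bot: The `description` of the new `mitigates` relationship in relationship--4bfd9b27-243b-46f7-927a-babc76db65d2.json ends with a stray space before the closing quote, `…/techniques/T1661)). "`, which ends up in rendered mitigation text and in any exact-match comparison a consumer does; end the string at `T1661)).`. The enumeration also mixes `First,` with `Secondly,`; `Second,` reads more evenly. The advice about going to Settings, then Accessibility, and the Google Play Store reference are Android wording; if the target technique also lists iOS (not visible in this hunk), a leading `On Android,` on those sentences would make the scope explicit.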
--- a/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json
+++ b/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--55303354-2e85-44f2-a6d0-c7bb5bf9bd3a",
+ "id": "bundle--0bc39e04-0a00-47b0-b205-5dae00c7106a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json b/mobile-attack/relationship/relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0.json
similarity index 53%
rename from mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json
rename to mobile-attack/relationship/relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0.json
index ac92a28091..c1bd74cd5a 100644
--- a/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json
+++ b/mobile-attack/relationship/relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--2aed34a7-f8ea-4f79-884f-699302990135",
+ "id": "bundle--ee66f0f4-dc2f-4f68-bc4a-7d627120153c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc",
- "created": "2023-03-20T18:14:50.401Z",
+ "id": "relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:52.520Z",
- "description": "Mobile security products can use attestation to detect compromised devices.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9",
 "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json b/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json
index 8853d8d5c3..cf7f85d18d 100644
--- a/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json
+++ b/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6d2e7e1d-65e9-43c3-bde0-c558558c4c5a",
+ "id": "bundle--6079ab6c-bcd8-462f-a61c-460888200929",
 "spec_version": "2.0",
 "objects": [
 {
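Review bot: The re-created `detects` relationship in relationship--4c363f2c-5d7a-4a9f-9fb5-684b530122f0.json is published with `"description": ""`, so the guidance the replaced object carried ("Mobile security products can use attestation to detect compromised devices.") is gone from this edge. Its `source_ref` now points at an `x-mitre-detection-strategy` object that this hunk does not show, so presumably the text is meant to live there; that is worth confirming, because consumers that render or index relationship descriptions will now get an empty string. The object also drops `revoked`, whereas other objects in this commit set it explicitly; for consistency keep `"revoked": false,` after `created_by_ref`. Git pairs the two files as a 53% rename, but the relationship id changes, so relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc disappears without a revoked or deprecated record, as do relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d and relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1 in the deleted files of this diff.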
diff --git a/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json b/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json index 80dc44edeb..6a4028051f 100644 --- a/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json +++ b/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--acbcb8ae-64fb-45fc-91fd-c9ea1a0fdeef", + "id": "bundle--5595d329-6852-44f6-9495-4316bd0f5d19", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json b/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json index 51ebaf09d1..1bc42051c9 100644 --- a/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json +++ b/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08b3562b-fe92-45b7-b2fc-d5308a500c58", + "id": "bundle--d8f1c8bf-beae-4eae-b714-1db73e1bc48c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json b/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json index 06387b84b2..cb0e0a7afd 100644 --- a/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json +++ b/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16686d7d-29cd-4862-a10a-c2684ffffc5d", + "id": "bundle--b4d9ad03-28b0-4fb9-a845-123741038c72", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json b/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json deleted file mode 100644 index f06ea590a2..0000000000 
--- a/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--848767c8-e369-4cd1-904a-6f75e5128a23",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1",
- "created": "2023-03-20T15:16:19.428Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:48:31.575Z",
- "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
- "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json b/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json
index 13e7c48845..fabf9d1852 100644
--- a/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json
+++ b/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d1992c81-ea5d-43e7-a4f1-04f929c6b13d",
+ "id": "bundle--6894ca12-2f3e-4aec-a7eb-e5dbaaa1fa4f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json b/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json
index ed21bb39b0..f59952fc55 100644
--- a/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json +++ b/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--745016b0-1551-4f2e-b834-10517be47986", + "id": "bundle--b37c2ea2-3f8c-4b3e-9034-c6600c7f45cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json b/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json index 6f8ce084c8..c073d662a3 100644 --- a/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json +++ b/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd660a09-f90d-48e7-baa8-2906c0e4abe9", + "id": "bundle--7b64c957-6490-4c5d-bf18-3c4e43bd4e1c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json b/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json index f0b6ae4cca..38ace39113 100644 --- a/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json +++ b/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3d43903-2a67-472b-b14e-19f5c68f3a59", + "id": "bundle--5221e446-7b6e-4f11-b895-3f4991f13cae", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json b/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json index 1f0f237e2e..c0b4db6206 100644 --- a/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json +++ b/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--973ec3dc-9511-4797-85da-5d5459120eed", + "id": "bundle--43206139-bdef-487b-8458-b3b67df24c06", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json b/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json index ed062bcee8..0354c91543 100644 --- a/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json +++ b/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9801b29-cc96-4a06-a28c-ae61b410f256", + "id": "bundle--cbef04ba-078b-4790-90b9-cde515005772", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json b/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json index 7be489aaac..a1095c17d4 100644 --- a/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json +++ b/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd0756dd-a97c-409b-a22e-bbea807eb754", + "id": "bundle--ac73a831-ecc2-4fba-a2ad-fe0da8aafff0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json b/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json index e88d2a922c..fee0a92df0 100644 --- a/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json +++ b/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fb2b1a2-7e8d-4a3c-b14e-5251e3473e04", + "id": "bundle--da26481c-af32-45bf-b330-fb4625b9bd24", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json b/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json index 404bc0e0b0..7921b477f4 100644 --- a/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json +++ b/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f220c34-2e0c-4039-92e8-fff8a680a19b", + "id": "bundle--107330f2-35a8-49a0-8aa3-1df11ca8a9dd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json b/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json index 6ece179661..233631cbee 100644 --- a/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json +++ b/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e35756a6-1962-4525-8068-0a331c9a5a9b", + "id": "bundle--64f9cc1b-d6ee-4073-9243-45f254dd41b3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json b/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json index db39baf712..b49934aa49 100644 --- a/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json +++ b/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6570cae-9cff-45a0-9daf-f5f39b3b2a75", + "id": "bundle--2c324841-16b8-408b-9fb6-3b869cd7d5df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json b/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json index 7452b262ff..86e0e592ba 100644 
--- a/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json +++ b/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50bf48a2-27e7-41b4-8d46-c1d4e1f6cc9a", + "id": "bundle--e3b6a82c-aefb-4056-90fa-0259b7df251d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json b/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json index dc272f95c3..c79d4d4550 100644 --- a/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json +++ b/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8df18ea3-56ac-457b-a391-cd20759fe357", + "id": "bundle--4500dfc9-b00a-4cc9-bbf6-ad3838cb0610", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json b/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json index e95cd5ed28..5512736f66 100644 --- a/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json +++ b/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca663d3d-13c6-4f1b-84b3-9b5dcf81bbd7", + "id": "bundle--89cff460-53e1-4b23-839d-e912cae81b05", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json b/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json index 6026cf3c59..60fad0453e 100644 --- a/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json +++ b/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9a7f41a-61ad-46c0-8963-007f195d5258", + "id": "bundle--045fdfac-9763-4fc9-bf86-29c3c2ca7e9f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json b/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json index 8a36d026ef..432154f749 100644 --- a/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json +++ b/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63fd2a6a-e623-4216-b543-9b7b4eeb0f77", + "id": "bundle--6df887d0-5fb8-45b6-838d-9ca780a3f6f0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json b/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json index 03448dc615..1bcf72aa3b 100644 --- a/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json +++ b/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1d65ee7-1c8d-480e-9b90-23be8f98dcca", + "id": "bundle--ed1a69a4-1810-4784-a3a0-298f7db4e325", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json b/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json index d1c94fd137..02288435f0 100644 --- a/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json +++ b/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ed09760-7964-4886-a1b5-812a5a7bdbc6", + "id": "bundle--0054d6b1-aa2b-4c24-bdbf-7bde07d6e019", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json b/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json index 422e8deb3a..ddce98a2c2 100644 --- a/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json +++ b/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8dd50978-e58f-43f6-aab8-d5764195d1c5", + "id": "bundle--d8c62c4a-a02d-4bd3-a909-a7fe2fc99742", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json b/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json index 1c7d900b41..6d60bb9597 100644 --- a/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json +++ b/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62edecb4-1778-4975-92c1-ef4d6cdfd74b", + "id": "bundle--bfc226e4-c9c9-4271-ac26-353f67634067", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json b/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json index cf849b412d..66f4d6ab1a 100644 --- a/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json +++ b/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc55eb5f-403a-4e4d-908b-ddcbe6f884a6", + "id": "bundle--f4db5707-db7e-492b-82f9-2f37d98e44bb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json b/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json index 5615455600..6731e6e5e1 100644 
--- a/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json +++ b/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0d4c79b-9ddf-45e1-8425-eba12b29a712", + "id": "bundle--3808fa07-f971-4ae6-9d34-3e3dde890d3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json b/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json index ba862da7f5..263831fccc 100644 --- a/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json +++ b/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7cdfc8d-5f94-4c7b-8f15-35c58fb5e645", + "id": "bundle--e2ea599f-75ea-4614-8a45-e3d0025e3072", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json b/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json index c355391193..c9a34d3e94 100644 --- a/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json +++ b/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39783ab2-91e6-41a1-96e1-b49930471456", + "id": "bundle--1c165a02-3b75-4faa-b5d8-5cd8f986719a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json b/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json index 169fa1cf9f..ffb56b3de5 100644 --- a/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json +++ b/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01f3998d-fba5-472d-8814-32e0dfd01377", + "id": "bundle--1e735f83-8fe6-4058-8efd-6f572737851c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json b/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json index 8d59d72887..8aab64b06f 100644 --- a/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json +++ b/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a05c6eae-3cb8-4c29-b6d3-ca2aa3729181", + "id": "bundle--d766ed09-bb5c-44a0-99e2-84c4770178dc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json b/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json index ffb6ef976e..499218a439 100644 --- a/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json +++ b/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--457382c8-78ba-4a8f-96dc-ba55c7916375", + "id": "bundle--8163db4e-7271-44a6-b047-fe7123ad1952", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json b/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json index 2d074224b9..520ae010dd 100644 --- a/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json +++ b/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9650c2b5-ad65-4f7b-81a3-74e80fa367a4", + "id": "bundle--cb3defa7-5b93-4b0c-b90d-ce3038875d5a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json b/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json index b6797a57fb..ed90a4d406 100644 --- a/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json +++ b/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41ea13ae-3527-48c5-b619-6adc36f9b5ab", + "id": "bundle--70dc8f1b-d8b6-496e-b1bd-39f4496e27bb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json b/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json index 5c55925399..448c3c9210 100644 --- a/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json +++ b/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b685857d-0c81-434c-8e8d-91a3cb81403d", + "id": "bundle--505086bc-6121-4616-800c-460901feb31c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json b/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json index 839eb2fc87..cdf2adcca0 100644 --- a/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json +++ b/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6793228-87e0-496b-bcf7-8655c7aa9548", + "id": "bundle--7acc39ef-0196-4ea5-b925-00e00bfa4c1f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json b/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json index fd43c1e2de..d005270bd2 100644 
--- a/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json +++ b/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e81f7461-6fc6-4f68-a94b-5badf4ac1333", + "id": "bundle--bc6b786d-a020-4464-9ba6-d3ce83dfac14", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json b/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json index 4d921a1668..ae64dc4f19 100644 --- a/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json +++ b/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b90b4bb6-1624-4fb3-a712-8aa83902ceb3", + "id": "bundle--f77f7801-0558-4832-9942-898ebe523462", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json b/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json index 9651747041..b01d10bde5 100644 --- a/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json +++ b/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--849f62fa-20d5-49a0-9ab6-5f74970e62ff", + "id": "bundle--003409ea-ea65-4e45-bed2-17bf1929c8ca", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json b/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json index 4f32bbafc6..bbb9190387 100644 --- a/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json +++ b/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--639fe983-47da-48ad-861a-f36648c08e17", + "id": "bundle--19aab1bc-fa86-4b04-aece-c6813e1e32b5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json b/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json index bb9c088217..5229e575b2 100644 --- a/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json +++ b/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--87c129d5-5741-420b-84fe-a08df8fbe784", + "id": "bundle--de9f1af4-3172-478d-ab1a-dc279da961df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json b/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json index 7ac760d80a..2f0bd11f9e 100644 --- a/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json +++ b/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34c11f83-be93-45dc-8b09-a8e7a1f74bff", + "id": "bundle--bcd824b6-ca22-4116-b261-c99b7c925276", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json b/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json index 7009db78a1..b7f27bd921 100644 --- a/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json +++ b/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4298f3a8-7380-43f4-b83a-9b990f95661f", + "id": "bundle--21e90320-1ba5-42bf-b74c-dfcf37f45f30", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json b/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json index fdc33b84ac..6c4ef63e9e 100644 --- a/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json +++ b/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8697bf5b-c526-46be-a698-1fc0e9cc240d", + "id": "bundle--f847da14-fbfd-4024-840a-ae2128abb884", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json b/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json index 302c1a2e0a..b3947dc974 100644 --- a/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json +++ b/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79c0a6bc-480f-4497-8b7d-4b79f97a9702", + "id": "bundle--555eb9be-324d-42ae-a7bc-d2f1afebdbe4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json b/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json index 3c634feb7e..5dd760f4da 100644 --- a/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json +++ b/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e663bc5-b5ba-4baa-961d-df6ca7aef683", + "id": "bundle--876af80f-858a-44e7-ae0b-ad9800b2afe9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json b/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json index dc325b336f..d591a10eca 100644 
--- a/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json +++ b/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d39fc782-106d-4285-8e98-4a9736d9c725", + "id": "bundle--13a34b6c-b61f-4079-9e4a-f92786c76a1f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json b/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json index a781d863cc..7fbc05afdc 100644 --- a/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json +++ b/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f69badb-6dbe-40e8-ac38-3075a188dd74", + "id": "bundle--caaf53fa-8a64-4328-b1bb-d17ee6e30137", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json b/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json index 4839b90cf3..986497a148 100644 --- a/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json +++ b/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--836435a8-364e-474c-aaac-f0872bb47326", + "id": "bundle--7787c0aa-48a4-487d-b8cf-720c26354502", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json b/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json index 59130749fa..e35166d027 100644 --- a/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json +++ b/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--449cd2d8-04fd-4051-a07c-ad9d842f0a58", + "id": "bundle--1b309a8e-2758-444f-b7d2-7680806f277b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json b/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json index 61fb0931d3..a8b6e05ba0 100644 --- a/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json +++ b/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44e44408-cef0-4100-bdbd-58eaeb2856e9", + "id": "bundle--fd41f0fe-b5de-4141-8e68-57b0d8e0135c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json b/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json index d774893330..aa9e3a5dc6 100644 --- a/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json +++ b/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dfc27806-5e3a-4d4a-abb5-4bdc281d0aaa", + "id": "bundle--9e4b4422-a278-48bf-96b7-2df8da7d049c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json b/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json index 54f91fdc42..3d618a6b6d 100644 --- a/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json +++ b/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--68ea8b1f-ed4f-48e6-a69c-9c6c307ee3e3", + "id": "bundle--857e0803-e806-46ab-ad18-3cf91e6f52ad", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json b/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json deleted file mode 100644 index 31248c01e1..0000000000 --- a/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7f6fc65f-135a-423c-b111-9c55bbbb0fea", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48", - "created": "2023-03-16T18:37:55.715Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:41.977Z", - "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json b/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json index cba97df221..3f7645ade5 100644 --- a/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json +++ b/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee160de3-eb8a-4ef9-8f3c-da467496804b", + "id": "bundle--34cce920-796d-45c1-93f8-cb2aa0cd1615", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d.json b/mobile-attack/relationship/relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d.json new file mode 100644 index 0000000000..7a32c30a69 --- /dev/null +++ b/mobile-attack/relationship/relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2e1227d7-875c-4e5d-826e-bb15037bd82c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d", + "created": "2025-08-29T22:04:11.515Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:04:11.515Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `WRITE_EXTERNAL_STORAGE` permission to delete files in the device\u2019s external storage.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json b/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json index fc40bd8636..fff95128db 100644 --- a/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json +++ b/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b13487ff-1362-4ef1-a909-a94ac181b8f9", + "id": "bundle--9dfd0bb8-51e2-4a39-98f0-cf4604f77c97", "spec_version": "2.0", "objects": [ { 
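Review bot: The `description` of the new relationship `relationship--52765114-6cad-4c2c-8e4d-7ccc880cee7d` reads "has requested for the `WRITE_EXTERNAL_STORAGE` permission", which is ungrammatical; change `has requested for the` to `has requested the`. The same phrasing appears in the new `relationship--53044fc0-9bab-46c7-99a3-428ab1795505` hunk later in this diff. The sentence also rests the technique mapping on a permission request alone. If the cited report describes actual file deletion, saying so would give analysts stronger evidence than the manifest entry; the hunk does not show which is the case.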
diff --git a/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json b/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json index 7b02b7f0b5..572945d43c 100644 --- a/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json +++ b/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc0d2248-226e-44e3-9dde-88533720feef", + "id": "bundle--69b2d117-d91a-4afa-bd0a-4f1e73fbdc9f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json b/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json index 76bbf1169f..7eb128a6a5 100644 --- a/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json +++ b/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0035192-ec79-41a1-a1c8-014f13b4f9c0", + "id": "bundle--212aaf9c-b1a3-4fff-a46d-74c902f28eee", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--53044fc0-9bab-46c7-99a3-428ab1795505.json b/mobile-attack/relationship/relationship--53044fc0-9bab-46c7-99a3-428ab1795505.json new file mode 100644 index 0000000000..3d880031c5 --- /dev/null +++ b/mobile-attack/relationship/relationship--53044fc0-9bab-46c7-99a3-428ab1795505.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9b20b354-b123-4f71-9312-50d2c8153f82", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--53044fc0-9bab-46c7-99a3-428ab1795505", + "created": "2025-08-29T22:01:51.078Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:01:51.078Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `Read_SMS` permission to access SMS messages.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json b/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json index 07e8223295..80666680fd 100644 --- a/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json +++ b/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2f98d45-2ead-469b-920b-ec8313573332", + "id": "bundle--f3c8b18c-aa77-4391-b1ef-95cb79f84380", "spec_version": "2.0", "objects": [ { 
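Review bot: The permission name in the `description` of `relationship--53044fc0-9bab-46c7-99a3-428ab1795505` is written `Read_SMS`, which is not how Android spells it. The manifest constant is `READ_SMS` (`android.permission.READ_SMS`), and the sibling GodFather relationship added in this commit uses the upper-case form `WRITE_EXTERNAL_STORAGE`. Anyone searching this dataset or app manifests for the exact permission string would miss this entry. Change `Read_SMS` to `READ_SMS`.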
diff --git a/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json b/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json index 5054c0e100..47c2ef7710 100644 --- a/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json +++ b/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72388c9f-f8e9-4e9a-a67a-1bff9f4330b2", + "id": "bundle--2a5bdec0-83a8-4278-9708-c915610db9d9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json b/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json index d32d4630f8..12bad87f5e 100644 --- a/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json +++ b/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb3b7f43-7ce4-448f-aacf-d283727498b7", + "id": "bundle--e95c41de-8714-4667-affe-e7681e318afb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json b/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json index 4544f8dee2..9b13499090 100644 --- a/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json +++ b/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9db7b1a9-eb19-48a3-a1de-91524d717940", + "id": "bundle--d83d7e74-8654-455b-8106-3c1a4ed22aa0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--536c84cc-6700-4eef-916f-2ddcc0518770.json b/mobile-attack/relationship/relationship--536c84cc-6700-4eef-916f-2ddcc0518770.json new file mode 100644 index 0000000000..c1d86b511d --- /dev/null 
+++ b/mobile-attack/relationship/relationship--536c84cc-6700-4eef-916f-2ddcc0518770.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ad7a590c-3318-4ab1-8c1f-ccf40ef8891b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--536c84cc-6700-4eef-916f-2ddcc0518770", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json b/mobile-attack/relationship/relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74.json similarity index 50% rename from mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json rename to mobile-attack/relationship/relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74.json index 3809a3d891..bc9742c736 100644 --- a/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json +++ b/mobile-attack/relationship/relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74.json 
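Review bot: The new `detects` relationship `relationship--536c84cc-6700-4eef-916f-2ddcc0518770` ships with `"description": ""` and no `revoked` key, while the other relationships added in this commit carry `"revoked": false`. The same applies to `relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74` in the following rename hunk, where the earlier Samsung Knox detection guidance is replaced by an empty string. Tooling that renders the relationship description as detection guidance will now show nothing for these techniques. The guidance presumably lives on the referenced `x-mitre-detection-strategy` object, which is not visible in this diff. Either omit the `description` key or carry a one-line summary, and add `"revoked": false` for consistency.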
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--ea99c1eb-e34b-4003-a2fd-f06ba0745331", + "id": "bundle--a49ad4c2-3218-4e10-b5a7-6ceaf039a7b4", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33", - "created": "2023-03-20T19:00:09.608Z", + "id": "relationship--53aa0360-fbe6-4007-887c-a9e5ddadea74", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:27.482Z", - "description": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "source_ref": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--53c19d17-7109-4394-9c38-7a7514cddd0a.json b/mobile-attack/relationship/relationship--53c19d17-7109-4394-9c38-7a7514cddd0a.json new file mode 100644 index 0000000000..a577bc2566 --- /dev/null +++ b/mobile-attack/relationship/relationship--53c19d17-7109-4394-9c38-7a7514cddd0a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--ab8cbe72-14cf-4f80-b5fd-19d4e079ed95", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--53c19d17-7109-4394-9c38-7a7514cddd0a", + "created": "2025-10-08T14:40:59.584Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:59.584Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected location data.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json b/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json deleted file mode 100644 index 4663e88a61..0000000000 --- a/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json +++ /dev/null 
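Review bot: Two strings in the new `relationship--53c19d17-7109-4394-9c38-7a7514cddd0a` object carry stray whitespace. The `description` ends with a trailing space after `(Citation: Lookout_DCHSpy_July2025)`, and the reference text has `Conflict . Retrieved` where it should read `Conflict. Retrieved`. Consumers that compare or deduplicate these strings, or parse the `(Citation: …)` marker to the end of the string, can trip on this. The URL slug reads `dchsy` rather than `dchspy`; that may be the publisher's actual path, so check that it resolves before changing it.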
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--a61ce7dd-8a7a-4ba3-bb2a-ba5ad499b3d6", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d", - "created": "2023-03-20T18:38:36.873Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:43.889Z", - "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json b/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json index d115c0e3c0..0f6fdff082 100644 --- a/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json +++ b/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be3fa91e-1fa9-4cd9-987f-2394725dbde0", + "id": "bundle--fd6d73ef-58a0-4377-91e2-2afb70d7886a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json b/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json index 0d4d4463ae..c79b26441c 100644 --- a/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json 
+++ b/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6a2b1be-c48c-4aa9-a449-04fbe53c8257", + "id": "bundle--88095b46-8781-482a-a871-8210f0b3b049", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json b/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json index c11998c623..a607a6cdd5 100644 --- a/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json +++ b/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0e6c45b-a3dd-45cf-a4ca-79094c76cc8c", + "id": "bundle--914f3b91-f526-40fd-962f-af219d01e58f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json b/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json index cb1225e20f..cf4f4f1f12 100644 --- a/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json +++ b/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee0c9b5b-6aba-4cc7-a556-b6bc9aab4c7c", + "id": "bundle--7102689c-3a58-44f9-b2d6-9449cb0fa45f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json b/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json index 8f0b1dfaeb..98995090da 100644 --- a/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json +++ b/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73b8c236-7e37-427e-bfa1-3d9c6e8987f6", + "id": "bundle--3051e05d-411c-43f6-a12c-a80dcbf10259", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json b/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json index 7598ceded2..053cf9190b 100644 --- a/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json +++ b/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--caec2d6f-d39a-4ddd-9e45-ced9621acff0", + "id": "bundle--91c43e42-5bfc-417c-92bd-3ba1c3ff011b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json b/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json index 296e44e767..d4cf47d232 100644 --- a/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json +++ b/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd523c1d-ed4d-4407-9844-6e8f72cbe7b9", + "id": "bundle--baee2d5d-80c0-4d07-9527-363f8b7f78f5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json b/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json index daaf4a6dde..da35b0a10c 100644 --- a/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json +++ b/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5114fcb-716f-4b0a-84fe-24c0d15a4d99", + "id": "bundle--c5662cfa-840e-4f43-99ce-bba26313f0f8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json b/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json index b5b51c4dd5..20581b1d8c 100644 --- a/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json +++ b/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--732d4b18-f76d-4f5e-b00b-48dead3dbb0f", + "id": "bundle--d5b7d839-5bc5-4fda-82e7-311e5d79c8aa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json b/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json index a3c23a5ede..0f0fd1eb1d 100644 --- a/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json +++ b/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eee2069d-2bd1-4dcb-a04a-e846609fad1e", + "id": "bundle--03f55dca-75de-4c50-91df-1b4a867d811b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json b/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json index 97bc9fd1b7..376b340308 100644 --- a/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json +++ b/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2680b688-7b14-4843-8ce2-540f15a7708d", + "id": "bundle--1a9b1d56-66b1-4da7-8e2b-8d853ee072f8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json b/mobile-attack/relationship/relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431.json
similarity index 51%
rename from mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json
rename to mobile-attack/relationship/relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431.json
index f50e8dd78e..0d91ffbcb7 100644
--- a/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json
+++ b/mobile-attack/relationship/relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--5130cb1c-d851-4c22-b244-5a376b58cfaa",
+ "id": "bundle--d5be6ee3-b266-4b0d-a9c4-ef49c0c97946",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c",
- "created": "2023-03-20T18:51:29.814Z",
+ "id": "relationship--558ec1f4-a4ba-461f-b8aa-403f07ea3431",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:40.921Z",
- "description": "Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5",
 "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
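Review bot: The new `detects` relationship carries `"description": ""` and no longer has `"revoked": false`, so the removed sentence about application vetting has no replacement on this object, while the added `uses` relationship for 59bd2521 in the same commit still states `revoked` explicitly. If the guidance now lives on the referenced `x-mitre-detection-strategy` object (not shown in this hunk), I would omit `description` rather than ship an empty string, and keep `"revoked": false,` so every relationship has the same key set. The relationship id and `created` timestamp also change here, so the old id simply disappears instead of being marked revoked or deprecated; consumers that key detection mappings by relationship id will need to reconcile against `source_ref`/`target_ref`. The same applies to the 5603f2f4 and 57f7fa9e renames, and the empty `description` and missing `revoked` also to the new 58652c88 file.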
diff --git a/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json b/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json index 8767298a2e..603b974ddd 100644 --- a/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json +++ b/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2aa95020-fc98-4406-8420-6bc65cfe75ba", + "id": "bundle--1f438c6e-c36f-48f9-b5b4-fe6d9ba25a65", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json b/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json index e488462888..0bbfabc807 100644 --- a/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json +++ b/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3995496-31c7-4e9a-b61e-0ec1d0b25816", + "id": "bundle--9e40f740-8ae9-4f7f-b71b-4e15372e5815", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json b/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json index ab0c382568..b90a20ac7f 100644 --- a/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json +++ b/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5fc571d8-0931-4ee2-9676-51ff5408ebae", + "id": "bundle--aedad576-09ca-4069-9be4-21e8bff145d3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json b/mobile-attack/relationship/relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf.json
similarity index 52%
rename from mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json
rename to mobile-attack/relationship/relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf.json
index 0961e46c4f..96bae50a3c 100644
--- a/mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json
+++ b/mobile-attack/relationship/relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--6d1aacfa-2756-4993-b39c-a68f1a560054",
+ "id": "bundle--a5b86d93-b659-4b30-adf9-18aa168121ac",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--8dc4b237-e466-4a3d-9d28-896f1389996d",
- "created": "2025-02-12T15:22:36.181Z",
+ "id": "relationship--5603f2f4-cb1a-4cf2-ac59-bb29e07e20cf",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:07.134Z",
- "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "source_ref": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d",
 "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json b/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json index f4d57d7eb2..0d7e9056e6 100644 --- a/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json +++ b/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e136c7d-7787-4040-a674-7b2e7bcef904", + "id": "bundle--ff0bfde6-7143-4978-869d-854c76a43725", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json b/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json index 7b78d4de20..36de74e947 100644 --- a/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json +++ b/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5c627ce-2ac9-4358-b1ef-3b6170099fe4", + "id": "bundle--6fcd0820-cfc8-4094-b7ec-55dd9f5de060", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json b/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json deleted file mode 100644 index 5c099047ad..0000000000 --- a/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--c808cd4b-3f90-4ec3-88a4-182e9be947e9", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--56758bb5-230e-43ac-9851-167c296c3dfa", - "created": "2023-03-20T18:38:27.730Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:47.474Z", - "description": "During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json b/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json index 1835e6565f..2a5cd2589c 100644 --- a/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json +++ b/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bcfa84dd-8d44-45fa-8fbb-0768c707fe0b", + "id": "bundle--d0a612d8-af3b-4516-a5c6-5776dd67ffe7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json b/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json index d109197b05..1d92d360ad 100644 --- a/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json 
+++ b/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f743f14b-ac21-4b90-95cd-b00cae7f449f", + "id": "bundle--b49d7c8d-00a1-4b6c-a2f7-f1cb6b5ac002", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json b/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json index a2e83e1163..7e72804533 100644 --- a/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json +++ b/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--828f23e2-0876-4be6-a44b-b82cb0f566fc", + "id": "bundle--2ab4afcc-264d-4a0f-82e6-5f9380a87282", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json b/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json index 70e19e24c0..f801799fed 100644 --- a/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json +++ b/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85186d04-da04-4843-9ad5-9e37ba88e5c2", + "id": "bundle--b1119f20-db2b-4271-b3d1-57527b7a2d08", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json b/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json index 4b3fb440a9..9429549236 100644 --- a/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json +++ b/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c57e8548-c37d-459f-9cfd-df420fcde620", + "id": "bundle--27d2875a-6432-4d3b-bc57-35122d9a4355", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json b/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json index c496855b7c..2889fa7873 100644 --- a/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json +++ b/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ec63b7f-52fa-4a80-9bda-8507fe697415", + "id": "bundle--1eaa5499-ce6b-4ec8-b1be-0cbf7072d4c0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json b/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json index ad0b6701a5..facc6d473d 100644 --- a/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json +++ b/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--104c7458-6435-4e30-a643-abb532573779", + "id": "bundle--f0471acb-b5b8-46b2-abcc-d41f47d7684b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json b/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json index 7f26c57eb6..353165e74c 100644 --- a/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json +++ b/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d9127a3-aaba-4c1f-aa8f-442458ce657b", + "id": "bundle--5081e47e-4280-49bf-a32c-2cae13d4ffd7", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json b/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json deleted file mode 100644 index 902f5b7f09..0000000000 --- a/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7b952bb4-816a-417c-8460-b589dedae85f", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7", - "created": "2023-03-20T18:57:42.922Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:49.332Z", - "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json b/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json index 4379217145..a44503df3c 100644 --- a/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json +++ b/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f18fb43-d005-41df-93e0-73f216225613", + "id": "bundle--b15fd4e1-8e77-4036-b460-dcbc610986ad", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json b/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json index 0c24e9d822..86b02abf24 100644 --- a/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json +++ b/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0b2d46c-4fae-4f0c-87b2-aaccb54eec75", + "id": "bundle--c7134602-53b4-47a4-b39e-65682dd3100f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json b/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json deleted file mode 100644 index 5679bd0edc..0000000000 --- a/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--84c69521-78cf-4125-8ff6-624d0528fab8", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--57a5ae72-6932-45e6-83f2-609943902b35", - "created": "2023-03-20T18:50:33.248Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:49.967Z", - "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json b/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json index 169e0b27bf..fc78017bc4 100644 --- a/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json +++ b/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed6cd17f-3f8f-46f4-882b-a00aade515b5", + "id": "bundle--4c692fe8-fc5f-4874-b2e8-ba14c5e7b496", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json b/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json index 961b1de523..c3fdaaa35a 100644 --- a/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json 
+++ b/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46e2155b-5e9d-4183-bed2-ceb5a6dbdad3", + "id": "bundle--82793be2-deea-4787-8786-387bd9588597", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json b/mobile-attack/relationship/relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43.json similarity index 51% rename from mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json rename to mobile-attack/relationship/relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43.json index d19192bf47..ddf1ce7428 100644 --- a/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json +++ b/mobile-attack/relationship/relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--fbc26e37-7bf2-4b25-8334-ed0ebe65370c",
+ "id": "bundle--21d713aa-96ae-4658-bb0e-93368ad77153",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--148703c5-6d07-439c-a4ff-d77119c70857",
- "created": "2023-03-20T18:52:21.767Z",
+ "id": "relationship--57f7fa9e-26c4-4cbf-a932-71d45e24da43",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:09.793Z",
- "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "source_ref": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f",
 "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json b/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json
index 4e05b5846d..09634d0d48 100644
--- a/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json
+++ b/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--298c2d45-7193-4957-ab58-88336725ba79",
+ "id": "bundle--be94c95b-b526-45cf-8e84-e45b0ccc3564",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--58652c88-178b-4b96-bad6-c542c7948929.json b/mobile-attack/relationship/relationship--58652c88-178b-4b96-bad6-c542c7948929.json
new file mode 100644
index 0000000000..4257b2dee6
--- /dev/null
+++ b/mobile-attack/relationship/relationship--58652c88-178b-4b96-bad6-c542c7948929.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--387506ab-349d-4978-a67b-0a7ad70e4210",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--58652c88-178b-4b96-bad6-c542c7948929",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b",
+ "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json b/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json
index a330752ac6..ec059a6b24 100644
--- a/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json
+++ b/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--20c2092f-b496-4749-b0f4-2b8079ee6c0e",
+ "id": "bundle--31722e54-eda3-4d52-a979-338fdb5e83de",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json b/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json index 2dc3a38a95..2f47f2f99c 100644 --- a/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json +++ b/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55cb05b8-506d-4d16-8507-bda9bed683bf", + "id": "bundle--2f12f5e1-bf39-41dd-a75e-892f0e0308b0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json b/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json index 615b84e60d..e0fe219049 100644 --- a/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json +++ b/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0744995a-c6bc-45e1-a53d-cc7e1fd1aa18", + "id": "bundle--db7d92f8-e9ca-4368-bf8a-255932ef992c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json b/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json index 1efe9b6439..2aadf8813f 100644 --- a/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json +++ b/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6b049a5-014c-4e9c-9d47-04636e17120f", + "id": "bundle--820cc409-ed09-4bc8-9c48-888d5eddb1c9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json b/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json index 1c0ce2fd53..abb01be2de 100644 
--- a/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json +++ b/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--865b4010-243f-4f6f-9ad7-aa96ad1e98ef", + "id": "bundle--a3832e26-3676-43f6-aaae-d164f4c62328", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json b/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json index c79c65ac80..dddf300e93 100644 --- a/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json +++ b/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--618e488c-74fb-445e-8b5f-36d4b550bd82", + "id": "bundle--768b6574-2dd6-405c-8b2e-909c46e65356", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json b/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json index b475b727f7..fcac69b62d 100644 --- a/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json +++ b/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41861e1c-df2b-4221-ab17-eee3502a265b", + "id": "bundle--9aa07b1c-9066-4427-90c4-03f1a046dc56", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--59bd2521-3df2-49f1-afb7-ee78995740dc.json b/mobile-attack/relationship/relationship--59bd2521-3df2-49f1-afb7-ee78995740dc.json new file mode 100644 index 0000000000..a0e3cc0039 --- /dev/null +++ b/mobile-attack/relationship/relationship--59bd2521-3df2-49f1-afb7-ee78995740dc.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--7f220bae-0ab1-41bb-9e4a-82ab6cf1ad08",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--59bd2521-3df2-49f1-afb7-ee78995740dc",
+ "created": "2025-09-18T14:42:55.159Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:42:55.159Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has used a fake application to request permissions and to download itself.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json b/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json
index 8c989ae80e..5d9a9b9977 100644
--- a/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json
+++ b/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--145c9556-d922-4c3b-b0ba-52f25a0e92e4",
+ "id": "bundle--d1f761b4-60d8-4bdc-8c7b-2740b70e8275",
 "spec_version": "2.0",
 "objects": [
 {
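Review bot: The added relationship `description` ends with a space before the closing quote (`...Oct2022) "`), which surfaces as trailing whitespace wherever the text is rendered, compared, or hashed by downstream tooling. I would end the string at the citation, `(Citation: ZimperiumGupta_RatMilad_Oct2022)"`.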
diff --git a/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json b/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json index bac11034ef..6950de7765 100644 --- a/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json +++ b/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85a76fea-f7dc-4e92-84b3-f799a99c78b7", + "id": "bundle--e7919458-4b7a-4ef0-a5e9-f4868d9784e7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json b/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json index d87a99d83b..c8744c6b0b 100644 --- a/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json +++ b/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f89eb3ed-d1ef-409f-a117-137f7c7608f8", + "id": "bundle--0792a1dc-5be0-4a20-8441-fc90b2638f83", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json b/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json index 2a02707af9..da997a04c8 100644 --- a/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json +++ b/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--293c89aa-d452-401b-abb9-4b36eaac5f17", + "id": "bundle--d09f3e01-b2c2-4c15-ae1c-3a1d98556187", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json b/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json index edbff46948..3f5b6c33ad 100644 
--- a/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json +++ b/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc81e0d6-50dd-4aec-83b7-a28fc0ad8b49", + "id": "bundle--d238df6e-a801-4c26-a967-f8853fbfc3f7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json b/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json index d44f6e040d..4b16c22169 100644 --- a/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json +++ b/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0749147b-a861-4a6c-8fb1-a24319c8ecd0", + "id": "bundle--64066028-ee5a-47db-bb64-b8bb754299ec", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json b/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json index 91cc9b07e1..8442a3fc7f 100644 --- a/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json +++ b/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b71de481-e7bb-41fc-b68a-a0a555e59f63", + "id": "bundle--f54a1101-f5ed-449f-8052-5a550dcf993f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json b/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json index 356e4021a6..7a92a24d8d 100644 --- a/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json +++ b/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad92ae8f-0a7b-49f1-8aea-0b2a94e84427", + "id": "bundle--8f4743e5-659f-4ed5-b6cc-8f36baafb5ec", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json b/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json index 8ea8ace682..4eff84b087 100644 --- a/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json +++ b/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6aaff2ec-550d-4148-b1ca-72fa2a4f3e85", + "id": "bundle--1876a405-2ba9-4554-820a-fe4608746665", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json b/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json deleted file mode 100644 index d48e99dd82..0000000000 --- a/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--1a2c4572-1761-4e47-a9b5-ca5f5deb4c2a", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f", - "created": "2023-03-20T15:56:34.418Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:54.649Z", - "description": "Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json b/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json index 962f15ce1e..f26fc4a637 100644 --- a/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json +++ b/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64a86017-4dcc-4f1d-b15a-a7b4c9fce733", + "id": "bundle--881baf9a-934c-4a2f-b906-4b59ed5df8de", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json b/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json index 04d404de92..fce6e0e53f 100644 --- a/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json 
+++ b/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a1830c8-4c00-451e-ae93-245f44925c4d", + "id": "bundle--b94b5b31-3df6-468f-ad22-c4f39ee21960", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json b/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json index 7d31b705d8..205c4b339a 100644 --- a/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json +++ b/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad7fd860-610b-4a61-b02c-e5ee4c84658e", + "id": "bundle--c5bc3733-ac6c-4e02-9421-40b4d86a47b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json b/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json index 7c4b371c73..00717a1ad0 100644 --- a/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json +++ b/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64a71419-a4db-4603-897f-63c12b17aaee", + "id": "bundle--cc1cc4cd-9afc-4eb2-a31e-a25764fd7078", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json b/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json index 9bb1d234c8..2cb421ba1b 100644 --- a/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json +++ b/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6b71b09-d221-4512-a3c5-761c2ebb58aa", + "id": "bundle--615dd97d-80e7-4bdd-a3a8-e9c5c7f98712", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json b/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json index 6a03221ec4..34f3b025ca 100644 --- a/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json +++ b/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ffdb2f5c-62e2-467b-9b98-3189e5861bd9", + "id": "bundle--2076e35d-6aa3-444a-b171-5034b7d47032", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json b/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json index 8d18b44511..3c2a650417 100644 --- a/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json +++ b/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d99e3de5-5598-4ce9-b47b-7743734f100f", + "id": "bundle--48033471-016d-4239-8c67-c9219566d0cb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json b/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json index 356834ab17..ba183baa1a 100644 --- a/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json +++ b/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--627e7068-676a-47d7-b7e0-82ab86f2c175", + "id": "bundle--b3697211-871c-406d-b1e7-794046cd46f8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json b/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json index 0814c19a28..14912e1a7b 100644 --- a/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json +++ b/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9870450-ba52-4cf4-a839-76bb614ebde3", + "id": "bundle--8be93710-92f2-43cb-9fcb-f46e83805643", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json b/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json index 2de408abab..42a90464bc 100644 --- a/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json +++ b/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b4e24ef-02f0-40f3-be3a-f821a4abc381", + "id": "bundle--d3105e89-b888-461e-843c-b4690f26a619", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json b/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json index 0ce3b691c2..5d72ae13d8 100644 --- a/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json +++ b/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7407c88f-57ad-4a84-84bb-722fef388641", + "id": "bundle--8a854056-ccf3-4bc3-8fa4-53274da0c4f8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json b/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json index 9ca4f2ec87..223cf9d4ff 100644 
--- a/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json +++ b/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7690074b-7a0a-4b9e-b831-38baff58a833", + "id": "bundle--c85885d1-a07e-46b9-9a30-bfb7b9dea2ce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json b/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json index 4282c42329..052b441a5d 100644 --- a/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json +++ b/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fa2bebd-dc56-4239-8dc3-b2d750c58f2b", + "id": "bundle--152a42f8-2bef-488c-a3f4-2c6dc448a6d9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json b/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json deleted file mode 100644 index 3e52be2fb8..0000000000 --- a/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--10d4a434-b8bd-4527-96cc-1a329fde5934", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf", - "created": "2023-03-20T15:46:49.646Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:48:58.017Z", - "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json b/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json index 74cd9ad581..567be2a609 100644 --- a/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json +++ b/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--992a376e-5d23-41dc-bf31-c198f31fe99a", + "id": "bundle--9245feed-37e2-4f36-92f6-3c3d3e526c25", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json b/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json index 19ff477125..20ffcfcc24 100644 --- a/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json 
+++ b/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb9e58d9-b2ad-41d7-a8ba-fc15075d6bd5", + "id": "bundle--784e5df0-c435-4091-9f37-2bb495785e00", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json b/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json index 83b41debab..8f5bb73fab 100644 --- a/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json +++ b/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab418331-eeb7-40af-b68d-700e17ca7c5c", + "id": "bundle--befabc13-72d8-4677-a6a9-eb7cedc6cc4d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json b/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json index 89542e695d..b3de9ed375 100644 --- a/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json +++ b/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6aca4621-cdc5-418f-a1ac-6e18964743da", + "id": "bundle--50ece6e2-adf1-48f2-a4af-1d2140e05c15", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json b/mobile-attack/relationship/relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621.json similarity index 52% rename from mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json rename to mobile-attack/relationship/relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621.json index 31cfc05197..4823625639 100644 --- a/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json 
+++ b/mobile-attack/relationship/relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--a9529e3b-71dd-414e-bc4c-0e211e8538e5",
+ "id": "bundle--af9a15c6-9a6c-43d1-9cf4-367f2c0d345d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b",
- "created": "2023-08-14T16:35:55.610Z",
+ "id": "relationship--5d00e3bf-dca3-4bd5-b54d-00d361cf3621",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:22.781Z",
- "description": "Many properly configured firewalls may naturally block one-way command and control traffic.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "source_ref": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b",
 "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json b/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json
index 670c4c8491..9a63b8f267 100644
--- a/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json
+++ b/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5888408a-a090-4228-bf1b-7c624d91950a",
+ "id": "bundle--d5ba691d-84b4-4b6c-9398-3fc0a546372a",
 "spec_version": "2.0",
 "objects": [
 {
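Review bot: The new `detects` object in this hunk is written with `"description": ""`, so the guidance the replaced relationship carried (the firewall sentence on the removed side) can no longer be read from the relationship itself; the new-file hunks for relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b and relationship--60954386-50d8-413b-b673-c305f99be0e3 have the same empty field. Its `source_ref` also moves from an `x-mitre-data-component` ID to an `x-mitre-detection-strategy` ID, so a consumer that derives detection coverage by filtering `detects` edges on the data-component type would presumably drop this technique silently; the referenced strategy object is not visible here, so confirm it ships in the same release. Git reports the file as a 52% rename, but `id` and `created` both change, so importers should treat it as one object removed and another added rather than an update. These three objects also omit `revoked`, while relationship--5fadf570-afe5-44eb-9034-45905a28b8d8 in the same commit writes `"revoked": false,`; emitting the key everywhere keeps the objects uniform.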
diff --git a/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json b/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json index b98005b430..4abb7257bb 100644 --- a/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json +++ b/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8e6d639-5af5-4259-bc97-5e8b45540a28", + "id": "bundle--119f9989-c628-4621-88e4-1efe372c386a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json b/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json index b59c0b5d80..1ffeed4922 100644 --- a/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json +++ b/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12024708-1fdf-42f9-9f2d-bb2695b45915", + "id": "bundle--b8f72f82-3116-4a09-b294-3ba888bdf43d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json b/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json index fa29b124a6..ab03d3c61c 100644 --- a/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json +++ b/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--249c6bd3-a13d-48cd-9710-f10957b7cf67", + "id": "bundle--af47f78a-8f1c-47d7-80f4-0bbad9690801", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json b/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json index e5ff66f7f9..e5a85c5b24 100644 
--- a/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json +++ b/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ce6ccce-d4a2-415b-be62-dd9783608235", + "id": "bundle--c69738eb-9e49-4abb-a626-cefe459f994b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json b/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json index a8dfb704f5..227abb2e70 100644 --- a/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json +++ b/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--587155c6-f949-46e3-baba-b7dc53abd75f", + "id": "bundle--44d53d6e-0896-4d87-bc4e-4931549c6db5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json b/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json index f72da44985..16a263e644 100644 --- a/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json +++ b/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2aa6fb6-434a-468d-9752-5079906ebf63", + "id": "bundle--fbe9797d-eb06-445c-89d7-68d778550354", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json b/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json index bfd43702b0..dbe6d90e26 100644 --- a/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json +++ b/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5663dbd4-0e96-4f58-a8b9-e935713eb164", + "id": "bundle--463c0625-9232-4813-a240-1c2a0c6374b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json b/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json index 8a030dc3f7..d7af9cee7d 100644 --- a/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json +++ b/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dcef3dd4-263c-4a51-a223-7e1e8f6df43b", + "id": "bundle--91993c2b-9343-4f14-9c37-82a317d85458", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b.json b/mobile-attack/relationship/relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b.json new file mode 100644 index 0000000000..ae2b9f450a --- /dev/null +++ b/mobile-attack/relationship/relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e336ab07-67d7-48a8-a7a1-2a5231c6ea7a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5f8d6d22-b2a9-430b-bece-d6846c89b49b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5fadf570-afe5-44eb-9034-45905a28b8d8.json b/mobile-attack/relationship/relationship--5fadf570-afe5-44eb-9034-45905a28b8d8.json
new file mode 100644
index 0000000000..a2ffc50e42
--- /dev/null
+++ b/mobile-attack/relationship/relationship--5fadf570-afe5-44eb-9034-45905a28b8d8.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--63a79deb-ce61-4475-848d-f6be9434b168",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--5fadf570-afe5-44eb-9034-45905a28b8d8",
+ "created": "2025-05-19T18:26:28.765Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MSTI_StarBlizzard_Jan2025",
+ "description": "Microsoft Threat Intelligence. (2025, January 16). New Star Blizzard spear-phishing campaign targets WhatsApp accounts. Retrieved May 2, 2025.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-05-19T18:28:36.712Z",
+ "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) has used the linked devices feature to connect WhatsApp accounts to adversary-controlled infrastructure and/or the WhatsApp Web portal for message exfiltration.(Citation: MSTI_StarBlizzard_Jan2025)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410",
+ "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json b/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json index 2c1403a1fb..f8dd14fe61 100644 --- a/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json +++ b/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe9de64b-f005-4b2f-b3eb-1e509847fa1e", + "id": "bundle--59f5fe94-07e0-46fe-8f98-b9b871fc0f45", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json b/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json deleted file mode 100644 index 61b61b7145..0000000000 --- a/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--adbffc43-2735-4d97-a925-067c728f88ae", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24", - "created": "2023-03-15T16:40:37.553Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:01.873Z", - "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json b/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json index e293ea22da..061feca6c2 100644 --- a/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json +++ b/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98c0494d-4436-43e8-a96b-eca51a3540f7", + "id": "bundle--0d08732b-2843-41da-8f3a-14be27e4e438", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json b/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json index 28827e5d28..520015727c 100644 --- a/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json +++ b/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e9d3315-cc09-4f17-9e2e-90daac6dff2f", + "id": "bundle--942b7d7c-fce4-4e75-b6dd-98878e804244", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json b/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json index 8b740dddeb..ebb4dfcfae 100644 --- a/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json +++ b/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfaa70d8-d004-468e-8734-e5b646cbe3bf", + "id": "bundle--45a18348-99e9-4074-8e41-4eceb79cd6f3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json b/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json index 4e80849dba..70d4ea33d7 100644 
--- a/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json +++ b/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--158982f2-a829-4c69-8cae-1b86c41bc785", + "id": "bundle--41452db7-c01e-43c2-aea4-c9a18760ed04", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json b/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json index 114b18970b..f8e332325b 100644 --- a/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json +++ b/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0eaa2493-e954-46dc-a93e-cc04513df26b", + "id": "bundle--ff872a3b-cbed-4242-b170-a2628e4f8550", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60954386-50d8-413b-b673-c305f99be0e3.json b/mobile-attack/relationship/relationship--60954386-50d8-413b-b673-c305f99be0e3.json new file mode 100644 index 0000000000..1ea0b8facf --- /dev/null +++ b/mobile-attack/relationship/relationship--60954386-50d8-413b-b673-c305f99be0e3.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d3a5d7a8-8b32-4d1d-ba50-cb1a9e045ebd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--60954386-50d8-413b-b673-c305f99be0e3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json b/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json deleted file mode 100644 index 5d1f9007e1..0000000000 --- a/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--5d2dc300-681f-4203-a986-7abef434d79c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--609ec9f8-f702-444b-b837-72a0880d429b", - "created": "2023-09-22T19:17:01.704Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:03.127Z", - "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json b/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json index b7996faf1d..afb92de57a 100644 --- a/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json +++ b/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b8cfb0c-a5df-4e60-a482-e45a69c4b082", + "id": "bundle--68c82e2e-792b-4754-87ae-538abc5681b6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json b/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json index b379b2ba77..6ee6aab274 100644 --- a/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json 
+++ b/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5532a9a-4d9b-4d71-848b-2a7a417e8186", + "id": "bundle--55b260ba-4383-4e51-9356-f0a21635a5db", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json b/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json index 60163289a6..00f40ef1a8 100644 --- a/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json +++ b/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7008674-1edb-412a-b052-91c4d0feff24", + "id": "bundle--8600bfe9-595e-4b04-9192-ef663437ed55", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json b/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json index d313498e57..7246d0b6df 100644 --- a/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json +++ b/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a1f6545-6a30-47e1-8fd9-10dbe45802cc", + "id": "bundle--345dbeef-fc5b-47fa-83ff-0cee2c6646c2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--60eb0917-7f98-46c5-a677-3234a21dc00a.json b/mobile-attack/relationship/relationship--60eb0917-7f98-46c5-a677-3234a21dc00a.json new file mode 100644 index 0000000000..e8a2b5c60e --- /dev/null +++ b/mobile-attack/relationship/relationship--60eb0917-7f98-46c5-a677-3234a21dc00a.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--02809d03-15a8-46b9-80b7-bab4979b7844", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--60eb0917-7f98-46c5-a677-3234a21dc00a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json b/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json index 2968e8f3f2..c503870e15 100644 --- a/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json +++ b/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bdb17455-06b4-4780-86dd-5f548c4424aa", + "id": "bundle--2ff27b13-cfd4-49d5-86a7-2a1726a0aa5c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json b/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json index 74a6a544e0..047714db85 100644 --- a/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json +++ b/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c082877-77a8-4234-a41f-f0856171ec52", + "id": "bundle--2f350b8c-5afa-4ee3-b922-db8449a9e305", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json b/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json index 931ada2c72..8a77d2139c 100644 --- a/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json +++ b/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8688dc7-a9f2-4775-aac2-08cd7693ad78", + "id": "bundle--6517f969-74b0-4996-92a1-6e72e07d08fd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json b/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json index 1b95a66452..3cbcd34745 100644 --- a/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json +++ b/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70331885-6019-42c3-a79c-86d5a83e8aa1", + "id": "bundle--88cd93e6-fd74-4f10-8187-7d3eed2676f1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json b/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json index ce3e0f7a7b..7ff8a9bacb 100644 --- a/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json +++ b/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c746d090-c3b0-4d87-9eee-b85ac0ebe1a1", + "id": "bundle--be05018d-d75f-48bb-8ce3-efed8d7c233c", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25.json b/mobile-attack/relationship/relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25.json new file mode 100644 index 0000000000..4d2a8c4929 --- /dev/null +++ b/mobile-attack/relationship/relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1badc8ab-64d6-4ffd-b92a-3f0954527cd7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--61e27ee2-ef0a-43b9-8e58-e8703654bc25", + "created": "2025-08-29T22:03:08.447Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:03:08.447Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `RECORD_AUDIO` permission to record audio with the microphone.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json b/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json index 3d981fc962..af7fbfb514 100644 
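Review bot: The added `description` says "has requested for the" before the `RECORD_AUDIO` permission name, which is ungrammatical; it should read `has requested the`. The string also ends with a space after the closing citation (`...April2023) "`), which leaks into rendered pages and breaks exact-match comparisons in downstream tooling. The same trailing space appears in the new or changed descriptions in relationship--64a55364 (CherryBlos), relationship--65dc7cc1 (Chameleon overlay) and relationship--66be8672 (GodFather exfiltration). A lint step that rejects leading or trailing whitespace in `description` values would catch all four.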
--- a/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json +++ b/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ace540ae-f00c-4d2e-bba6-d0cdc60209d8", + "id": "bundle--7dc7a631-70e3-4ad7-bfb4-01b49dac0c79", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json b/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json index a7bcd7f36a..3cd9e5ac3c 100644 --- a/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json +++ b/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bc50306-f6de-45e5-8d03-789fbda27414", + "id": "bundle--cdc0c71d-c7a3-4d4b-87ef-222ddcbb5a77", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json b/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json index 909470df83..447769513e 100644 --- a/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json +++ b/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0963e2a1-d10f-4d4a-bfd2-a2ade57a2827", + "id": "bundle--c4162419-88dc-4e53-95ee-d441e95927b1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json b/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json index 4677e60153..43e9845eae 100644 --- a/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json +++ b/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e6a9557-22d4-41b8-b40e-91408ce604d7", + "id": "bundle--d9865d90-2ac5-4e9a-a9b9-4c1f9df0dcb7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json b/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json index 8b905e2689..1e448ab0e0 100644 --- a/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json +++ b/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c207fbd-1373-4e67-a30c-6536d5277e7e", + "id": "bundle--de80263e-8a1d-4969-92c1-b88db82c98f7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json b/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json index f168e45d7f..bbe3e9f990 100644 --- a/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json +++ b/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eaeb4d5e-5212-4772-b0f2-76520350b144", + "id": "bundle--bd7696cd-f21e-4fae-bb74-85140957aaa9", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:06.578Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:01:01.200Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has read the name of application packages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", 
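Review bot: In the `@@ -19,8 +19,8 @@` hunk for relationship--6315b6ec the description changes from "can read" to "has read", which turns a capability statement into a claim of observed behaviour, while the only citation is still `cyble_chameleon_0423`. If that report derives the behaviour from static analysis of the sample rather than from observed activity, the new wording overstates what the source supports; please confirm it against the cited report. The same rewording with an unchanged citation appears in relationship--6588914f ("can gather SMS messages" to "has gathered SMS messages"). If the tense change is a project-wide style rule rather than a change in confidence, a line in the commit description saying so would stop analysts reading it as new evidence.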
diff --git a/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json b/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json index 1c064a7e95..bbfa6af1ef 100644 --- a/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json +++ b/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82855e69-99c9-4a58-8023-a6f06aaf03d8", + "id": "bundle--aa838953-0118-4606-8793-1a6d0cb80740", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json b/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json index 48fb3d6d5d..26f9a9f4c9 100644 --- a/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json +++ b/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6381be90-7bc0-49ef-b5ab-0335008f4fea", + "id": "bundle--bc49cb16-f194-4e9c-9569-6551f2221e63", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json b/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json index e38e536a9b..2a0b85af61 100644 --- a/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json +++ b/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--760fd41e-4902-48d0-83ed-e755e2c4e11a", + "id": "bundle--389eb2c5-cdf9-4b8a-801a-a1c3fd8442d5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json b/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json index 4f59bded5a..332ee9b089 100644 
--- a/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json +++ b/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e880b6b-8abe-4a95-ba66-a93c7b0a4c6f", + "id": "bundle--c5531fb8-77e9-4181-9edd-780d670feb92", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--642ae344-57b0-4fb4-aa40-43112b484bbc.json b/mobile-attack/relationship/relationship--642ae344-57b0-4fb4-aa40-43112b484bbc.json new file mode 100644 index 0000000000..a128ac422d --- /dev/null +++ b/mobile-attack/relationship/relationship--642ae344-57b0-4fb4-aa40-43112b484bbc.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--cf9e0d25-58a9-4416-bb52-50b051cd40d6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--642ae344-57b0-4fb4-aa40-43112b484bbc", + "created": "2025-08-29T22:02:12.326Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:02:12.326Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s contact list.(Citation: MerkleScience_Godfather_April2023)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json b/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json index 74160d2585..9bcc901df8 100644 --- a/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json +++ b/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b56f668e-c39b-4e3a-a941-bc34ce36473d", + "id": "bundle--84fcc51c-abd6-491e-987b-d7de21235697", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9.json b/mobile-attack/relationship/relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9.json new file mode 100644 index 0000000000..c6af86e827 --- /dev/null +++ b/mobile-attack/relationship/relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a01da587-291f-486e-afa8-d8ec13c3380b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--64a55364-3ad1-40e8-92a2-58a7a71a18c9", + "created": "2025-06-25T15:37:54.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:37:54.563Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json b/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json index 499f5cb2a0..d86fa7db89 100644 --- a/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json +++ b/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d08b320-7c2a-42e9-bd83-7d7d5b897836", + "id": "bundle--2ca55810-9f91-472b-8e3d-527572dae7b3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json b/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json index a44dd66baa..c5bf165ac4 100644 --- a/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json +++ b/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94a95199-f996-4710-b8c7-64107b645911", + "id": "bundle--3d4c6acd-4098-4234-b8b0-1546f2e6f159", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json b/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json index 1e6a68052a..8128a41a98 100644 --- a/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json +++ b/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e260424-9abd-4d15-8c8c-34eacc7f39fe", + "id": "bundle--21799b2a-b8f0-481f-a4d0-947d74eaa6ba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json b/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json index 8a6a45b6cc..de40e16aab 100644 
--- a/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json +++ b/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18b817fc-0192-4135-8a64-938bd38d2262", + "id": "bundle--d8f2ed3e-b2c5-45ee-a75c-6075e2b24c3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json b/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json index e76a4a01b7..0f9bf852e6 100644 --- a/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json +++ b/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--080cf878-6b92-49ed-96c6-ff4022fa80ff", + "id": "bundle--7ec52c49-4fff-45ff-a064-dc2ffee9f8cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json b/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json index 04c588894d..5cd22e9f68 100644 --- a/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json +++ b/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2bcd30b-cca0-4c8b-b7a0-87d6c7663b6d", + "id": "bundle--5a13c034-09b4-470d-95c8-1d6e0339ccfd", "spec_version": "2.0", "objects": [ { 
@@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:09.125Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:01:17.043Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", diff --git a/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json b/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json index bc2e906bbe..c30976a47e 100644 --- a/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json +++ b/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88e09153-3e50-473d-bce4-b8a6d6a5c9d4", + "id": "bundle--026ced56-190a-43b3-bebb-55d8ad9110a7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json b/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json index a781f9dcba..bc8916d8ac 100644 --- a/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json +++ b/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d70c8ad6-3129-4b35-96c9-3bddeea0020c", + "id": "bundle--7719ab67-67ec-4c70-a64e-fad625f0c2eb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json b/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json index f740317204..63166ddd4c 100644 
--- a/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json +++ b/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e39cb0c0-e68c-410e-a3fc-011b046b2c37", + "id": "bundle--69c466d5-b5ee-4f78-bd1a-a37b41882a8c", "spec_version": "2.0", "objects": [ { 
@@ -14,19 +14,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:09.807Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:22:17.600Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has performed overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has launched overlay attacks through the \u201cInjection\u201d activity.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json b/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json index eccfc7673f..28e89f135f 100644 
--- a/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json +++ b/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53390711-8d98-43e3-a135-3b1d59883339", + "id": "bundle--e165e8b9-ebb2-4c3b-9303-9afc0ec1f568", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json b/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json index edb0946774..bfb6758608 100644 --- a/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json +++ b/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c24b70cb-2993-42ad-ad9b-bf864caa8d7f", + "id": "bundle--30bb441e-891f-495d-a70d-d1e2fd0dd35d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json b/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json index f94eb90743..a92378d698 100644 --- a/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json +++ b/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71cf10dc-4e80-4126-a715-299d1c952287", + "id": "bundle--71d22fe3-b6c1-407d-a16e-1d701749eab0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json b/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json index 2964167af9..6c2e3b324f 100644 --- a/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json +++ b/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e7b1fab-1ab5-4c85-b66c-4fe6b8ef100d", + "id": "bundle--bc8e5b8f-6b3c-4f92-8a61-c98cb30f02a3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json b/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json index 90ce501295..c5d655d307 100644 --- a/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json +++ b/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8bf07ae-e7e6-4e81-a595-5213e0d1b72d", + "id": "bundle--21d652b1-e32a-43bd-99a4-eb136818fd81", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--66be8672-6075-4309-b287-c9b81249f610.json b/mobile-attack/relationship/relationship--66be8672-6075-4309-b287-c9b81249f610.json new file mode 100644 index 0000000000..83c2482004 --- /dev/null +++ b/mobile-attack/relationship/relationship--66be8672-6075-4309-b287-c9b81249f610.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--a1aecc92-7101-4380-af64-d36613492b07", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--66be8672-6075-4309-b287-c9b81249f610", + "created": "2025-08-29T22:11:23.343Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:11:23.343Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has exfiltrated sensitive information over C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json b/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json index 7c216f5a85..1876fa96b7 100644 
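Review bot: The `description` of the new relationship--66be8672-6075-4309-b287-c9b81249f610 says only that GodFather "has exfiltrated sensitive information over C2", which gives an analyst nothing to scope a detection or a data-loss assessment with. The two cited reports presumably say what data was taken and over which channel; one sentence stating that would make the mapping usable without opening the references. The string also ends in a stray space before the closing quote and should end `(Citation: MerkleScience_Godfather_April2023)"`.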
--- a/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json +++ b/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91f9f58c-c6a6-43db-a603-e0fe07965067", + "id": "bundle--f8f05392-e759-4aaa-a936-f3dab05125ba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json b/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json index acdc349804..076d2a5609 100644 --- a/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json +++ b/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01da8994-3e33-48dd-b17a-f7ea442aa742", + "id": "bundle--705f6c85-fbd9-427c-a78a-5d647679907a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json b/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json index 073e86c767..8a8dd80e22 100644 --- a/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json +++ b/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75519eea-6737-409b-9000-6f5b43d714c8", + "id": "bundle--e1f509f4-3d1f-473a-9700-a605eabb6e5c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json b/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json index c59d1cf224..1f2b312846 100644 --- a/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json +++ b/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5635611-e0fc-4280-9a9b-c0afce0e7ab9", + "id": "bundle--dfe730c6-2300-4bd1-b51a-3f4c293dc996", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json b/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json index bd1865156a..73487603d0 100644 --- a/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json +++ b/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--48c11d1a-ca98-4230-acf7-b9b0e0e42115", + "id": "bundle--54386ec0-3a46-4eee-86f9-53ef71c45f4e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json b/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json index e83bb30536..29557e9a09 100644 --- a/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json +++ b/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc1ce9aa-df64-4c10-93e6-65a58459b08b", + "id": "bundle--6ab2d9f6-4db1-4e77-8251-8b1275e6656e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json b/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json index 668d1a49c8..9ff37a95b9 100644 --- a/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json +++ b/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--184582c1-2385-40d9-bc14-863b8ce48746", + "id": "bundle--97ed9ad1-ce02-4475-8d87-49c91b0bf026", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--68267f97-b22e-4cd5-a417-0771a1741a32.json b/mobile-attack/relationship/relationship--68267f97-b22e-4cd5-a417-0771a1741a32.json new file mode 100644 index 0000000000..a9d4742fd3 --- /dev/null +++ b/mobile-attack/relationship/relationship--68267f97-b22e-4cd5-a417-0771a1741a32.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0bbf6c33-eb09-43a0-80f5-8106862f60a7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--68267f97-b22e-4cd5-a417-0771a1741a32", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json b/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json index 57f56fa5d8..713abd1e76 100644 --- a/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json +++ b/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6603c535-8174-4649-92d9-48acf826725c", + "id": "bundle--0a554a63-317d-4149-9559-d1168bc8c66a", "spec_version": "2.0", "objects": [ { 
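Review bot: The new `detects` relationship relationship--68267f97-b22e-4cd5-a417-0771a1741a32 is added with `"description": ""`, so it links a detection strategy to a technique but carries no detection text of its own; the same applies to relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59 and relationship--6b7783d9-415c-4134-b984-b7dac929c59d later in this diff. Consumers that render the relationship description as detection guidance will show a blank entry, presumably because the guidance now sits on the `x-mitre-detection-strategy` object. Either omit the optional `description` key or populate it. These objects also lack the `"revoked": false` line that relationship--66be8672-6075-4309-b287-c9b81249f610, added in the same diff, includes, so a reader that tests for the key rather than its value sees two shapes; adding `"revoked": false,` after `created_by_ref` would keep them uniform.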
diff --git a/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json b/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json index 3529c6c44f..61ff233634 100644 --- a/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json +++ b/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d12af012-59eb-4d92-8564-25fadb1812d8", + "id": "bundle--c6dce348-fbe8-443e-9bfd-231494432655", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json b/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json index c293990bef..f43eed5f04 100644 --- a/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json +++ b/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c644829c-eccc-41e2-b114-439c10020b4d", + "id": "bundle--9b074bc5-d8e7-4db7-ace1-45c3c48a7d19", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json b/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json index 1d72b3ce1a..1fd6240857 100644 --- a/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json +++ b/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50f61c38-f8b0-4972-9176-00b6e91f0b42", + "id": "bundle--2784cf83-db6c-4c1f-b192-2432397271e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json b/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json index 11531c3612..282d73514b 100644 
--- a/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json +++ b/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e2fd9ff-c061-4c56-bb42-0a1d45cb1d09", + "id": "bundle--8d7034a3-61da-4f8b-b084-75e8236a199c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json b/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json index 87b8baa8e7..dfb5f82bcb 100644 --- a/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json +++ b/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8937ec49-901b-4e64-8b38-513dd61fad94", + "id": "bundle--f12e6314-f37f-4575-91d1-1f34df7ba032", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json b/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json index 75de6415c3..bc362a0528 100644 --- a/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json +++ b/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--114e1647-7690-4e27-a6db-bd6e231f6e31", + "id": "bundle--1410a80c-528c-4027-ae50-ed24af95e666", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json b/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json index 643a89743a..1ea1fb8c1a 100644 --- a/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json +++ b/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6842d6f-e76e-47f8-8617-f9f6455c954c", + "id": "bundle--ed1ea4b2-a176-4777-9100-29a158ad97be", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json b/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json index 2bd24f47ce..367fa63ce7 100644 --- a/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json +++ b/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f793a859-6947-446f-b4d0-8244ab193611", + "id": "bundle--13f2bf12-dc60-4015-9a34-48465d5997fa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json b/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json index 367d594a1d..a08a161172 100644 --- a/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json +++ b/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af131717-548a-4a2e-81b6-5d03dc1ad8e1", + "id": "bundle--a2f5135d-91a5-4db4-b396-c4d8b6112eb6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json b/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json index 7c92ad61e2..cd858fb4b0 100644 --- a/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json +++ b/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--556c6acd-d827-4333-a6a5-24662e0cd198", + "id": "bundle--227b94db-adec-4070-a34f-faef214084de", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json b/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json index 78c8f21c77..3bfc616e29 100644 --- a/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json +++ b/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f867bbc-be32-47eb-a1a9-014e6457f529", + "id": "bundle--42a4e09c-b7f6-4f23-9f52-5b699ba604da", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json b/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json index 458097c440..9712eef9c8 100644 --- a/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json +++ b/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e91d7db-904a-4992-9875-5c6543d188cc", + "id": "bundle--558b933e-7ad2-4c51-8775-ec0d2d106c93", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json b/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json index a868ff16e7..7a25f023b5 100644 --- a/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json +++ b/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2aa97ffd-5ebb-4c75-9106-b9590f9ca757", + "id": "bundle--ccfecc01-ba0c-4eda-bf62-5791629b8ceb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json b/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json index 3c6f0d540c..885b7e6440 100644 
--- a/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json +++ b/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--201aa74e-f562-4a07-936c-c7d710c4b7de", + "id": "bundle--6b5893c6-7a85-4a02-80bd-c50f00ec5d96", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json b/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json index 5650dd6041..3687e7a23e 100644 --- a/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json +++ b/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b12b8cf-db02-48be-a0d3-a7ab30f1f14e", + "id": "bundle--74158aa9-1588-498f-8172-0a28cde61198", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json b/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json index 7bbd21ce18..607594951a 100644 --- a/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json +++ b/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--508745fc-9c80-4063-9817-37cc774d5873", + "id": "bundle--b7e0982c-3f2b-4f5a-ade7-4651b712ddf7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json b/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json index 6b1633dbcb..6b5231ebd3 100644 --- a/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json +++ b/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--164f8b62-a44d-4279-8cf5-cc2e107d1f1b", + "id": "bundle--bd2a43a5-2780-4379-81a2-3a731ef29f7d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json b/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json index cabae792b6..74d80eb66c 100644 --- a/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json +++ b/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2d0d21b-2220-4c38-828f-3f44fad0f2f6", + "id": "bundle--c490ba65-981f-4913-b3b9-f4a1e15ae4b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json b/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json deleted file mode 100644 index ec7bd41bcc..0000000000 --- a/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--e1d702af-65cc-424c-ab1f-e0771049add6", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e", - "created": "2023-03-16T18:26:45.940Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-VerifiedBoot", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", - "url": "https://source.android.com/security/verifiedboot/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:16.980Z", - "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json b/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json index b270f5a8a1..1eb625a4d5 100644 --- a/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json +++ b/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b61e433a-dec9-430d-ade1-35f062ed1637", + "id": "bundle--ef5644fd-f9c4-42fe-a0f1-b40befade9b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json b/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json index ad5a6ccce4..0cc4734989 100644 --- a/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json +++ b/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--785879ef-8b42-4000-b9d9-e7e9d4fa87ce", + "id": "bundle--4a989a97-8019-4a77-af49-b40f64a1d8c6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json b/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json index b09f1cedf7..b01430a736 100644 --- a/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json +++ b/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e276e1c6-382f-4b9a-a21f-bd4be1438b91", + "id": "bundle--91a2e92b-150b-4225-abba-a416cb50e885", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json b/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json index 4e76f461a2..00a42740af 100644 --- a/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json +++ b/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ae2b435-fad5-45d0-9490-0d2048287c23", + "id": "bundle--6150e214-ecf5-4ff5-9f4e-5368388c1f15", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json b/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json index cfb3557bea..5ddfaf9ecb 100644 --- a/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json +++ b/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71caa874-ac93-4637-a679-319d9d7c4423", + "id": "bundle--6d20be46-142c-4247-b299-0986b7ef2359", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json b/mobile-attack/relationship/relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59.json similarity index 53% rename from mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json rename to mobile-attack/relationship/relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59.json index 8fe37c5f90..3ff52d7e5a 100644 --- a/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json +++ b/mobile-attack/relationship/relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--11bdf17d-938f-405e-983b-83493765d132", + "id": "bundle--ff9356e9-fd72-472c-aed7-6223e199885d", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9", - "created": "2023-08-23T22:50:55.591Z", + "id": "relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:48:57.599Z", - "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "source_ref": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json b/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json index 0400658917..b301ff40f0 100644 --- a/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json +++ b/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a57504c-4367-4187-bada-f20887053c32", + "id": "bundle--0087ca2a-dedf-442a-8087-70a507448390", "spec_version": "2.0", "objects": [ { 
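Review bot: This file is recorded as a rename at 53% similarity, but the hunk changes the object's `id` from relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9 to relationship--6aa306e2-36f3-4cce-aba1-c9a4624e8a59, resets `created`, and switches `source_ref` from an `x-mitre-data-component` to an `x-mitre-detection-strategy`, so it is a different STIX object and the old one simply disappears. A consumer that syncs by id gets no `revoked` or `x_mitre_deprecated` signal for the old relationship and will either keep a stale `detects` edge or lose it silently. The removed text, "Application vetting services may detect API calls to `performGlobalAction(int)`", was the only concrete detection hint on this edge; unless the referenced detection strategy carries it, that guidance is lost. Consider shipping the old object for one more release with `"x_mitre_deprecated": true` before deleting it; relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e, deleted outright earlier in this diff, is in the same position.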
diff --git a/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json b/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json index 76fd00b34d..0850a279ba 100644 --- a/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json +++ b/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ad70b87-1e98-4f44-b620-9dfcbed93493", + "id": "bundle--04dda559-1857-42e2-9107-a3c16b4cfee6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json b/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json index 65c98445c1..5017d464df 100644 --- a/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json +++ b/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e67bd08a-df0d-4d58-a3d4-d12de4f26217", + "id": "bundle--93abfa4b-6c6f-480b-929b-a1526acd4c59", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json b/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json index c61dee92d6..8942c732c8 100644 --- a/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json +++ b/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb45c5f7-3f28-4027-8ad3-ed7adae934e1", + "id": "bundle--73fc3351-6903-4354-969e-0a5fa39855b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json b/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json index 0cf42bf4ef..6960e38d7c 100644 
--- a/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json +++ b/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32a11f41-6371-4056-8251-e7de20e0a4ae", + "id": "bundle--f4ec5e3c-6612-463c-8cca-eec7ba52eb98", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json b/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json index 820e4fcb84..902d640cc7 100644 --- a/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json +++ b/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e705412-4ea7-4f78-ac56-a3dc6f6dd50b", + "id": "bundle--67a67be2-bbe5-4ee4-89a9-488118859815", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6b7783d9-415c-4134-b984-b7dac929c59d.json b/mobile-attack/relationship/relationship--6b7783d9-415c-4134-b984-b7dac929c59d.json new file mode 100644 index 0000000000..0c96fd5b1c --- /dev/null +++ b/mobile-attack/relationship/relationship--6b7783d9-415c-4134-b984-b7dac929c59d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a881b79f-b9c1-44b6-98b3-2018ea8112ee", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6b7783d9-415c-4134-b984-b7dac929c59d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", + "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json b/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json index 8c0121a4d3..6caff379ab 100644 --- a/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json +++ b/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d4575c4-c00b-41a9-a06e-b0d26dc77b38", + "id": "bundle--5c7022b5-ec37-45c4-bd86-e3786dcea3be", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json b/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json index 79c020677e..1670729bd6 100644 --- a/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json +++ b/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b87c7683-5b95-45f2-a601-dfbad47774eb", + "id": "bundle--d4ed4063-f532-4178-9a9d-2b2b91fc3c0d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json b/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json index a8e25419de..70d37b91ad 100644 --- a/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json +++ b/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07ea4257-443d-4282-a207-3e97ac4eb5f8", + "id": "bundle--9cc07f98-cbe7-4250-b6fe-9876f47955ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json b/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json index 355c8f637e..9c443cac91 100644 --- a/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json +++ b/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--538c273a-68c3-4a28-8ac8-44eb3a80b682", + "id": "bundle--ed9f8b3f-2fed-41d2-b1c8-a6331dccd984", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json b/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json index 8345fa6cc6..2c0894e0fa 100644 --- a/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json +++ b/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afc87356-6468-4007-ac31-c0046d5f79e4", + "id": "bundle--704ff02e-e186-4eea-a655-d0401a42880e", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json b/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json index a269685e70..ed3fd8dd8d 100644 --- a/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json +++ b/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea49cc12-9a59-487a-97a9-1c649d6984b8", + "id": "bundle--fc5215ec-bb90-41e7-bddf-9cfbabecc259", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json b/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json index 7eaa5a1a1c..2de32cea45 100644 --- a/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json +++ b/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac64ee08-8bb3-4263-9e5b-38db72578e81", + "id": "bundle--4279bce6-df18-4ea8-ad65-7fbfed3d75a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json b/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json deleted file mode 100644 index ddee1b5598..0000000000 --- a/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--fe995b5d-910c-4b8a-9126-709a01019204",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd",
- "created": "2023-08-07T22:48:30.275Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:49:21.032Z",
- "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
- "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json b/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json
index 6290fbcfa0..740c7895aa 100644
--- a/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json
+++ b/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2905ecd6-8c05-430c-8a32-5d89bc1e9d01",
+ "id": "bundle--74128d8b-a84c-4588-b6a4-7100d8060a0a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json b/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json
index 401c0e49a7..2c3d1e3981 100644
--- a/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json
+++ b/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22425918-d230-43e1-a81c-be62bf08ab00", + "id": "bundle--113292ee-cd78-4b62-8087-6675c4f26eb5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json b/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json index 539c11f616..febcea25e2 100644 --- a/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json +++ b/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--918874ef-8279-4a8e-952d-c60fdb26d8e2", + "id": "bundle--e1729763-ada0-40e4-accb-c077305d80a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e.json b/mobile-attack/relationship/relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e.json new file mode 100644 index 0000000000..048a53120f --- /dev/null +++ b/mobile-attack/relationship/relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--34cc97b1-a17f-4cc1-80c1-d2559ebf56bd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6d0c1fb2-095f-4cd7-9594-0299823e3b0e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67",
+ "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json b/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json
index 26285b9cd0..1e00232ed4 100644
--- a/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json
+++ b/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--545b1a1d-a276-4b1f-841c-72c112c8a0aa",
+ "id": "bundle--7d3cfc6d-0328-4d56-9888-1c222c605be3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json b/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json
index 21fd1ade66..a4e808f71e 100644
--- a/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json
+++ b/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--528232a1-9f73-4c86-be10-ac50203ab18c", + "id": "bundle--3a12448a-7216-48b7-8e09-726170add550", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json b/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json index f46d79a529..bc94c85b71 100644 --- a/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json +++ b/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--935433ca-eafd-4ff2-9cc0-70565dd411da", + "id": "bundle--5f91a398-bcd9-4812-9f6c-6eb7dd5b8889", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json b/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json index 568e4bd4e4..3dafdaf46b 100644 --- a/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json +++ b/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e27d9b2f-a244-4839-a7c6-a8cf5353d16e", + "id": "bundle--4a4649e3-dc48-49fb-91c4-34aa3a6a7579", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json b/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json index 56c086e465..b1e740ad7f 100644 --- a/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json +++ b/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f9c3f93-6925-4b8c-ab47-5ab80d7d6aa6", + "id": "bundle--f168a438-7deb-4c38-b6f8-cff42b7a084d", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json b/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json
deleted file mode 100644
index 8d4d84ac9d..0000000000
--- a/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--ebe0ea26-5ff5-4671-ae4b-7788e5c481d3",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108",
- "created": "2023-03-20T18:57:17.059Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:49:22.920Z",
- "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
- "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json b/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json
index feb5273c0f..416ce91bed 100644
--- a/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json
+++ b/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--62d498b1-7e57-4896-8216-ff266e415aa5",
+ "id": "bundle--c7cbbb10-6549-43db-84a9-5b52f07734d9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json b/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json index 50bf1567a6..811888ffc3 100644 --- a/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json +++ b/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--258e45f6-82fc-47b3-aee1-1641546fa1e5", + "id": "bundle--9a04f13d-622c-4411-a289-d21fe68c9815", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json b/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json index 669f814358..b1b87276a5 100644 --- a/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json +++ b/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e7be185-7ba9-4e28-b059-897f6cb63a28", + "id": "bundle--43ea62ad-f78b-4d98-b812-0f37e42748b1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json b/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json index 67b0bb83a2..b45995befc 100644 --- a/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json +++ b/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d69bc70c-e3b1-4f58-a76b-46418a50e1b2", + "id": "bundle--2cfac8c7-f958-45c0-b446-3211495a5cd0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json b/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json index 69c6d241c2..a0df3aaf4a 100644 
--- a/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json +++ b/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e18f79bc-df60-409c-ae63-1e7b159eece9", + "id": "bundle--fc38abfb-ec9a-42ce-bd7f-709d24814745", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json b/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json index e37ce81f30..4a6d41e6a2 100644 --- a/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json +++ b/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cce0770d-4397-4c9d-8b18-dab6c3357e9c", + "id": "bundle--7f6916c7-965d-4302-8afc-ca06b4e5c5d0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json b/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json index 7fdb058023..519692f55f 100644 --- a/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json +++ b/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--782cf159-789e-4545-927b-f40158bb5061", + "id": "bundle--d0cc579f-adec-4f37-9de2-d0ecc0d10b9c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json b/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json index f268859441..b5ab7989ed 100644 --- a/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json +++ b/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42351bfc-9635-4bbe-9a69-5ad7e01fb330", + "id": "bundle--57c14f78-81a1-4234-ad30-77c241d02132", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json b/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json index 601ec3b768..e97391a59a 100644 --- a/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json +++ b/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8ea15f9-eacc-48b9-98e8-0a4ff0064e44", + "id": "bundle--1cf98219-541d-4ee7-970c-27230d3d3b36", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json b/mobile-attack/relationship/relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76.json similarity index 52% rename from mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json rename to mobile-attack/relationship/relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76.json index 9b6d894d80..e8df68e123 100644 --- a/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json +++ b/mobile-attack/relationship/relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--e27f1712-1bf5-4753-8eb2-0d8682be287b",
+ "id": "bundle--350872dd-0156-4557-a326-a5278aa631c1",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--13aba849-5004-4457-9f3b-49e470b589e0",
- "created": "2023-03-20T18:43:44.617Z",
+ "id": "relationship--6f8ae8db-9657-45d9-bad8-5aef68644e76",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:07.597Z",
- "description": "Application vetting services could look for connections to unknown domains or IP addresses. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "source_ref": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290",
 "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d.json b/mobile-attack/relationship/relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d.json
new file mode 100644
index 0000000000..b3af6f60eb
--- /dev/null
+++ b/mobile-attack/relationship/relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d.json
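Review bot: Although git pairs these files as a rename at 52% similarity, the new side is a different STIX object: `id` changes from relationship--13aba849 to relationship--6f8ae8db, `created` is reset, and `source_ref` moves from an `x-mitre-data-component` to an `x-mitre-detection-strategy`. The old id therefore leaves the collection without ever being marked `"revoked": true` or `"x_mitre_deprecated": true`, so a consumer that syncs by id sees a silent removal and may keep a stale detection mapping for the same `target_ref`. If downstream users are expected to track relationship ids, keeping the old object for one release with `"x_mitre_deprecated": true`, or listing the removed ids in the release notes, would make the replacement auditable.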
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--bfbc7f66-f67b-435e-83a7-1d6716487e2b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6f96e9f0-1054-40f5-a8f9-3f926624752d",
+ "created": "2025-08-29T22:01:00.191Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:01:00.191Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling itself.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json b/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json
index cb14eb0beb..901ed2af2e 100644
--- a/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json
+++ b/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--10e0ffde-f2bf-4a68-865c-ff6cae67f650",
+ "id": "bundle--345aa20e-7611-4e10-880d-ea5a94c508b5",
 "spec_version": "2.0",
 "objects": [
 {
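Review bot: In the added `description`, "prevent the user from uninstalling itself" has no valid antecedent for "itself", since the user is uninstalling the malware; `has abused the accessibility service to prevent the user from uninstalling it.(Citation: MerkleScience_Godfather_April2023)` reads correctly. The citation key in the text matches the `source_name` under `external_references`, so the reference resolves as written.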
diff --git a/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json b/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json index a13912ef1f..e22f77d2b0 100644 --- a/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json +++ b/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--615877b5-40cb-4258-892e-5e67ce71d14f", + "id": "bundle--a7e4971a-93e3-45fb-b1cf-1ac7e2afc4df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json b/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json index b71258e2fb..f773917c09 100644 --- a/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json +++ b/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b1548af-8e86-4714-9fa9-5ace79c58957", + "id": "bundle--07f6a835-8ef9-405f-a5e5-3ae8e20b7d6b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json b/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json index b454398472..25c6c90279 100644 --- a/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json +++ b/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c269ee07-40a5-481e-93e6-162ec4039c9d", + "id": "bundle--24131d12-5e22-40a0-a754-77207b6fa3ce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--70215e99-74e2-4a6a-999a-76507c20a82d.json b/mobile-attack/relationship/relationship--70215e99-74e2-4a6a-999a-76507c20a82d.json new file mode 100644 index 0000000000..499bd0e7b0 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--70215e99-74e2-4a6a-999a-76507c20a82d.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--40cc4565-78d6-4f6b-ad5f-771b3356f311",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--70215e99-74e2-4a6a-999a-76507c20a82d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23",
+ "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json b/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json
index 602048a1c6..2c8dd7e2c3 100644
--- a/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json
+++ b/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da554311-edcd-4d99-b48f-537cdd918d6e",
+ "id": "bundle--c75d0689-1282-46d9-8b98-b51e54db55d1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json b/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json
index e6e2757c85..664ebe773b 100644
--- a/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json
+++ b/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--19ad2c08-5d2d-4be7-aec7-1239480b1d2b", + "id": "bundle--c15b15f4-228d-4a4b-9ea7-c28451ab30ef", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json b/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json index bc186ea704..020b4bb7d5 100644 --- a/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json +++ b/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04f7731a-c1c6-40a7-bd0b-5d8f0bbe6621", + "id": "bundle--5ace899d-0ee0-4b99-8bb1-5bd68f259484", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json b/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json index c7321f08e5..6cf6c7db4d 100644 --- a/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json +++ b/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--933e4886-1fbb-45d9-a21d-a20055115f97", + "id": "bundle--5770eaec-c536-46c1-a5a5-7bf60443cf29", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json b/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json index 63c51057db..92d527e151 100644 --- a/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json +++ b/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--072ce2a5-d257-4f37-93c5-5ce268944f71", + "id": "bundle--bcee1a23-b5b2-4e49-b0dd-089284ae5c4d", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json b/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json index a73523a08a..cfe304e612 100644 --- a/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json +++ b/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9fb79ff-5885-4b67-8a03-f5568041b79b", + "id": "bundle--88fe346a-88ae-4240-b91c-7bb1a0e12514", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json b/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json index 223ba3e99d..d11ac6e00f 100644 --- a/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json +++ b/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6aaf8caa-9d5d-4c0b-bdd7-982e2ac64870", + "id": "bundle--679983e9-0a67-47a3-beb7-27c0eea9636b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json b/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json index 8240056e7e..f9f7de4dd4 100644 --- a/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json +++ b/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0252edc-32bf-4d02-be2e-d952afe9e209", + "id": "bundle--db98cc36-e584-4c78-865a-df321bfa263b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json b/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json index 192d8c4b9d..f516bbc998 100644 
--- a/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json +++ b/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fecd0c42-f92d-4cdd-8e47-372a2522b3c5", + "id": "bundle--bc059eba-7359-41b9-b44a-1f6a0292d70e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json b/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json index 2ff016c743..1a3d712def 100644 --- a/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json +++ b/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--423f05ea-00de-45db-a2f3-53af66ca71a9", + "id": "bundle--2cce5119-a061-489a-9511-2882333184d6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json b/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json index 009695d490..d03960cd9f 100644 --- a/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json +++ b/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00bf846f-f8c1-4d65-9a78-7d99538c1170", + "id": "bundle--08d98290-fe17-4767-b6fb-9fee97bb0199", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json b/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json index cf3d9a77b0..1ad2fd96f3 100644 --- a/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json +++ b/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d00b54f9-2756-4291-b58a-da738ad44288", + "id": "bundle--8c38d322-6391-4814-8bfe-c32f3c21d456", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json b/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json index 54b2feaa9d..8d135207e5 100644 --- a/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json +++ b/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a45050f1-5b4c-4dc0-bb47-1435ef0be026", + "id": "bundle--ddb93622-5075-4a80-a3a5-ade3d89d1f5d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json b/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json index 56b0619c38..a5986421d0 100644 --- a/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json +++ b/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c485dd25-f519-4e4c-b0af-49bd98b424ea", + "id": "bundle--60c68055-c2c0-4ddb-86a5-98d86f74ae33", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json b/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json index b1be972264..7607e970ac 100644 --- a/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json +++ b/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a2ed97e-01f4-400e-be64-1651d1d93831", + "id": "bundle--2dad4baa-4302-4367-8866-32026f087277", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json b/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json index 5121cb4323..7c562fd406 100644 --- a/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json +++ b/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34a6d470-dd92-4058-b1bf-c1077fe2f3c9", + "id": "bundle--48b66e39-66e9-4cf0-bd1a-45d0d8cadaad", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json b/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json index 3510f54a81..92237f6dcb 100644 --- a/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json +++ b/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc55ae21-bb2d-4bf7-911a-c209f72b255a", + "id": "bundle--a93c51e7-9d00-4e87-8db3-e76b9c089476", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--72bb936a-a255-4823-9675-b39c7e19873c.json b/mobile-attack/relationship/relationship--72bb936a-a255-4823-9675-b39c7e19873c.json new file mode 100644 index 0000000000..ab927a24ea --- /dev/null +++ b/mobile-attack/relationship/relationship--72bb936a-a255-4823-9675-b39c7e19873c.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0fa64456-bbee-4a8a-94a8-8384b68961db", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--72bb936a-a255-4823-9675-b39c7e19873c", + "created": "2025-08-29T21:58:46.849Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:58:46.849Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information, such as credentials.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json b/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json index 412d7823c8..58beb807c5 100644 --- a/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json +++ b/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json 
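Review bot: The citation text in the new `external_references` entry of relationship--72bb936a runs the two authors together as `Ortega, F. Pratapagiri, V.`, and the `description` value ends with a space after the closing citation marker. I would write the author list as `Ortega, F., Pratapagiri, V. (2025, June 18).` and end the description at `(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)"` so the stored string carries no trailing whitespace. The same trailing space appears in the new or rewritten descriptions of relationship--75a8614f, relationship--76abec4d and relationship--77740738 further down. The URL slug (`the-dark-side-of-the-virtualization`) also differs from the cited title, so it is worth confirming that the link resolves before this reference is published.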
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf498650-51e5-4e32-b622-b382cadc6c82", + "id": "bundle--7600d61e-fae9-448c-929b-2beda14fb7e9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json b/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json index a5481f0ea1..2f312bccef 100644 --- a/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json +++ b/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6df8b75-fe53-4016-bf8f-cbeb95b9e3d3", + "id": "bundle--a4003d13-35d8-4e31-bc11-874ce18adc05", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json b/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json index 14b077a763..10e76a057d 100644 --- a/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json +++ b/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--845758d6-2cca-4309-a559-f095f61602d6", + "id": "bundle--a3ffa186-e8b3-4721-80ef-5f1784c073c8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json b/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json index 185fee1143..dc73b2a1f0 100644 --- a/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json +++ b/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c2671cd-a15c-4185-a73a-394c82c901bf", + "id": "bundle--e52b84cb-1481-4527-9e06-17e7fdc6c784", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json b/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json index d534456b6c..eafa6c4492 100644 --- a/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json +++ b/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9084bc8-7694-4baa-b6fc-359ee3b77b25", + "id": "bundle--7a967ece-cc5a-41ea-8cd1-48cab74a1e52", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json b/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json index eb66fbde99..2bf69b0e01 100644 --- a/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json +++ b/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64f2b85f-6601-43d3-88ab-1722e678fbbc", + "id": "bundle--b13edae8-415b-4475-843c-50677c8c6649", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json b/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json index 8a8a7ebf4a..8e5ac8cc62 100644 --- a/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json +++ b/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11211ec7-8647-44e4-a851-c7c768bbf8e5", + "id": "bundle--f0b33d93-c74b-43b6-a823-2b635268c52c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json b/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json deleted file mode 100644 index 7ac1091d13..0000000000 
--- a/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b6575f2f-3265-4466-bef0-b747fcba9b1d", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed", - "created": "2023-03-20T18:58:56.347Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:31.664Z", - "description": "Application vetting services can detect unnecessary and potentially abused location permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json b/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json deleted file mode 100644 index 898f1acbe1..0000000000 --- a/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--042fc961-7d6a-44f8-92e0-cfc6d4d886aa", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba", - "created": "2023-09-22T19:15:56.498Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:31.870Z", - "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json b/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json index 43162c629b..c09f5cbde0 100644 --- a/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json +++ b/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d29fa4f-1ae9-430d-a1eb-30704ee47e97", + "id": "bundle--5a6d5f3b-1e4f-424b-a5fe-9a5900552869", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json b/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json index ec97d17c02..3d6c93b2b7 100644 
--- a/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json +++ b/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26cae3a4-9366-48e7-8aad-1aec059e9d7e", + "id": "bundle--06b9c741-b772-4803-b512-f9092589dd08", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json b/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json index ebc8658f0b..2a1a838677 100644 --- a/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json +++ b/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3a94f57-1741-46d5-9806-557d74006405", + "id": "bundle--7383f69c-3a47-4a91-afc1-2a3d6853af95", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json b/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json deleted file mode 100644 index 1acb636f09..0000000000 --- a/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--dbc0237b-7ace-4210-b818-1b1fa59327a5", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6", - "created": "2023-03-16T13:31:29.822Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android Privacy Indicators", - "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", - "url": "https://source.android.com/devices/tech/config/privacy-indicators" - }, - { - "source_name": "iOS Mic Spyware", - "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", - "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:32.694Z", - "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json b/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json index d160a75df3..2454e3ea1f 100644 --- a/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json +++ b/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a67434c5-f5c8-4383-8524-f907ca6b0e6a", + "id": "bundle--ec00f9f0-d7ef-4739-81aa-7de00aa7a4af", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json b/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json index d1b649784e..92fbbb7e54 100644 --- a/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json +++ b/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1c39c72-36d2-46c1-a123-be91f45120da", + "id": "bundle--4f5c7582-6880-456c-bd86-b504dfeaf204", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json b/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json index b4e7fb8e14..1e1e87f0d2 100644 --- a/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json +++ b/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d48665b0-759f-4a38-90ae-4a3c83e6babf", + "id": "bundle--527d299e-3714-4314-aa4b-9eab48ece08f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json b/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json index 06b314352e..dfb0890b0f 100644 --- a/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json +++ b/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--626efa10-0918-46b7-bac9-87c4a2abef2f", + "id": "bundle--6d4b6051-e474-4aab-8b13-0b56aa682f2e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json b/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json index bfa4136758..77d7510132 100644 --- a/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json +++ b/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba206455-812c-4aee-9f43-ea320990318d", + "id": "bundle--37958fd8-3690-40ce-8650-1d6709b74758", "spec_version": "2.0", "objects": [ { 
@@ -14,19 +14,24 @@ "source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + }, + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:33.722Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", + "modified": "2025-10-08T20:23:56.915Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has logged keystrokes of an infected device.(Citation: cyble_chameleon_0423) Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has stolen PINs, passwords and graphical keys through keylogging functionalities.(Citation: ThreatFabric_Chameleon_Dec2023) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json b/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json index ee415acb6e..4c9c33c4bf 100644 
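Review bot: The rewritten `description` in relationship--75a8614f drops the mechanism that the old text attributed to the Cyble report, namely that keystrokes and the lock screen password were captured by abusing Accessibility Services. That detail is what lets a defender tie this entry to something observable on the device (an app holding an accessibility-service grant), so I would keep it in the first sentence: `has logged keystrokes of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)`. If the omission is deliberate because the mechanism is recorded on a separate relationship, that is not visible from this hunk. The object's opening fields sit above the hunk start, so only the reference list and the tail of the object are reviewed here.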
--- a/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json +++ b/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ccc3bde-7520-4f43-9c1c-ea23168bceaa", + "id": "bundle--6ec1cb76-bb1b-4603-ae13-a88cd2418a81", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json b/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json index f91eb3d28a..e9778b9277 100644 --- a/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json +++ b/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d66cbae6-3d7e-4052-ba36-028b7255b108", + "id": "bundle--995bd410-3185-4aa3-a662-5e8c64849014", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json b/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json index c8b8c97bd9..e4bbbc8293 100644 --- a/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json +++ b/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a87da69-7327-4903-a080-842da8fb1af6", + "id": "bundle--108b57a2-8e41-4b88-aeed-96c45bca24f8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json b/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json index 96c9f620ff..e9b44646e1 100644 --- a/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json +++ b/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--251c335c-50c3-4069-a7d3-987be399ea7c", + "id": "bundle--939fd0a2-10dc-4b77-9e7d-b891128be523", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json b/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json deleted file mode 100644 index fd24eb84b1..0000000000 --- a/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--8415098f-fd1e-4ba2-ba94-dcdec6aaeeca", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce", - "created": "2023-09-22T19:16:35.609Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:34.789Z", - "description": "The user is prompted for approval when an application requests device administrator permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json b/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json index eb916f3723..e94554a963 100644 --- a/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json +++ b/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7a03076-e33b-4f06-94c9-a018ef1d760b", + "id": "bundle--62acd244-05a3-4b86-a896-bc9e7811a571", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json b/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json index 8b0dfe1f6d..a7d9ee4a02 100644 --- a/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json +++ b/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df713684-9da2-4cb1-8b5b-b747ce3894d7", + "id": "bundle--5c50b27f-23e5-4499-aa87-bcf299de59a3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--76abec4d-469b-4f99-8c8d-625adca37702.json b/mobile-attack/relationship/relationship--76abec4d-469b-4f99-8c8d-625adca37702.json new file mode 100644 index 0000000000..1f4495c63b --- /dev/null +++ b/mobile-attack/relationship/relationship--76abec4d-469b-4f99-8c8d-625adca37702.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1186ab99-d2d5-4852-a282-b913527f14f9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--76abec4d-469b-4f99-8c8d-625adca37702", + "created": "2025-10-08T14:41:20.204Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:41:20.204Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has captured audio from the device by taking control of the microphone.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json b/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json index 5cf1efe258..8cb5a9387c 100644 --- a/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json +++ b/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3954164-47f9-4f8e-8a6e-59463ad3380b", + "id": "bundle--7ff9d601-9f68-401d-9f09-bf7e7f03875f", "spec_version": "2.0", "objects": [ { 
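Review bot: The reference text for `Lookout_DCHSpy_July2025` in relationship--76abec4d has a stray space before the full stop (`Israel-Iran Conflict . Retrieved September 19, 2025.`), and the URL slug spells the family `dchsy` while the title and the linked software object say DCHSpy. I would change the text to `...During Israel-Iran Conflict. Retrieved September 19, 2025.` and confirm that the link resolves as written. The slug may well be the publisher's own spelling, in which case it should stay as it is.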
diff --git a/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json b/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json index deaeb6ac4e..da932687f8 100644 --- a/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json +++ b/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3be9b4e7-cecb-4575-a7a5-037ac8133f21", + "id": "bundle--c4565bc5-26b0-4729-8b67-8c496acbc409", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--77740738-9796-4991-8898-dc2ba10c9c25.json b/mobile-attack/relationship/relationship--77740738-9796-4991-8898-dc2ba10c9c25.json new file mode 100644 index 0000000000..2b47e0a99b --- /dev/null +++ b/mobile-attack/relationship/relationship--77740738-9796-4991-8898-dc2ba10c9c25.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--3d0f7a29-d67f-4f29-bcd1-efcca8337b79", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--77740738-9796-4991-8898-dc2ba10c9c25", + "created": "2025-09-17T15:30:01.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T15:30:01.513Z", + "description": "OS feature updates often enhance security and privacy around permissions. ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json b/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json index d6b3367d34..a12e60cfbc 100644 --- a/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json +++ b/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b362426-4e57-4601-bf7a-5ea978155bd4", + "id": "bundle--e491fc4e-3481-4e54-9784-bd291b116dda", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json b/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json index a508ba162f..d6bb14dab2 100644 --- a/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json +++ b/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47a10004-823e-4b8b-8f90-315cdd6ba0f6", + "id": "bundle--506b8803-1081-4e41-9ede-e529a868bfa9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json b/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json index 935c1f9afa..fe9b203db1 100644 --- a/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json +++ b/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12fc3fc5-a9ec-49d5-8a25-bd16d4ea7fbb", + "id": "bundle--089b27ef-d55d-4a7c-a482-63263069e33e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json b/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json index 8af911833f..cda5c5fc27 100644 
--- a/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json +++ b/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe463704-24d8-43dd-a2f0-a28be790e53e", + "id": "bundle--b07d9bb9-736d-40cd-9706-583b7fd6c79b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json b/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json index e7267debfd..d781446346 100644 --- a/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json +++ b/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73893dc6-57a7-4c94-8c2c-45c8c089d802", + "id": "bundle--72003c62-4bc8-41f9-96d2-de20dac50f8b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json b/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json index 5389c99ea5..dc6a446abd 100644 --- a/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json +++ b/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--524301cb-ac14-4023-883e-41d3aa0ff62e", + "id": "bundle--787e0850-21bd-4d69-b651-f2ff572e530a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json b/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json index a59756451c..1c25c416bd 100644 --- a/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json +++ b/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a756d5f8-c487-4d95-8cb7-1db74d37a3e4", + "id": "bundle--5c9f0d30-207a-4c7d-9efa-a562d82d4087", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json b/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json index f838fea572..9cd28be127 100644 --- a/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json +++ b/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36860586-2505-4723-8325-aa22e9e08712", + "id": "bundle--f2b071cf-5b1e-412b-b041-32edfc883fa2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json b/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json index 7e4c1c8046..ff9baca8e3 100644 --- a/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json +++ b/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa8f8ddd-a1ae-4e12-8f88-7768ee9d6cb3", + "id": "bundle--2dd77b1d-30c6-4b69-9139-87970fab3e19", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json b/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json index edfec6b245..5e38967af9 100644 --- a/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json +++ b/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--184bcb86-04a1-44bd-8ccc-1e35dfff05a1", + "id": "bundle--d4ce7655-8fc0-477c-bf99-4859f7c4785d", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json b/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json index 159ad08115..4dd7f1fdbd 100644 --- a/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json +++ b/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aabe16b5-7eaa-4892-85fa-6ece7f5678fb", + "id": "bundle--622fe4d2-a28c-44c5-8483-54ed22800cd8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json b/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json index 125c0310fe..38e26ab3b6 100644 --- a/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json +++ b/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a89a4427-e3de-4989-9ddf-00a1fb71f98e", + "id": "bundle--e2e157b5-fff3-441e-9230-e82e227a4a0b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json b/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json index 278a8a24f4..97160a2de1 100644 --- a/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json +++ b/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b99b9ad-8db1-4643-b9b4-2b05c73688ea", + "id": "bundle--eb763817-b387-4149-97d7-57761ec9c00d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json b/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json index 97f7d63578..2acff5efb8 100644 
--- a/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json +++ b/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7bd7893-59a8-4906-8639-37fa2dfb8ea7", + "id": "bundle--2298fb86-81e7-4f41-8135-1b011f2d7e7b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json b/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json index e76a7f6bb4..d9d6c5784c 100644 --- a/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json +++ b/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aafe3ae3-8dbf-4595-bf66-b8bddf31113c", + "id": "bundle--a3ddfb1b-43b8-4cb1-95dd-fcd488eb613e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json b/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json index eb2fd6f296..7da145ad0a 100644 --- a/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json +++ b/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ef8788b-6290-4b9f-a0cc-3b04f5630940", + "id": "bundle--e6de9563-3774-4085-ad4e-2e2b5a65a763", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json b/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json index a0c4132e71..3a2f625c1b 100644 --- a/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json +++ b/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7eb5567d-997d-45e0-9262-f247d8e7e517", + "id": "bundle--35fabb6d-eef0-44ef-8c3a-d3d39e75a480", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json b/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json index b243597936..aac8df976b 100644 --- a/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json +++ b/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65d77914-0c9d-4868-8e22-2c9f86004a28", + "id": "bundle--db62d06b-f8c1-4173-bd91-b6c6a1177038", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7a06bcec-4d1a-4b50-89f8-36f145512050.json b/mobile-attack/relationship/relationship--7a06bcec-4d1a-4b50-89f8-36f145512050.json new file mode 100644 index 0000000000..9eb90225c6 --- /dev/null +++ b/mobile-attack/relationship/relationship--7a06bcec-4d1a-4b50-89f8-36f145512050.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--5bc09538-7028-43b2-805c-27dff110921c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--7a06bcec-4d1a-4b50-89f8-36f145512050",
+ "created": "2025-10-08T20:12:59.696Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T20:12:59.696Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has captured the device\u2019s screen.(Citation: ThreatFabric_Chameleon_Dec2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
+ "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json b/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json
index 559d828eea..0432d17ff6 100644
--- a/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json
+++ b/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3ed59451-484e-486c-b3d0-78975c5111b6",
+ "id": "bundle--6d84a6c4-5e1d-4233-ba89-a2a8be7da8ba",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json b/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json index e25718ce34..5134100106 100644 --- a/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json +++ b/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aeff196c-07b0-4108-855a-4b054aa57b3f", + "id": "bundle--eef0fd6e-1e5a-4d01-ac4d-b71ca53b6508", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json b/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json index 0ff20a3364..a6d95c4606 100644 --- a/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json +++ b/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cb80414-956e-4aac-8b7f-e0f8c9dcb2c8", + "id": "bundle--b075828c-43ca-4aac-a5aa-aecc623954a9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json b/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json index f211a086a6..f458625c6a 100644 --- a/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json +++ b/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eed5aa8b-edd8-4f9e-84d9-252d3e780296", + "id": "bundle--b1779f84-f32b-4380-af51-4341f3e1a7e4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7ae22228-126b-4661-b378-6cdc0b90f35d.json b/mobile-attack/relationship/relationship--7ae22228-126b-4661-b378-6cdc0b90f35d.json new file mode 100644 index 0000000000..4097fa26e5 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--7ae22228-126b-4661-b378-6cdc0b90f35d.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--25e0fd2f-d160-4f9f-8c37-d007677b31ce",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--7ae22228-126b-4661-b378-6cdc0b90f35d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc",
+ "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json b/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json
index e02338b4dd..bff92689ae 100644
--- a/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json
+++ b/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f8b94eda-f857-4306-8c0f-bde541488b44",
+ "id": "bundle--79972df0-782a-47ba-b2fb-157fb906b3a3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json b/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json
index 7a9dee83f5..27baca5fb1 100644
--- a/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json
+++ b/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json
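Review bot: `"description": ""` in the new `detects` relationship relationship--7ae22228-126b-4661-b378-6cdc0b90f35d ships the key with an empty string, and the object has no `"revoked": false`, which the `uses` relationship added by this same commit (relationship--7a06bcec-4d1a-4b50-89f8-36f145512050) does carry. A consumer that renders or indexes relationship descriptions gets a blank for this detection edge, and one that reads `revoked` has to treat absent and false as the same thing. Either omit `description` or fill it with a one-line summary of what x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc observes, and add `"revoked": false,` after `created_by_ref` for parity. The same two points apply to the new file relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1 and to the renamed relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421.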
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e57a198-a082-4a71-a363-1d6da8335514", + "id": "bundle--ff071bf6-a468-4554-a069-e818f52c5ac2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json b/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json index 9dae91644a..d7062018a5 100644 --- a/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json +++ b/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97fc2320-3ee6-47af-b902-e7ae3af048fc", + "id": "bundle--1a12308d-901c-4040-bfe1-a66afe1f0e8e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json b/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json index ffe5c5e765..b0644a23b3 100644 --- a/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json +++ b/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--833caccb-bcd7-4c07-b496-492bb69893c1", + "id": "bundle--efff8cc1-c436-4f13-aa98-87b202c2ef47", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json b/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json index 3d32368fb8..8625d0160e 100644 --- a/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json +++ b/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ae28846-77ec-4278-ad79-78a77c9a6bca", + "id": "bundle--c702da55-3c70-4137-81cb-aac8b55760b4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json b/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json index 9cfcbf8935..cf9fcfd041 100644 --- a/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json +++ b/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6dacd95-901a-498a-b92f-9472e19fca13", + "id": "bundle--2bd7810c-331f-4d61-80f4-c9b637cd9c86", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json b/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json index 5e0d3df2e5..57e2ff28f8 100644 --- a/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json +++ b/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--deec6994-95b9-44b9-bdef-aeca4b36c6f9", + "id": "bundle--eb54c752-71d6-4bbb-a8b2-2e7613859da1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json b/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json index 61164e584b..a741fc6e60 100644 --- a/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json +++ b/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d963e6a-4909-4e21-975c-01db3f5deab3", + "id": "bundle--0e35325f-c849-4e2f-beb6-56cd959f3e82", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json b/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json index acfd599a37..569da59a22 100644 
--- a/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json +++ b/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cb6170b-4825-40a6-83d3-d479fbf20df6", + "id": "bundle--6d471166-475f-4a2c-8a58-e09a01ce58d4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json b/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json index 41980a8c7b..8d807bf247 100644 --- a/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json +++ b/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b79e51a8-35d3-4ac6-978b-c5a923514402", + "id": "bundle--1eb9e3a9-bdf7-450f-8dbe-151ce32be5a6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1.json b/mobile-attack/relationship/relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1.json new file mode 100644 index 0000000000..1893fbddac --- /dev/null +++ b/mobile-attack/relationship/relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--aa81bb9a-7be9-4551-b99c-0338383eaa35",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--7bb81707-5a6b-4332-8c32-4af208db7ae1",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19",
+ "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json b/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json
index ae632ec505..1e84cbe0a7 100644
--- a/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json
+++ b/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dbb11bd9-02ee-41e7-aaff-d8202b2cdb95",
+ "id": "bundle--7d6c106b-4263-4eb6-b962-14c6879956f1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json b/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json
index d5f64569a4..fa472159d0 100644
--- a/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json
+++ b/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2330c234-028c-4777-81e1-4a035f195579", + "id": "bundle--48a3802f-8ed0-43aa-8ae8-96df316067e5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json b/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json index 47c6af3ebc..10adfacdb1 100644 --- a/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json +++ b/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--155558b5-a2d8-4bde-8d82-63bc120c5761", + "id": "bundle--fd45c742-6c14-4182-a632-ac3b135fc8cb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json b/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json index 36d0de6c37..cc9db7b765 100644 --- a/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json +++ b/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54842116-46af-4e9e-a7ac-a93ac8081a07", + "id": "bundle--7bbfeb49-e9e0-48cd-b447-cd1fb43960a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json b/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json index cce4163216..fc56f5d3c9 100644 --- a/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json +++ b/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef1a9db1-614e-4d78-943f-fcf27c9394ba", + "id": "bundle--97b3f982-de5f-4006-b697-3942401198e3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json b/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json index f8e6cb0493..3edb9ff2fe 100644 --- a/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json +++ b/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23680b0e-14b4-4158-b87b-20e95776d1cc", + "id": "bundle--f027a0ab-f3d1-4860-afe9-1a73e186dba4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json b/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json index 7b3e9d04c1..b17b080501 100644 --- a/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json +++ b/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef0e152e-381f-4e26-91f3-4384cd1b4877", + "id": "bundle--f27edbce-447b-4783-b9f6-f520147fb695", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json b/mobile-attack/relationship/relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421.json similarity index 52% rename from mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json rename to mobile-attack/relationship/relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421.json index b1ee43b019..ad4b311439 100644 --- a/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json +++ b/mobile-attack/relationship/relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--52b34049-a614-43ba-8bc6-f96cfe30653e",
+ "id": "bundle--bbbd64de-13e8-429d-8786-5dba257de45e",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b",
- "created": "2023-03-20T18:59:46.622Z",
+ "id": "relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:41.425Z",
- "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858",
 "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json b/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json
index ff0e8fd673..a118e0f8fc 100644
--- a/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json
+++ b/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f8d2c0b6-f86a-46eb-8a2c-2c7fa213f11b",
+ "id": "bundle--a57de68f-5da7-4591-b963-2dd27b6ad06b",
 "spec_version": "2.0",
 "objects": [
 {
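Review bot: The rename hunk `@@ -1,25 +1,24 @@` swaps the relationship `id` from relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b to relationship--7caf7bf7-7b53-4e5c-8c18-db8d6698e421 and resets `created`, so the old identifier disappears instead of being kept with `"revoked": true`. Tooling that syncs this dataset by STIX id will presumably see an unexplained removal plus an unrelated new edge, and a detection-coverage map keyed on the old id would lose its entry for attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd without any signal. The hunk also replaces the attestation sentence with `"description": ""`; if that guidance now lives on x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858, which is not visible here, the commit message should say so, otherwise keep the line `"description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.",`.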
diff --git a/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json b/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json index 2dec811203..33691ba406 100644 --- a/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json +++ b/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc683adb-0704-4471-98bc-38e61d47e587", + "id": "bundle--c175b2a2-2ac5-4756-8af9-9d52b99217e3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json b/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json index 78c8857e32..3040d9654a 100644 --- a/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json +++ b/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51198691-428b-4f66-8078-e7229746d966", + "id": "bundle--39eeef56-c6c1-4029-8dbb-6ce968db8dba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json b/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json index c73f9d5f1b..9ee07f40ba 100644 --- a/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json +++ b/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7643071d-af8e-44f8-bf8f-6ae4c8eb2930", + "id": "bundle--954337e4-d007-4667-b321-3ba548b4c39c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json b/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json index bc805ca751..31621545d2 100644 
--- a/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json +++ b/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7011236-31d1-44cf-a0b4-13938fa2bed2", + "id": "bundle--602ad873-673d-4dd8-a5b7-4c5219eb2eda", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json b/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json index 5bdea18fd2..4f83ead2e0 100644 --- a/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json +++ b/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83cec08d-61ce-43dd-85ce-51311d1208ed", + "id": "bundle--0c72708f-0d9f-471b-b9c2-7736c3ebdb42", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json b/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json index 5fae76f77e..ca1ab2c5fb 100644 --- a/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json +++ b/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--278dbe04-4dde-40d1-a40b-f68d376940ee", + "id": "bundle--e72913d8-cab6-416f-97da-4fb5f902ef89", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json b/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json index 46f0677c73..048a0de9a8 100644 --- a/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json +++ b/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--85590050-0d3b-4cd3-9598-fb561f28e708",
+ "id": "bundle--28fe8db3-342d-4e7e-875f-9c3d12562793",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json b/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json
deleted file mode 100644
index 826dc8b283..0000000000
--- a/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--304d1135-efad-4284-85c0-e3529685f84d",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--7e8956e3-7d90-412d-a82f-d61e43239923",
- "created": "2023-03-20T18:44:01.387Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:49:46.272Z",
- "description": "Application vetting services may indicate precisely what content was requested during application execution.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json b/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json
index 7ce2716f3c..f4d4e57ce3 100644
--- a/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json
+++ b/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cad716fc-0ace-4e70-9143-1c566d5c297d",
+ "id": "bundle--1a386178-32f3-4a69-841c-426e7148b6b1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json b/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json
index 87abc6b38a..4e4009e3aa 100644
--- a/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json
+++ b/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2bacdf54-dde9-47dd-ac3f-79c987fc568e",
+ "id": "bundle--de1687b4-50b5-48a4-83d2-148f5452599f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json b/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json
index 02ebecc6b1..8214bc284a 100644
--- a/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json
+++ b/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--49944454-7a32-4961-b784-bdceb2431daf",
+ "id": "bundle--dc56aef2-baef-4d56-8d71-503c7672a8d5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json b/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json
index 99be379ac4..e0f7e17c5a 100644
--- a/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json
+++ b/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7ddc3fbc-bc85-413a-b3b8-02afb1f0d046",
+ "id": "bundle--edbbb58a-9d1f-45cf-843c-e78711c7ab14",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json b/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json
index 876ddefbd8..75090b15ff 100644
--- a/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json
+++ b/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e0fbf59a-e18c-487a-a9d2-ab9a4bea2716",
+ "id": "bundle--eb378f31-de4d-4cd1-bf9f-b8a856d8bbd9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json b/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json
index 4fbbd7f0d7..38bf6970dd 100644
--- a/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json
+++ b/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8e25a722-4c8f-48f3-b0bc-c657eff37ed9",
+ "id": "bundle--0d77ed85-025f-4c75-ae26-deaf0e89eae3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json b/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json
index 683c855f92..5066221840 100644
--- a/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json
+++ b/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ef82f472-52d0-4cee-b8df-a7d1ecf48dff",
+ "id": "bundle--51488c94-2b7e-4050-9e6b-c72401a608ed",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json b/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json
index bf88c98932..c8cf0ce176 100644
--- a/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json
+++ b/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3157363e-0f64-48f7-a761-384f3b2e3db2",
+ "id": "bundle--2db3e377-c3f7-4a86-a2b5-bde920ced899",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json b/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json
index e4f8b4b1d1..c1310b439b 100644
--- a/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json
+++ b/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e4929b38-9a89-4dbe-8988-46d81aa1ec66",
+ "id": "bundle--3c0921ad-8747-4d34-aea2-2445eec947c1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json b/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json
index 790dad5b6e..738fb8d962 100644
--- a/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json
+++ b/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1cc147d4-9c72-413a-8f57-d5cbd6fe5249",
+ "id": "bundle--7697c746-85d1-421b-9742-d83b94be5ea6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json b/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json
index b286ca8946..90286dd932 100644
--- a/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json
+++ b/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fe1a83e2-770b-4eec-81da-3646df037d99",
+ "id": "bundle--56377e8f-ea1d-4c61-82b7-de5bff4b6910",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json b/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json
index de49b132a0..812c00ecba 100644
--- a/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json
+++ b/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4ff56c0e-b6f7-4dd9-acbb-0fcad7dfcc49",
+ "id": "bundle--9061035f-4a9a-4334-95ef-8b1c9b05f587",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json b/mobile-attack/relationship/relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a.json
similarity index 52%
rename from mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json
rename to mobile-attack/relationship/relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a.json
index e0c5a802f7..ef3be56836 100644
--- a/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json
+++ b/mobile-attack/relationship/relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--dc9de211-9d54-473a-a53f-d64bc3af0780",
+ "id": "bundle--84eadf63-d19b-4805-b561-0307b4a00482",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--7793a066-d72b-4a60-9579-e16369ea7185",
- "created": "2023-03-20T18:57:55.221Z",
+ "id": "relationship--80fecb31-36e5-41e7-8064-15ccd22dbe8a",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:35.870Z",
- "description": "The user can view a list of apps with accessibility service privileges in the device settings.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "source_ref": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a",
 "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json b/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json
index 09e4be8663..6ae0fe684b 100644
--- a/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json
+++ b/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7c1dd8ce-a47a-418d-8da4-09e908e91c96",
+ "id": "bundle--b8f25309-2c1e-49d1-87d5-a7199a071de3",
 "spec_version": "2.0",
 "objects": [
 {
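Review bot: The re-created `detects` relationship in the `@@ -1,25 +1,24 @@` hunk ships with `"description": ""`, so the human-readable guidance the old object carried ("The user can view a list of apps with accessibility service privileges in the device settings.") is gone and nothing in this hunk replaces it. Presumably the guidance now lives in the referenced `x-mitre-detection-strategy--37c50db7-…` object, which this hunk does not show; if that is the intent, omitting the key would be clearer than an empty-string sentinel. Git pairs the two files as a 52% rename, but the relationship `id` and `created` both change, so tooling that keys detection coverage on relationship id should treat this as a delete plus a create. The new object also drops `revoked`, while the relationship files added elsewhere in this commit (`relationship--8128aebb-…`, `relationship--817d1e5f-…`) set `"revoked": false`; consumers should read an absent `revoked` as false.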
diff --git a/mobile-attack/relationship/relationship--8128aebb-c665-4939-9615-aee9125b6373.json b/mobile-attack/relationship/relationship--8128aebb-c665-4939-9615-aee9125b6373.json
new file mode 100644
index 0000000000..a2cfb3aa8c
--- /dev/null
+++ b/mobile-attack/relationship/relationship--8128aebb-c665-4939-9615-aee9125b6373.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d6c0d69a-2227-4d04-8f9e-ed87e8760a34",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8128aebb-c665-4939-9615-aee9125b6373",
+ "created": "2025-08-29T22:05:18.786Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-08T14:31:22.774Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted and recorded sensitive information from the application to include user credentials. [GodFather](https://attack.mitre.org/software/S1231) has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials which are captured.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
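Review bot: The `description` string of the added relationship ends with a space before the closing quote (`…GodFather_Jun2025) "`), which leaks into rendered text and defeats exact-match comparison of descriptions; the value should end at the citation's closing parenthesis. The same trailing space appears in the `description` of the added `relationship--817d1e5f-…` file later in this commit. In the `external_references` entry, the author list `Ortega, F. Pratapagiri, V.` has no separator between the two authors; `Ortega, F., Pratapagiri, V.` would read unambiguously.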
diff --git a/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json b/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json
index d26108cdd0..0d39a7d6ed 100644
--- a/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json
+++ b/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5bdd1ac0-4486-477e-81c6-4e9cb66570ef",
+ "id": "bundle--37e99dc0-2e3b-471d-82b8-2b118cb22a61",
 "spec_version": "2.0",
 "objects": [
 {
@@ -14,19 +14,24 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:49.378Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-10-08T20:17:26.651Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has prevented application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--817d1e5f-5795-4189-81dc-bf90476e7adc.json b/mobile-attack/relationship/relationship--817d1e5f-5795-4189-81dc-bf90476e7adc.json
new file mode 100644
index 0000000000..aa6e5a9f6b
--- /dev/null
+++ b/mobile-attack/relationship/relationship--817d1e5f-5795-4189-81dc-bf90476e7adc.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--a1e966be-1642-42f6-b1d3-eff0e6c328bc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--817d1e5f-5795-4189-81dc-bf90476e7adc",
+ "created": "2025-10-22T21:26:05.954Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-22T21:26:05.954Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the \"Allow\" button when a system dialogue appears.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json b/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json
index 73a760c96c..a278a1fcea 100644
--- a/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json
+++ b/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--089713dc-1f2d-4e32-bd81-f49583c82872",
+ "id": "bundle--7ba940dd-47fc-40b6-a809-975a8953b369",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json b/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json
index 6499879ed6..6fceabb960 100644
--- a/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json
+++ b/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4af35781-60f2-4b18-a6e7-646093bd30ea",
+ "id": "bundle--ea8a7b24-ff71-4114-923d-3b20934b0ebe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json b/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json
index 948a5639dd..981d711c43 100644
--- a/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json
+++ b/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--737ab9ae-a0ae-4e23-9936-093648082a64",
+ "id": "bundle--5ccf348a-cead-4438-870a-133fcd76cd66",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json b/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json
deleted file mode 100644
index 77a4426d11..0000000000
--- a/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--065c1d09-7f65-4fdf-bd74-53322deec2e6",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416",
- "created": "2023-03-20T18:52:56.247Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:49:50.263Z",
- "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json b/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json
index 64e1d67f91..35a33ae5db 100644
--- a/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json
+++ b/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c39e9ce6-33fd-41fc-a339-675b0efdf15b",
+ "id": "bundle--3499446d-b6b2-4c0e-a975-884b7ed6c690",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json b/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json
index 1adc5ed85f..5775c9e6df 100644
--- a/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json
+++ b/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53ccc957-a563-48bb-8e2c-db086fdd6b80",
+ "id": "bundle--f00c2401-c6fe-4692-909a-588381f43d5c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json b/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json
index 7d85bf50fc..45dc33bdc2 100644
--- a/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json
+++ b/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4c68849b-e1bb-4570-aa33-9a178cdffc0c",
+ "id": "bundle--a6ed2cea-bb37-4b7f-bb65-a689d09cd670",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json b/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json
index 0ed6bab07f..20a8ed9608 100644
--- a/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json
+++ b/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18117147-da74-434b-b847-160b109e6622",
+ "id": "bundle--6f75164b-d595-4937-b1c4-02fe93d2cd90",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json b/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json
index 0fe372ba33..f12242c210 100644
--- a/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json
+++ b/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2d226940-0987-4943-85d2-2eb1a8986648",
+ "id": "bundle--75d50037-547a-4a24-8442-bd0df10f0013",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json b/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json
index 438ed65327..7fd2f9a6eb 100644
--- a/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json
+++ b/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ae392278-d5ea-4b73-9a72-359f674a2cef",
+ "id": "bundle--46a113f0-9a78-4ea1-8289-9528bed99095",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json b/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json
index 517faa4894..dd943d8d23 100644
--- a/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json
+++ b/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9b3a564e-5f2b-4f7e-b958-0566fe964753",
+ "id": "bundle--a981a03d-818e-4452-ad21-9dc7152d5cf7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json b/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json
index 57c4961cd2..4ba1822ac2 100644
--- a/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json
+++ b/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57fd108d-471e-4dac-8713-b0b8be11561f",
+ "id": "bundle--40e5be39-6cb1-4444-b965-6553b2ee62b2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json b/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json
deleted file mode 100644
index 9d0b70f7ea..0000000000
--- a/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--fdc91541-ba59-4fe7-af15-7be45387f42f",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--82b58c75-239e-4dac-b848-bc1f3354adc4",
- "created": "2023-03-20T18:41:18.288Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Samsung Knox Mobile Threat Defense",
- "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.",
- "url": "https://partner.samsungknox.com/mtd"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:49:52.408Z",
- "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json b/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json
index 30989a7c58..f88f2677b4 100644
--- a/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json
+++ b/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e3e58514-3cc1-4729-aac0-555e520ce031",
+ "id": "bundle--342feaf3-905f-47cb-91c2-fa65de9a3509",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json b/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json
index 07ffd2235d..2d24e09bbd 100644
--- a/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json
+++ b/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c37debc8-4a0b-4a54-9d6c-f833cba71a0b",
+ "id": "bundle--c066f72c-b3e6-45f1-8fbd-27d81ab847f8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json b/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json
index c965338882..9b8cd2a59a 100644
--- a/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json
+++ b/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a8fe3a81-2709-45d1-88a8-5c4b783ccee8",
+ "id": "bundle--c1dd3779-81f7-4487-8f70-868ce45de14f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json b/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json
index 4578789164..f5277a6340 100644
--- a/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json
+++ b/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1f70fc9a-ca29-4e59-ba8a-4f7d8ab7460b",
+ "id": "bundle--3fedc422-56eb-4928-8f81-74f002854a17",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json b/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json
index d2bf7473f4..d3ca996f25 100644
--- a/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json
+++ b/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d13af83d-f51f-4561-aa24-a98e4fba92fc",
+ "id": "bundle--5a7a44b2-01b3-4d6b-a560-0e6340bf5bc7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json b/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json
index 8b45299b2f..c05e34a188 100644
--- a/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json
+++ b/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6c703115-1f64-4b17-a205-9b1dbe805460",
+ "id": "bundle--808dc978-3d32-4a0b-adfe-627e25fc64ec",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json b/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json
index 097e3fd6ee..54ba4d6cf8 100644
--- a/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json
+++ b/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--52c81ca1-93c8-4907-ade2-c87132677a03",
+ "id": "bundle--6733624b-1db7-443a-bfab-cc16f8eb6eec",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json b/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json
index e4cb45ad8e..2913092a5e 100644
--- a/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json
+++ b/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a6e8621d-14a4-4703-9a3f-f8bd650b1e5a",
+ "id": "bundle--249efa8f-9e34-43cc-b141-5729b72a03db",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json b/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json
index 36549d3cad..e88776590d 100644
--- a/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json
+++ b/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--de0516b4-84ff-478b-86d8-b32c4fd04961",
+ "id": "bundle--af512142-3528-4c98-9730-762ac72eafd4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json b/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json
index 2c661ebc04..099d708e30 100644
--- a/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json
+++ b/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--34240170-b10c-41be-aacd-73e0787e5f2c",
+ "id": "bundle--f6e1252d-c442-4896-8dee-b0470f5045df",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json b/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json
index 3901f43c74..c33f2f421e 100644
--- a/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json
+++ b/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6cd812f-8b57-4b8a-82ec-f721f7deb705",
+ "id": "bundle--30cfc3c5-89ee-4372-83ca-6fe12d98ac12",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json b/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json
index 818a45550b..cac4c3f406 100644
--- a/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json
+++ b/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac6f3d06-4902-40a4-b949-21056d4a2b02",
+ "id": "bundle--21d78e75-203e-4cc9-9131-cbc6ce566643",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json b/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json
index 9a6a368a54..7868fb59d2 100644
--- a/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json
+++ b/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d52dd1bc-9b06-439a-972f-6d234bafd5e9",
+ "id": "bundle--1f5889d9-e07d-4a2e-8681-40c76b6e20f5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json b/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json
index fab20f526c..eaf9bb0404 100644
--- a/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json
+++ b/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b498e89-364d-44f7-bc61-125f62bc281e", + "id": "bundle--6d90da4c-69b4-4156-97a1-a3c0fad9110c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json b/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json index 6d4289c37a..13629f20bd 100644 --- a/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json +++ b/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba216b5b-c3ee-4dc5-81e0-3214478f5849", + "id": "bundle--288b99b4-3ae4-4c5e-b107-547786b81c7c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json b/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json index 38383b8d94..9031266259 100644 --- a/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json +++ b/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--884df0a2-d46d-40fb-8b6b-511d43695349", + "id": "bundle--089f01ea-929f-435b-b085-a0c891ba0fdc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json b/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json index 330dc6b926..deb7d5678e 100644 --- a/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json +++ b/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6f9965a-e4af-413e-b9fe-b1323c796ac5", + "id": "bundle--0d454336-d4b0-479a-9fcb-4cd5cfd613e8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json b/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json index 64b99b93a8..900ef00f7e 100644 --- a/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json +++ b/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d95032f-4f0a-4efd-af68-43dc02c5c55c", + "id": "bundle--b0648923-f2f8-4949-99ab-6b72a7730acb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json b/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json index 885bf3b64e..4bd6a9ba50 100644 --- a/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json +++ b/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a5cb037-a97e-4559-b758-34823b607c3c", + "id": "bundle--9dfa9b9b-7a70-43d3-a00a-96c3957feab7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json b/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json index 53220a7822..d1c65a18a4 100644 --- a/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json +++ b/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b69f0d09-1693-41e5-87b3-cac0f9fb41cc", + "id": "bundle--a7fa6656-b0a9-4b71-affd-e60e89941f18", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json b/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json index dba271558d..1725660e62 100644 
--- a/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json +++ b/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9814699c-a6fc-40a2-b12f-c9876ec09f17", + "id": "bundle--fb9063ef-2b79-46d3-a25b-68d50e476eb4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json b/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json index 7622540946..0758b80a0e 100644 --- a/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json +++ b/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fc7403c-bead-4a3c-aef3-74eb577af717", + "id": "bundle--135bf875-442e-492a-99fe-42c40b80e351", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json b/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json index f7ec6cf793..e98df398f9 100644 --- a/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json +++ b/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec24edb2-6e1a-4a27-a364-cd0d1e136d76", + "id": "bundle--80c43cc5-4d5e-4a95-96a0-a8a4ea191103", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json b/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json index a56a6c1140..2b28748986 100644 --- a/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json +++ b/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0d3657a-43a1-4061-a467-672b82ac4820", + "id": "bundle--4f10de61-3bc8-417e-9e0a-f2f782e38939", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json b/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json index 4d534892bd..51dd96c3f6 100644 --- a/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json +++ b/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fb9feac-cf8d-48c9-95d1-a3f6648e661d", + "id": "bundle--f79c3a07-8231-449c-b700-14082c34f829", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json b/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json index 6e56acb813..8290325776 100644 --- a/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json +++ b/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d99d6044-f904-4c3f-8c34-beed5747a3e2", + "id": "bundle--4f1df749-d139-46b0-80b6-9b011a4e7dfb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json b/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json index c72879d6ab..e165343fa6 100644 --- a/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json +++ b/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b07676d-03a5-44a1-8787-475e2e3f2ad6", + "id": "bundle--b2fea607-7c78-4c07-8012-b4b266c82864", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json b/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json index 8a5237a7bf..cd7c06ff97 100644 --- a/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json +++ b/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca1f3b92-858d-46f7-b7f5-f8091f3f21c8", + "id": "bundle--b92db749-7b7f-4511-8051-fccae21829da", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json b/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json index d99a028e49..6856d1acdb 100644 --- a/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json +++ b/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d9f65dbe-4237-458f-9c30-ce579d776e17", + "id": "bundle--c2f3eda5-1977-4608-8efb-96294d65b6f7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json b/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json index b774d8c73d..03984c93a9 100644 --- a/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json +++ b/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7006c77f-58b1-46f7-8b23-494fe545aa8b", + "id": "bundle--52ea8ebb-b704-43df-a61b-3dfd7d8d8018", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json b/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json index 3416aa09cf..d81577923f 100644 
--- a/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json +++ b/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ca91763-413f-4102-b902-7b61b56c9889", + "id": "bundle--d0119517-1c96-409b-adbe-d5008cd3f5cd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json b/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json deleted file mode 100644 index dc8940038b..0000000000 --- a/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--18ad5751-abe0-4d17-a63b-515d411a6cd1", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--886849fc-f83c-4d69-b700-bfad0def765d", - "created": "2023-03-16T18:32:30.054Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:49:59.268Z", - "description": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json b/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json index b6126ec5bf..0d62de86b9 100644 
--- a/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json +++ b/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c32f5d1c-a664-4870-858b-0b4e46b8bc5e", + "id": "bundle--f0d6257a-fbe0-49bd-95f9-1487d855aaf5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json b/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json index 569a3c0c00..0d677fb57e 100644 --- a/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json +++ b/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2511e29-29ff-4686-af87-99edb7387e0b", + "id": "bundle--4bb0261c-d15a-44ec-b49f-2659829b908e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json b/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json index 2a3cbb044d..b4e7dae728 100644 --- a/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json +++ b/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bdae2347-b1d9-4d17-870e-70c3702a8b6b", + "id": "bundle--5e6e7ef4-b490-4363-8a80-16048593e18e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json b/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json index 37a61b4d3f..d959394c8d 100644 --- a/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json +++ b/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f01ead5-a83e-4167-9a5b-153e10f1e537", + "id": "bundle--0dd986f0-607e-42b9-b3f0-57798f8755f0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json b/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json index 75f57f8ea7..a0ef3c6fe4 100644 --- a/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json +++ b/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94e94d1f-033c-4b83-a459-b5a01d6e3777", + "id": "bundle--c3b3a8b4-a5ad-4dd0-b3ec-9b75721a4afc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json b/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json index a35bc2673d..8b65ccd4fa 100644 --- a/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json +++ b/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2212fda-a466-42e4-990f-8f888cb499aa", + "id": "bundle--5f04453a-5524-4e32-96c9-8bc54a94962a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json b/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json index 360901e72f..0af68b38e1 100644 --- a/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json +++ b/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--619adf9a-270d-43d5-94a0-d13d0ca5f891", + "id": "bundle--f3fda3ab-a96a-49ab-97dd-687e0ff95db3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json b/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json index 30e67e50d1..0a4c3f34f8 100644 --- a/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json +++ b/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--baeecaa7-b66b-4f08-b110-5ed41469dcf1", + "id": "bundle--bc63a2c2-cc9f-48eb-abea-1cc6faec0678", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json b/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json index badd95db75..0e280201c5 100644 --- a/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json +++ b/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--649366c5-8274-4bc0-a1c8-c3a4bf51ba51", + "id": "bundle--412ced40-cc48-4d78-9f19-8f2f5423a2c0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json b/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json index 80c5d570bd..87691a4f18 100644 --- a/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json +++ b/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9dccabb7-f6ca-4b58-8012-a716ecb61c48", + "id": "bundle--2f9e079a-5616-4ec2-9ec6-6eba949f8a42", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json b/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json index 8a8fcb8c75..fe8f0ab5f2 100644 
--- a/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json +++ b/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39c6991b-46e1-4f27-82c1-2fbe195ea63c", + "id": "bundle--a77f6f4d-4354-487c-a5b8-5755e2ff4141", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json b/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json index 10cee5cd63..f12958f3a2 100644 --- a/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json +++ b/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46492746-38e9-48fa-a2e8-1df4ee2419fb", + "id": "bundle--6190f828-52ea-44d7-a3dc-25192f4d8752", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json b/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json index f5eaba17d4..bd6b5b9dae 100644 --- a/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json +++ b/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74d5173e-3278-42f2-9460-88d85fca35f8", + "id": "bundle--093fc3bb-5315-4180-ae84-22d4e0e97e4f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json b/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json index 6ed4b532b0..5f2881349a 100644 --- a/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json +++ b/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfd53d44-0479-4c60-a8b7-663164907f80", + "id": "bundle--b3db7359-0671-4599-971d-aca6118c5251", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json b/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json index 2a520fddaf..09b4e9a11c 100644 --- a/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json +++ b/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8168b883-fbd8-4a75-aa76-14100776e7dd", + "id": "bundle--58c8b3ba-5126-4d98-86d6-ff3f41ca3264", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json b/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json index 8c5ab48230..f135d45fd8 100644 --- a/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json +++ b/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1fe87eba-b50d-46b9-a5e9-89aa6022f349", + "id": "bundle--9cb2d59f-1a5b-41f7-8551-d7911f493ee7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json b/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json index 05858655d2..09538e1813 100644 --- a/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json +++ b/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c760b01d-fba6-4901-adb7-5b3ef94d9857", + "id": "bundle--3ba893e0-9a94-4ea6-8619-a4354b8ec820", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json b/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json index ad75b0520f..5b90342539 100644 --- a/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json +++ b/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--295d728b-a444-47ba-bf18-4129e689a72f", + "id": "bundle--249af74a-7273-4a62-8c3d-2512bced4399", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json b/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json index 6f9f7cd6ab..0de1c56321 100644 --- a/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json +++ b/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35ce541d-1f4f-40e6-8e84-02671b7eb267", + "id": "bundle--2499db98-b8dc-4c4e-b2eb-8eb11516383b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json b/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json deleted file mode 100644 index 80fb861e7d..0000000000 --- a/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--13fc4125-b0d6-4bee-8135-be036f575a9c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090", - "created": "2023-03-20T18:58:30.773Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:03.724Z", - "description": "On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b.json b/mobile-attack/relationship/relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b.json new file mode 100644 index 0000000000..abca0d34c2 --- /dev/null +++ b/mobile-attack/relationship/relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--7c08d7d9-e89e-43f4-af39-430acc2f4eff",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b",
+ "created": "2025-09-18T14:41:56.525Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:41:56.525Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected the device\u2019s last known location.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json b/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json
index 13e529ed95..a9f8e24216 100644
--- a/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json
+++ b/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1b5dda66-06d2-4fdf-a371-fdd4913a3e76",
+ "id": "bundle--2c30603c-1c63-40ba-aa7b-e2e1410954a2",
 "spec_version": "2.0",
 "objects": [
 {
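Review bot: The `description` string in the new relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b.json ends with a stray space after the citation marker, just before the closing quote. Consumers that compare or render relationship descriptions will carry that whitespace along, so the line should end `(Citation: ZimperiumGupta_RatMilad_Oct2022)",`. The citation name does match the single `source_name` in `external_references`, so the reference itself resolves.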
diff --git a/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json b/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json index 7cc9d99e7d..35365c5415 100644 --- a/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json +++ b/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c11d34a8-f169-4364-bc40-66baa974d6c8", + "id": "bundle--60f0abf2-6363-4c27-8b08-4ba28ce502ea", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json b/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json index ff96fff860..5dc6384054 100644 --- a/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json +++ b/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d82a078-175d-42ba-a4d8-54a9549c0e4e", + "id": "bundle--15d03357-95ad-45a8-b77a-7a486fcb465e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json b/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json index 4a9a70cd9a..90b4de59c0 100644 --- a/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json +++ b/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f065576-a66e-4dc5-9eb6-2c5daab71b49", + "id": "bundle--c7fb4353-cdca-4d3a-a194-d5a545958b50", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json b/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json index 2e209e289a..a3693123d4 100644 
--- a/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json +++ b/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bf5ae05-771e-46d8-95f7-2e181b551dbc", + "id": "bundle--7c137dd1-2d07-4470-ab81-ff725fa40e10", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json b/mobile-attack/relationship/relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f.json similarity index 53% rename from mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json rename to mobile-attack/relationship/relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f.json index 7d3ee90933..14beb0c6aa 100644 --- a/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json +++ b/mobile-attack/relationship/relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--47e0dccb-277c-4fc2-a342-993f2aaa2e0f",
+ "id": "bundle--cc02c075-7403-43e3-8846-64998dc1f8aa",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--8c7598a6-6046-491d-99a7-52c31974a9a9",
- "created": "2023-03-20T18:57:40.504Z",
+ "id": "relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:05.426Z",
- "description": "Application vetting services could look for misuse of dynamic libraries.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6",
 "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json b/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json
index ca4a869308..00ee8c612e 100644
--- a/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json
+++ b/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8d43a4ea-4afe-4952-9a01-09295ee1eee8",
+ "id": "bundle--75ff049e-f5a1-4273-924c-a3f13a2c4dc4",
 "spec_version": "2.0",
 "objects": [
 {
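Review bot: The new `detects` relationship relationship--8c5b7bb2-e431-4dcd-a27c-ea9101086a9f has `"description": ""` and drops the `"revoked": false,` field that the object it replaces carried and that the relationship added in relationship--8b9c56b9-0807-4ce7-ad81-428aaf0e925b.json still sets. Git reports this as a 53% rename, but the STIX id, the `created` timestamp and the `source_ref` all change, so it is a new object and relationship--8c7598a6-6046-491d-99a7-52c31974a9a9 disappears without being marked revoked or deprecated; consumers that pin the old id will find nothing. I would keep `"revoked": false,` after `created_by_ref` for consistency. The detection text should either be carried over or be confirmed to live on the referenced `x-mitre-detection-strategy` object, which is presumably the intent but is not visible in this hunk.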
diff --git a/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json b/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json index 4ed44f5452..9ae9cc3e20 100644 --- a/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json +++ b/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0bcfddd-dd3e-4051-b94d-dbc0ad05e800", + "id": "bundle--8d4efd9d-988d-46b7-9e56-c413d2bc49e3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json b/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json index 85b7b4ce2a..67118c0114 100644 --- a/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json +++ b/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--596cc3d0-0a01-4ab7-b6eb-812a9ea51d55", + "id": "bundle--6f08aab1-700b-4b75-b7ef-567c0b812723", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json b/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json index 778951ac11..802f061e0b 100644 --- a/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json +++ b/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dae68f0c-ba27-45df-afd8-b886c339e519", + "id": "bundle--1d5cdea1-9e52-4e2d-97ff-12daf5040c3e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json b/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json index bf11aef107..056d750780 100644 
--- a/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json +++ b/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f24910f2-bef2-4883-9e67-7e509431a29a", + "id": "bundle--64e940f2-6966-4b31-9d99-5881bb146d18", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json b/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json index 5b69c83ca2..0ae639c19f 100644 --- a/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json +++ b/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fb70b01-613d-4815-bca1-0961f80fef3e", + "id": "bundle--af47dfa8-f883-4449-9e05-954cf1912200", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json b/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json index b1bcfbd11f..787c0dd9e4 100644 --- a/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json +++ b/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d4a8966-c508-4645-b760-c35f52003a71", + "id": "bundle--36ecca7a-9ed2-42be-9762-2cd0c06d6e00", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json b/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json index 66a3bdb928..910b71d03a 100644 --- a/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json +++ b/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8031b45b-ce2b-4d9d-908e-bca214f38993", + "id": "bundle--ce241461-6093-40ad-94fb-d200a8659655", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json b/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json index d86c789cdf..1944e177b4 100644 --- a/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json +++ b/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef487444-07b8-42b5-82be-8f59b7e1e12d", + "id": "bundle--e00a706c-037e-4fa3-9101-0829d53eb3e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json b/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json index 059d06679a..323e028793 100644 --- a/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json +++ b/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--370119d9-5a99-4d0c-b222-daa58943cb06", + "id": "bundle--7bc140c2-a277-4e3a-8346-af3699f4e490", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json b/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json index b17bdf8254..de51bcb07e 100644 --- a/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json +++ b/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98eb17a7-edee-4b5f-a344-c80de877ab41", + "id": "bundle--297253bc-92e2-4468-8400-2e3c752b3e02", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json b/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json index 6784ed95e9..063091b561 100644 --- a/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json +++ b/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e744634b-ffdb-42d4-9028-b1859315c4b1", + "id": "bundle--b24e741c-559b-4021-a27d-4ac9c4215264", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json b/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json index d61eb396e7..403f50a1ee 100644 --- a/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json +++ b/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab7b322c-146b-456e-8ae1-dc9f4f9f0a5d", + "id": "bundle--8f3341c7-782f-4f58-b17b-f3d29aec7f86", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json b/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json index dc4cc4dcbe..99356fee72 100644 --- a/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json +++ b/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a8e2859-38e6-458a-8f05-0759a595a733", + "id": "bundle--3a3f21ce-e68e-409b-9529-9ae8c6ac15d0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699.json b/mobile-attack/relationship/relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699.json new file mode 100644 index 0000000000..cba6de7ad1 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a0711540-be3f-4054-a5d6-805a62f30eb3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8f15a917-d5e6-4ce3-ab3f-9fe72311f699", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json b/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json index 5db019a2b1..dd83b9d69a 100644 --- a/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json +++ b/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d270755-f27f-4316-9edd-2b09c91556aa", + "id": "bundle--f0eeac8b-fee8-46b0-99e7-fdf6c75c497d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json b/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json index 265bac81d9..6dfec12082 100644 --- a/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json +++ b/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json 
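Review bot: The new `detects` relationship relationship--8f15a917 ships `"description": ""`, so a consumer that renders relationship descriptions as detection guidance gets an empty string and has to resolve `source_ref` to the `x-mitre-detection-strategy` object instead. If the empty value is intentional, omitting the key would make that explicit; otherwise a one-line summary belongs here. The object also has no `revoked` key, while the other relationships added in this diff (relationship--8f478d97, relationship--904221c2) carry `"revoked": false,`. Adding that line after `created_by_ref` would keep the shape uniform. Both points also apply to relationship--918b985b, relationship--920be05e and relationship--930c3a54.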
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97c9d781-b369-43c9-965d-ac952c21a785", + "id": "bundle--823b778d-23af-48d1-be26-28cf5c800cdf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json b/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json index 71fbe39554..d4750fde3a 100644 --- a/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json +++ b/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f86c852-c2ba-4a21-9c03-693464c540b7", + "id": "bundle--88c298d3-76e1-46c4-b214-6abe36547ee4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7.json b/mobile-attack/relationship/relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7.json new file mode 100644 index 0000000000..99d721fa48 --- /dev/null +++ b/mobile-attack/relationship/relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7.json 
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--c772d139-b94c-4073-9649-ee2109b879e9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8f478d97-f163-4476-b5b6-c2ff4b6389a7",
+ "created": "2025-05-19T18:25:30.412Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-05-19T18:25:30.412Z",
+ "description": "For Android devices, users should be advised to enable Google Play Protect, which checks the device itself and the applications for malicious behavior. For iOS devices, users who are concerned about being targeted should consider enabling Lockdown Mode, which provides extreme protection of the device as well as data stored and transmitted. \nIn general, users should be advised against scanning QR codes and/or clicking on suspicious links or text messages, which may masquerade as device-linking instructions by Signal or WhatsApp.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
+ "target_ref": "attack-pattern--a126c117-54e4-4b93-9e4f-72cc964e6760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json b/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json
index 66a1081c4c..39d3a6f9a4 100644
--- a/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json
+++ b/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json
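Review bot: The `description` of relationship--8f478d97 separates its two paragraphs with a space and a single `\n` and then ends in a stray `\n`, whereas the attack-pattern description earlier in this diff uses `\n\n` between paragraphs. A Markdown renderer will typically fold a single newline into the preceding paragraph, so the QR-code and suspicious-link advice runs into the Lockdown Mode sentence. Writing `transmitted.\n\nIn general,` and closing the string at `WhatsApp."` would fix it. The `description` of relationship--904221c2 similarly ends with a space after the citation.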
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1f81fba-faf7-4f65-8f26-2d9716687253", + "id": "bundle--251f2114-9159-4d4f-8407-c8f9b2592734", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json b/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json index 770a1a84de..6268b22064 100644 --- a/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json +++ b/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fbb54e70-f55e-4161-a7a5-84c96564836a", + "id": "bundle--af7ef91a-ef29-4d9b-84a1-12824b26bb16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json b/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json index 83f215a33c..b5d1f67e0b 100644 --- a/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json +++ b/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6b1f081-6e9f-4c8e-8595-995c491eb029", + "id": "bundle--a7abd591-66d8-4d7c-920f-13ae37de4a25", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json b/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json index cac9a16d53..5c36b32c04 100644 --- a/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json +++ b/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3585cde2-945b-4d88-8b07-18eacc27229a", + "id": "bundle--b4c698e4-1d35-4597-aade-6c779c0c86af", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json b/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json index 41dbe5a923..457019255f 100644 --- a/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json +++ b/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--199f70e8-5e0c-4399-a92f-66880d808352", + "id": "bundle--13e5d64f-14b2-4a2e-9afc-e04ff0af9943", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json b/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json index 71f1de2737..2c0236ce58 100644 --- a/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json +++ b/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c609a592-2c67-40b7-890a-14d40fdfa8ec", + "id": "bundle--e86a81da-fe28-4651-9060-5cdd9f4ff150", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json b/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json index dd22907e52..7183cf7d4c 100644 --- a/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json +++ b/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35cd407a-a57e-4ad1-ae5b-6f3d6252149f", + "id": "bundle--809a4f8e-1498-4b8d-a2c0-eefca09b7e23", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--904221c2-2486-4e0b-905f-5327ee299097.json b/mobile-attack/relationship/relationship--904221c2-2486-4e0b-905f-5327ee299097.json new file mode 100644 index 0000000000..499cf0c4be --- /dev/null 
+++ b/mobile-attack/relationship/relationship--904221c2-2486-4e0b-905f-5327ee299097.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--0bf0a31e-4a64-4c6e-bd9c-e8555c8d9d3e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--904221c2-2486-4e0b-905f-5327ee299097",
+ "created": "2025-09-18T14:39:57.218Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:39:57.218Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as model, brand, buildId, Android version and manufacturer.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json b/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json
index 24c4538b74..eb1d34386b 100644
--- a/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json
+++ b/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4afbea3-b60f-43d1-ab9d-ed542240e12c", + "id": "bundle--9c7b8c3b-64e5-4a08-ac39-4f9d2aa58bec", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json b/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json index a1dfb5370b..669ea0f3a7 100644 --- a/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json +++ b/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0aed479-270c-4f95-90db-f05927bc239a", + "id": "bundle--3a29a338-ee43-4a4d-bd93-5aa8b69e0fab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json b/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json index ad7ff6bac6..a743053cd7 100644 --- a/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json +++ b/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15aca92f-c604-4251-a3f4-ec08fe5e139c", + "id": "bundle--f856eba8-c4f2-4872-9e57-1c90be0fd06c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json b/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json index 2767813b7f..ebaa3c62a1 100644 --- a/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json +++ b/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef5c34a8-568e-4f64-b6b8-4ca7605e1f62", + "id": "bundle--94a02392-c006-4f32-8536-2fa6fb6ca9f3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json b/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json index 8ff31b0bd6..bbe84d6e97 100644 --- a/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json +++ b/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30ea752c-6811-45f1-ad49-270cdaf2d452", + "id": "bundle--5790e44a-26aa-49b9-a157-e35efca24915", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json b/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json index dc57a9041a..1cc2048663 100644 --- a/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json +++ b/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aeb07341-f1e9-48f3-b3ae-b5110d782575", + "id": "bundle--4b1ce32e-d925-4f59-816f-97d39851fede", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json b/mobile-attack/relationship/relationship--918b985b-8731-4fc6-a505-4e070e7fca3b.json similarity index 53% rename from mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json rename to mobile-attack/relationship/relationship--918b985b-8731-4fc6-a505-4e070e7fca3b.json index 0446040d54..25330cdfd0 100644 --- a/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json +++ b/mobile-attack/relationship/relationship--918b985b-8731-4fc6-a505-4e070e7fca3b.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--bf42cb85-e0da-4df8-a3c5-3e6f91498993", + "id": "bundle--344fc1bd-3e46-4f4c-8fa3-b09c2958494a", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--8c034c66-18ad-4b30-9f17-ed574c10918f", - "created": "2023-03-20T18:56:20.203Z", + "id": "relationship--918b985b-8731-4fc6-a505-4e070e7fca3b", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:04.534Z", - "description": "The user can view permissions granted to an application in device settings. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json b/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json index d66eb65673..17339b8c20 100644 --- a/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json +++ b/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e429dd4d-877c-422a-9175-5131c9f26f4a", + "id": "bundle--4e9224d1-faa2-4226-ae26-66f8434adb31", "spec_version": "2.0", "objects": [ { 
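Review bot: relationship--8c034c66 disappears from the collection without a tombstone. Git reports a 53% rename, but `id` and `created` both change and `source_ref` moves from an `x-mitre-data-component` to an `x-mitre-detection-strategy`, so this is one STIX object replaced by another. A store that upserts by `id` would presumably keep the old data-component relationship alongside the new one unless it also prunes objects missing from the release. Keeping the old file with `"x_mitre_deprecated": true` (or `"revoked": true`) would let such consumers retire it explicitly. The removed guidance "The user can view permissions granted to an application in device settings." is not carried over to the new object. The same pattern appears in the relationship--a585e2dd to relationship--930c3a54 rename and in the deletion of relationship--91a4924f.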
diff --git a/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json b/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json deleted file mode 100644 index 4572ce11c5..0000000000 --- a/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7b5df2b8-fb67-476a-aa0b-158eb5afb381", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--91a4924f-2519-4662-91f2-b7ef715a459f", - "created": "2023-03-20T18:59:55.756Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Samsung Knox Mobile Threat Defense", - "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", - "url": "https://partner.samsungknox.com/mtd" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:12.427Z", - "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json b/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json index 0a949b92b6..b8f362d355 100644 --- a/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json 
+++ b/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cd7fab6-7f83-4dd8-b464-5eb7ae8e1c43", + "id": "bundle--25ca7caa-e17a-47b6-a1e5-29847319b5a3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json b/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json index 6578d29d5e..07089e2764 100644 --- a/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json +++ b/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ecdd808-557f-4dca-845d-fd3b9b4eddb7", + "id": "bundle--ffafb6da-7a89-414c-86e6-190672aee4a0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json b/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json index 317a1f46d0..88c92b6f4e 100644 --- a/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json +++ b/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--647756d9-f223-4749-8c60-46620ba40c5f", + "id": "bundle--ce2a9c7f-4af9-4c4d-bf22-2b023a9a8c68", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7.json b/mobile-attack/relationship/relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7.json new file mode 100644 index 0000000000..a30880c674 --- /dev/null +++ b/mobile-attack/relationship/relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--eb2798ee-fbc9-48c0-a3ae-d7ffed3ecdb8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--920be05e-3d07-4e69-b28d-d8669cf43fd7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json b/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json index c47edcd038..dc7cc95efd 100644 --- a/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json +++ b/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f75f2c80-6771-4c33-81d5-ff3de67e24c5", + "id": "bundle--a96c95e6-f4e1-4dbe-b849-29ecfbc071df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json b/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json index 0bbbb50722..0deb79b88e 100644 --- a/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json +++ b/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1eb2903-c875-4bb2-9916-26f798ca8993", + "id": "bundle--ffa67783-ad84-4832-b5a0-30ca3663dd46", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json b/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json index 8c4d00a619..194e62cdb8 100644 --- a/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json +++ b/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb9b29ea-97d7-450b-9fc2-93ec7b5d74ea", + "id": "bundle--5b3c854a-59b9-4c62-aa17-506421a48204", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json b/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json index 585fac00a0..17d94ded8e 100644 --- a/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json +++ b/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59b9d36b-fbcc-4b7c-a0c2-e8da360b9e50", + "id": "bundle--10ccb769-de1b-45d3-9e2b-95024d45fd34", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json b/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json index c22b5d75fa..d56ab1b9da 100644 --- a/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json +++ b/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6d6ce68-9ed1-4f39-8b44-1140e1b9939e", + "id": "bundle--4e860dcd-b712-4c30-ada2-7394c39fa3d4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json b/mobile-attack/relationship/relationship--930c3a54-e728-41e8-8f5b-6dd3408de343.json similarity index 52% rename from mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json rename to mobile-attack/relationship/relationship--930c3a54-e728-41e8-8f5b-6dd3408de343.json index 2a13c77f6b..3f6328de37 100644 --- a/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json +++ b/mobile-attack/relationship/relationship--930c3a54-e728-41e8-8f5b-6dd3408de343.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--f49cfd94-1675-4cad-b7d9-56114928c3a5", + "id": "bundle--26a74107-173c-4b5f-a8e8-c924d21f79d8", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e", - "created": "2023-12-05T22:15:36.939Z", + "id": "relationship--930c3a54-e728-41e8-8f5b-6dd3408de343", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:40.639Z", - "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "source_ref": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json b/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json index 15718970be..565a86be44 100644 --- a/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json +++ b/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8116b2f3-367b-4357-9630-6b01dde76d87", + "id": "bundle--bbff5197-5920-4c45-b3c1-150c6f0ee304", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json b/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json index 8e9e725572..60a344480b 100644 --- a/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json +++ b/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c28e617-1afc-4e67-9660-11c01660ea5b", + "id": "bundle--dca3343c-00de-4b3c-b6b1-2293b84f3a05", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json b/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json index 56ecd5bd7b..85de8bde15 100644 --- a/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json +++ b/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb10e91f-d348-49c5-b43f-f9430f3a37d6", + "id": "bundle--d737d85e-57ec-4d00-84de-1f327834a698", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json b/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json index 8477f6e41b..e32bea6029 100644 
--- a/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json +++ b/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f420a57-2722-457c-b89b-d1fbbdd00950", + "id": "bundle--9fd5a55c-d613-41d8-b67e-0331a5069b75", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json b/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json index 3bb39bfed8..bc8e6faa36 100644 --- a/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json +++ b/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f639c244-6fe6-43cd-9be7-711771303084", + "id": "bundle--3db2ae29-fa06-4edb-b4de-3176bc98e57a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json b/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json index a944a6dc45..407aab16a9 100644 --- a/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json +++ b/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65dc4fe1-a20c-4682-8d5c-1e310bd3656e", + "id": "bundle--d62976ce-12ac-4cec-a976-4400363de3ab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json b/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json index 69f83daf1c..a383c4a2f7 100644 --- a/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json +++ b/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--713e0138-84e7-434e-95f6-2e81c7d7d6ae", + "id": "bundle--b28114a1-54a5-4c40-b8b5-72e01ba8f8d4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json b/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json index a00fadca05..a4112faa93 100644 --- a/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json +++ b/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--960f1b87-a17e-4b9a-bfc0-270364074389", + "id": "bundle--72023579-283d-480d-8cec-004b8202dc3e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json b/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json index 8919c1c0de..bff03c08b4 100644 --- a/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json +++ b/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af6be2c7-83f0-40e6-854e-03897cd0ae2f", + "id": "bundle--e725fa8b-d749-4c97-8c9a-80d0a15f38cd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json b/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json index c2caf5a94f..4e9bd78f8d 100644 --- a/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json +++ b/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32b2045a-cead-41e5-8131-02e0443a03d7", + "id": "bundle--fe74edb5-7202-42f5-a70d-17c3cdf312a2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json b/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json index 9e17baaf6c..080ccc340e 100644 --- a/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json +++ b/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8ea55f5-d70f-4962-9587-367fa8af5762", + "id": "bundle--180b62fd-6e5f-47d6-9546-5bf34e2ac91c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json b/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json index b9b1601ccf..ce8f37b725 100644 --- a/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json +++ b/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70fb15da-ff8d-4613-a505-063e115d1f84", + "id": "bundle--b06f2bea-086b-48b3-8d32-2dc5fa20b166", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json b/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json index faab132ba6..1bef89b344 100644 --- a/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json +++ b/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--005e902e-977e-4f6b-8fb2-eb0188ab8196", + "id": "bundle--59221d59-8f78-424e-8a6c-3c285d5699d0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json b/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json index db25034eb9..7dceca2f34 100644 
--- a/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json +++ b/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ce2fbcd-b696-4e51-9fbb-60578664183c", + "id": "bundle--7c4a3a54-4e51-4f14-94d4-588854fc72e3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json b/mobile-attack/relationship/relationship--947abdad-2978-420e-abb5-8c8cf30fb291.json similarity index 51% rename from mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json rename to mobile-attack/relationship/relationship--947abdad-2978-420e-abb5-8c8cf30fb291.json index 690a0f5633..fb0dd054b0 100644 --- a/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json +++ b/mobile-attack/relationship/relationship--947abdad-2978-420e-abb5-8c8cf30fb291.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--247b72a0-1c64-40fb-86be-406ea77c8b13",
+ "id": "bundle--2332c6d8-5c60-4a59-b54d-04c6ede62450",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62",
- "created": "2023-03-20T18:57:14.194Z",
+ "id": "relationship--947abdad-2978-420e-abb5-8c8cf30fb291",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:45.216Z",
- "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "source_ref": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3",
 "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json b/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
index 3b532877f9..d5335f5681 100644
--- a/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
+++ b/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6e67b0f2-2eb1-49cd-aab8-27a9b96a5fbf",
+ "id": "bundle--bf0f7bc7-230f-4bae-af03-db624531c641",
 "spec_version": "2.0",
 "objects": [
 {
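Review bot: The replacement `detects` relationship is written with `"description": ""`, so the detection guidance held by the removed object ("Enterprises may be able to detect anomalous traffic originating from mobile devices…") is no longer on the relationship. Tooling that displays the relationship description for detections would presumably show nothing unless it resolves the new `x-mitre-detection-strategy--…` source object. The object also gets a fresh `id` and `created` value instead of a new version of `relationship--7de1af68-…`, so the old ID leaves the collection without a revoked tombstone. Consumers keyed on relationship IDs may need to handle that as a deletion. The new object also drops `revoked`, while the new `uses` relationships in this change set carry `"revoked": false,`; adding that line would keep the objects uniform. The same pattern appears in relationship--97ecb268-…, relationship--982ca7e3-… and relationship--98f16b87-….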
diff --git a/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json b/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json index 68dd15fdd7..5b2023862b 100644 --- a/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json +++ b/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af358903-3b03-4abc-8685-2767fa33af6c", + "id": "bundle--ae788a2b-d98a-4719-9ced-e43238061e37", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json b/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json index 7895b73c5a..12107b42e5 100644 --- a/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json +++ b/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23bd5b9f-d1c4-4073-b87a-7aca641e05c8", + "id": "bundle--7cc008b3-fb35-4366-8f9e-66ab75b5910a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json b/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json index 0f347811c3..181b48bc24 100644 --- a/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json +++ b/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--854d2674-54ec-4dbc-8b0f-75715f88b0ee", + "id": "bundle--7f8ee7b6-e683-4763-aff1-8f5bee7071ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json b/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json index f468431480..9e894ce871 100644 
--- a/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json +++ b/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e9b53e3-46a4-4ce6-a150-2b9c269dd416", + "id": "bundle--f1066afc-eab3-474a-a3e5-afb488b279cd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd.json b/mobile-attack/relationship/relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd.json new file mode 100644 index 0000000000..740424e728 --- /dev/null +++ b/mobile-attack/relationship/relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--070854a7-578d-4563-8140-8bf5b188767a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--9565144c-46b3-4b15-96ba-21cc0dc6d7fd",
+ "created": "2025-10-08T14:38:02.412Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:38:02.412Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: Lookout_DCHSpy_July2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json b/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
index b2a41a098d..4476e34edf 100644
--- a/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
+++ b/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
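Review bot: The citation text in the `external_references` entry has a stray space before the full stop (`Israel-Iran Conflict . Retrieved`), and the `url` slug reads `dchsy` where the title and `source_name` say DCHSpy, so the link is worth confirming against the published article. The corrected citation would end `… During Israel-Iran Conflict. Retrieved September 19, 2025.` The same reference is repeated verbatim in relationship--974e07a2-…, whose `description` also ends with a trailing space after `(Citation: Lookout_DCHSpy_July2025)`; that string should close directly after the citation marker.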
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b4ad9c1-95dd-49fb-95af-1eb6d89b1934", + "id": "bundle--9c4b7599-1efa-425e-810b-c3de6a06a24c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json b/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json index 86b309f61d..6d49490a89 100644 --- a/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json +++ b/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cd79acd-a590-4064-8715-3d6436d633e8", + "id": "bundle--cd1ecc98-8839-45b2-b869-225b956d67a5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json b/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json index 15a9d53f4d..a1c1825b97 100644 --- a/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json +++ b/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9df63d85-7f8c-4368-9652-ad246bc99c5b", + "id": "bundle--f06e2f07-277e-4a6d-9708-03c2b186181c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json b/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json index 2da1e01182..a6671c12c3 100644 --- a/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json +++ b/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5e0d082-e7db-40df-96ef-c25dbf15c777", + "id": "bundle--6ea5a93d-a263-42c9-9525-bfb0bc0bf712", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json b/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json index 3b4c818331..cb2b2debb8 100644 --- a/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json +++ b/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--601785ff-35da-42ac-8ab8-5d4f0dac15ac", + "id": "bundle--4e3d11cd-2187-4a24-91ff-a60ba3c27a88", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json b/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json index 1bcd655948..5f4c42d557 100644 --- a/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json +++ b/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--acf280ff-b185-4c08-b195-25024444520a", + "id": "bundle--cf3bba19-00fa-4a4c-8c38-a887a1b4013b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json b/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json index 70a594bafe..56919dc0fb 100644 --- a/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json +++ b/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8de15f6a-e184-4239-a3f3-56be82c0e882", + "id": "bundle--318e517f-d488-45ca-ba26-624a5d343cb8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json b/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json index 3ab0f61e14..68ade2be01 100644 
--- a/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json +++ b/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--154695aa-afb8-494d-a277-33db4b5fe1a6", + "id": "bundle--dd3d0eb6-9787-4fe4-90c3-29f8124bd1de", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json b/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json index 5c8596bd2f..1eb91c762b 100644 --- a/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json +++ b/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d29a38be-b466-42f3-b94a-fcd79474692d", + "id": "bundle--35583588-5ed3-4b69-8c91-213ead64b226", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json b/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json index 897c565775..ce57c348ca 100644 --- a/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json +++ b/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f346749-f1a0-4fd0-b21a-fb38d58c414d", + "id": "bundle--9dbafc70-ec3a-4940-8ebd-4a97e9741083", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json b/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json index 4c5f4357ad..0c237b767b 100644 --- a/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json +++ b/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31275a6b-865e-4fa0-bc82-a108f5b24d04", + "id": "bundle--f7cef7dc-3aca-4830-8004-0880a2503819", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json b/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json deleted file mode 100644 index 2c72922a9d..0000000000 --- a/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--d1c6900f-c1c6-4a8a-8c44-cafad3060cc4", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--97408547-bacd-4308-a8be-556e9ff04951", - "created": "2023-03-20T18:55:23.628Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:20.364Z", - "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json b/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json index 986c6dd295..8b31ea6478 100644 --- a/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json +++ b/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--124eb639-e9de-4233-afb9-a769055b3dbc", + "id": "bundle--c5502bd3-1d86-4861-9011-671656d1b272", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--974e07a2-1156-451e-b4f6-f9e77352fece.json b/mobile-attack/relationship/relationship--974e07a2-1156-451e-b4f6-f9e77352fece.json new file mode 100644 index 0000000000..fe629a2230 --- /dev/null +++ b/mobile-attack/relationship/relationship--974e07a2-1156-451e-b4f6-f9e77352fece.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--8c189573-876b-4d78-84d1-c64b503432cb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--974e07a2-1156-451e-b4f6-f9e77352fece",
+ "created": "2025-10-08T14:42:56.875Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:42:56.875Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has uploaded collected data to a Secure File Transfer Protocol (SFTP) server.(Citation: Lookout_DCHSpy_July2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json b/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json
index 761f9a9775..4b721229a0 100644
--- a/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json
+++ b/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf06dc4e-fb9d-44fb-b22a-790468e89aa8",
+ "id": "bundle--eca72fff-868a-4c74-94fa-752a095bde25",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b.json b/mobile-attack/relationship/relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b.json
new file mode 100644
index 0000000000..223f432e63
--- /dev/null
+++ b/mobile-attack/relationship/relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--d63a0ed1-066d-4b0a-a6a7-9e6bf48cb3fe",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--97ecb268-d1cd-48b2-a50e-9d7eac38602b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f",
+ "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json b/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json
index 6a05a63350..4d382ef9ae 100644
--- a/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json
+++ b/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b00d3f2e-5ba5-4d1e-97fc-5d89e83bcffa",
+ "id": "bundle--e5927375-30f9-4b9d-890c-b8c2cdc5a027",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json b/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json index 7867b30baa..0dd2f13039 100644 --- a/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json +++ b/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34e55944-2ff3-4c49-8e0b-4840bd486aa9", + "id": "bundle--4a2fb035-1f2e-4669-bb99-242c0caadc90", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json b/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json index 0c2c4ea41a..32eca34187 100644 --- a/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json +++ b/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cbfd4c2f-e656-4f5b-b4b1-ec57ac4089c1", + "id": "bundle--b5441859-7a51-400a-acb7-b7ce7da6d9b4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json b/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json index cf20850477..582b76edf7 100644 --- a/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json +++ b/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f05dda68-dead-4d48-aabf-64b66555149c", + "id": "bundle--f7d6f46e-d291-4dca-b9da-863513611892", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json b/mobile-attack/relationship/relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52.json
similarity index 51%
rename from mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json
rename to mobile-attack/relationship/relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52.json
index cdf203ed24..d74d788192 100644
--- a/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json
+++ b/mobile-attack/relationship/relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--fde15d3a-7b21-4d03-9692-29f90bc01e5f",
+ "id": "bundle--cfd92beb-d6b9-4049-86fe-ad16b45dd0f4",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--e928c0ce-2b98-4af5-a990-f690f4306681",
- "created": "2023-03-20T18:43:46.070Z",
+ "id": "relationship--982ca7e3-e5bd-4b06-8cf9-54435ef74f52",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:52:17.470Z",
- "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "source_ref": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb",
 "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json b/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json index 39a32874c6..6ebe427e8a 100644 --- a/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json +++ b/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7e9cab1-04a5-4d9b-b1bb-a486012f3456", + "id": "bundle--49f44512-96c4-4415-9a1f-cb295e13eaac", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json b/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json index d7649f8157..aea9736c78 100644 --- a/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json +++ b/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8486ae84-d740-41a5-aa49-5e31d2303fd5", + "id": "bundle--5a849a86-ff80-4934-98e9-e4b132cb8d7f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json b/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json index f8fdf1ffbd..db91098f77 100644 --- a/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json +++ b/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13832387-9346-4e8c-9e43-79bd91406bda", + "id": "bundle--6f05acca-76d5-4182-ae85-2bda19d6268a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json b/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json index cb52105e0e..e9ec5c10e4 100644 
--- a/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json +++ b/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2eb4d77-6c5e-4b63-a7fa-a59e1417586c", + "id": "bundle--2fe02d53-0cd6-47f1-9ca1-63b00eaf2ee7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json b/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json index 6cb8f466d7..8e7f297d4d 100644 --- a/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json +++ b/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f04e9b99-c00d-41e7-9077-5ac2664ac3f9", + "id": "bundle--29cdf8fa-7634-4e10-ab61-a0930023582d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json b/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json index a916f91eef..8d53ebbbf5 100644 --- a/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json +++ b/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--362db1c6-6b03-4922-8ac3-8eb801c8690e", + "id": "bundle--6489cb57-9c50-46d6-b158-169c28f03682", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json b/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json index e63c808b2a..adaae878c6 100644 --- a/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json +++ b/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9bd4a4c7-05c2-4039-ac03-2a46471d6cb3", + "id": "bundle--8b38463b-fa9b-494e-bf7a-3cc529496f29", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json b/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json index 89202855c5..f5165ab62f 100644 --- a/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json +++ b/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d6886aa-0da1-4ea0-9439-fd3e39b4898b", + "id": "bundle--66ad2073-c3e3-4ad8-9b3f-57a31dd3d302", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json b/mobile-attack/relationship/relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d.json similarity index 52% rename from mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json rename to mobile-attack/relationship/relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d.json index bafebc68f2..32861f5b3f 100644 --- a/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json +++ b/mobile-attack/relationship/relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--46ef291d-8520-4c3c-be57-df6248cc3eed",
+ "id": "bundle--2662786a-3fa3-48a4-b348-75fad4deb67d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f",
- "created": "2023-03-20T18:43:14.051Z",
+ "id": "relationship--98f16b87-2caf-48cc-a6fc-41554ed8bf9d",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:59.093Z",
- "description": "The user can see a list of applications that can use accessibility services in the device settings.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "source_ref": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070",
 "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json b/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json
deleted file mode 100644
index a073f51e56..0000000000
--- a/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json
+++ /dev/null
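Review bot: The rewritten `detects` relationship sets `"description": ""`, so the detection guidance the old object carried can no longer be read from the relationship itself; a consumer has to resolve `source_ref` (`x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070`), and that object is not part of this hunk. Coverage tooling that selects `detects` sources by the `x-mitre-data-component--` prefix would presumably stop matching these objects, so the new source type needs handling downstream. I would omit the `description` key rather than write an empty string as a "missing" value, and keep `"revoked": false,` the way the files added in this commit do (for example relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192). The same pattern recurs in the hunks for relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7 and relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80.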
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--d93111c0-4ef9-4a45-94d3-2a3f1896217c",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--98fb2884-c912-42ff-9c87-4fbabfa70115",
- "created": "2023-08-08T16:14:01.661Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:23.460Z",
- "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json b/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json
index 41042917c3..06f607b3df 100644
--- a/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json
+++ b/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b040fbc6-ff48-47f6-9e0e-5a6883df0b32",
+ "id": "bundle--00f7fee5-f727-4c2a-8997-f34c04472f5d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json b/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json
index b0ae6d0bf0..339de9a640 100644
--- a/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json
+++ b/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6595e8b2-dfa0-4580-933d-535f5171c70f",
+ "id": "bundle--4a3ced4e-17e2-4a8a-bce9-5e999c5546cf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json b/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json
index 3325c92555..303dddf6a1 100644
--- a/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json
+++ b/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c1c3e38b-0eb7-4592-a835-b1abd2f86f8b",
+ "id": "bundle--dc9ff781-7ae0-47c0-8067-9ebaa745b867",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json b/mobile-attack/relationship/relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7.json
similarity index 53%
rename from mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json
rename to mobile-attack/relationship/relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7.json
index 35dcfb278b..4e71f30e14 100644
--- a/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json
+++ b/mobile-attack/relationship/relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--568b7b24-5d80-4660-b327-33407e6e05ae",
+ "id": "bundle--e1d9b7fd-6cd0-45fa-8396-f29470684bff",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--3db58541-3870-424d-ad74-f2b84ff87abb",
- "created": "2023-07-14T19:06:42.839Z",
+ "id": "relationship--998f03cf-7dbe-45b4-9103-a26d5b0383c7",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:08.492Z",
- "description": "Unexpected behavior from an application could be an indicator of masquerading.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "source_ref": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203",
 "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json b/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json
index 2630045d12..ff7c0fd896 100644
--- a/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json
+++ b/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d0f0a90f-596d-449b-82e8-4bbb27d2f4be",
+ "id": "bundle--acdbcbaa-f1f8-4f4d-8782-8d5133ba0183",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json b/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json
index 69fb5f644a..cd170db570 100644
--- a/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json
+++ b/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f97f8762-1a24-4b73-984f-37eef732bcef",
+ "id": "bundle--b7d98116-601a-43a4-af3a-430627fa5ebc",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json b/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json
index d8a7d4eaf7..2ad67c1482 100644
--- a/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json
+++ b/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--94ba81fc-40e6-4338-8999-340129d27e94",
+ "id": "bundle--168c207e-2f31-4438-b095-4cdc89e84e2d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json b/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json
index da4c2a1740..f6312ec5b4 100644
--- a/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json
+++ b/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ab6eee6a-0a85-4880-a729-be49c9c7577c",
+ "id": "bundle--4cacf2f7-2249-4b83-8332-850fd776da9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json b/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json
index a357d8d402..1c9ba80bb3 100644
--- a/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json
+++ b/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8e19c7a2-3fca-4884-913a-90a0642b84ac",
+ "id": "bundle--c8c35e34-10dd-4b87-9687-67666209941c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json b/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json
index 4cfe374bc6..6705612d97 100644
--- a/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json
+++ b/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--efb8d974-1946-4bce-806d-68c62aae003f",
+ "id": "bundle--5f81bf52-b605-4a1b-9678-db5fbcb969dd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json b/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json
deleted file mode 100644
index 2e985f635a..0000000000
--- a/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--25ef4f7b-d40a-4b62-9bea-7fdf6f2bca64",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9b8b51fb-c380-4516-b109-821f015506d4",
- "created": "2023-03-20T15:40:26.994Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:25.682Z",
- "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json b/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json
index 0e890ca559..1601d3e73e 100644
--- a/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json
+++ b/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6e1caa1f-ec0f-4fbe-98b7-67205babd1b7",
+ "id": "bundle--eccf3008-d7a0-43e0-825c-853ca49323cd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json b/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json
deleted file mode 100644
index bf4b9e3f8f..0000000000
--- a/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--2d1e9baf-c952-4427-a6f7-17754c98d634",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d",
- "created": "2025-03-14T17:58:40.269Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:26.080Z",
- "description": "Application vetting services can look for applications that request permissions to Accessibility services or application overlay. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json b/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json
index ed18235e9e..944a108847 100644
--- a/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json
+++ b/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dd19c916-82f7-40ed-b9cd-901def0f153e",
+ "id": "bundle--93587eef-3378-442d-b295-998e87eb39c4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json b/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json
index 8427a810b7..cc3be1a8f1 100644
--- a/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json
+++ b/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f485da29-bf00-4e72-90dc-f9a37cb57a13",
+ "id": "bundle--54146d95-0e9d-4c45-8733-2508e2b3fb38",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json b/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json
index c557249518..afa1057089 100644
--- a/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json
+++ b/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da91b5e8-26c8-4a1a-b840-62d85793e6a9",
+ "id": "bundle--65736975-9a76-4277-9566-fa80c04e19c0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json b/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json
index 9c01f1da85..76d99851e4 100644
--- a/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json
+++ b/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--716ad05c-5536-4186-ad89-9eab28afbdf0",
+ "id": "bundle--ffc80a90-d373-44e2-91ab-4112db51cafe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json b/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
index 1068bba9ec..ee4246e082 100644
--- a/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
+++ b/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7bb55ae6-f446-4e2d-b819-9398a7bd8d6c",
+ "id": "bundle--8c7e75b7-86b9-409c-8bcb-db52996c9895",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json b/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json
index 109e65b85f..b04b9ec5a2 100644
--- a/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json
+++ b/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3408e13b-7a84-4a42-ad66-d45c36d814f4",
+ "id": "bundle--8cdb145e-b4e9-428e-ade9-49f536b752a7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json b/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json
index ded565949d..718c37b45c 100644
--- a/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json
+++ b/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b41fa2f4-8066-49d4-881a-84bb45f6a7f0",
+ "id": "bundle--4a5fe31b-959a-4dfc-896c-092d00075d9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json b/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json
deleted file mode 100644
index 6c082941c9..0000000000
--- a/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--7414773c-36f3-489c-afa0-9c21b8269890",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2",
- "created": "2023-03-20T18:50:32.580Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:27.672Z",
- "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json b/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json
deleted file mode 100644
index 56918a0830..0000000000
--- a/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--be547052-315d-4f23-9555-f70472b22ed8",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e",
- "created": "2023-03-20T18:52:52.011Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:27.872Z",
- "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
- "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json b/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json
index 5b641772e0..f5edf17316 100644
--- a/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json
+++ b/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--983bbe1c-9329-4c92-8759-c44f08e9d30d",
+ "id": "bundle--678ea4ff-072c-4960-bc84-7780eb3766f9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json b/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json
index 05479d85c8..ceaa46bbb5 100644
--- a/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json
+++ b/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3c0025a7-c282-4ead-8e9b-e0c0b9ae51be",
+ "id": "bundle--6313112d-406f-46a0-9372-a2b7f4d11a98",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json b/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json
deleted file mode 100644
index bcf4eed491..0000000000
--- a/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--ac4fe207-d139-44f2-beee-476f98af6b26",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7",
- "created": "2023-03-20T18:48:56.995Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:28.468Z",
- "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json b/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json
index 1e48eadedb..82ee9360e5 100644
--- a/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json
+++ b/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ab2165c3-3f34-4731-9ce9-a9535a4e41e9",
+ "id": "bundle--058129db-1a58-43b5-aab3-bd83385a945d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json b/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json
index ef2d33a956..f817fc7ef2 100644
--- a/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json
+++ b/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--950ae5f2-af55-4991-b380-5a5b3f3f8b92",
+ "id": "bundle--bcf6ceac-19cb-4b12-8183-06fdc208249f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json b/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json
index f1848a3436..06103b5517 100644
--- a/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json
+++ b/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b25e3a03-8192-48d6-b765-fec0bd602630",
+ "id": "bundle--f9ed5042-5a1b-4d89-86b0-ecd89ebc250c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json b/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json
index fe883a56f8..8e10d11c8e 100644
--- a/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json
+++ b/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2b2fb1fe-f03b-430b-989a-db6efc7c129c",
+ "id": "bundle--68b2338e-fdfb-4015-8c81-80a08bd2d3f0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json b/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json
index 5a4346567c..ba19e98bf2 100644
--- a/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json
+++ b/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--04d87762-09d5-4264-b75e-c9cc7964c232",
+ "id": "bundle--144f6e71-edcb-4bb8-82f0-44f01ff8753a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json b/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json
index 4add29f92b..a4f09f5e30 100644
--- a/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json
+++ b/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--227dcc41-fdbc-4682-8e79-203a76360021",
+ "id": "bundle--e4942700-ac59-4459-87d0-86ec54095d19",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json b/mobile-attack/relationship/relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80.json
similarity index 52%
rename from mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json
rename to mobile-attack/relationship/relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80.json
index ce41b3a728..f23544f1e2 100644
--- a/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json
+++ b/mobile-attack/relationship/relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--cb11a05a-70e6-4188-a57b-cc8164a30a04",
+ "id": "bundle--c031b5ce-e8dc-4bd6-b0a8-a1520250375c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa",
- "created": "2023-08-07T17:12:44.013Z",
+ "id": "relationship--9e77cf7d-41f2-41da-8bc3-491083a11d80",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:48.434Z",
- "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb",
 "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json b/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json
deleted file mode 100644
index f2760b87e6..0000000000
--- a/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a1c55b51-b927-4b22-90c4-1725d3b94b76",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--9e95ef68-0650-49eb-888f-47c211481be9",
- "created": "2023-03-20T18:51:40.217Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:29.844Z",
- "description": "Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
- "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192.json b/mobile-attack/relationship/relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192.json
new file mode 100644
index 0000000000..4fb56975fa
--- /dev/null
+++ b/mobile-attack/relationship/relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--9bf4ab6c-050d-4a7c-ac47-db47f5bebf0b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192",
+ "created": "2025-08-29T22:02:34.795Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:02:34.795Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s current cellular network information, including the phone number and the serial number.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6.json b/mobile-attack/relationship/relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6.json
new file mode 100644
index 0000000000..4ff8364f81
--- /dev/null
+++ b/mobile-attack/relationship/relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6.json
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--19810c04-b96f-4844-a982-a780d2e19da2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9f822445-67ed-41b4-ac55-a75940b5b9f6", + "created": "2025-08-29T22:10:06.592Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:10:06.592Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has utilized a timer to initiate a WebSocket connection.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json b/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json index 64a655441c..cf507d99f8 100644 --- a/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json +++ b/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6de58750-18dc-4489-a588-c0eb9494f81d", + "id": "bundle--5501b45a-9446-4be1-ae32-88407ba743e2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json b/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json index 958f369324..1babcc71ce 100644 --- a/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json +++ b/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--600ea97d-2983-412b-99b9-d58e27436f8b", + "id": "bundle--89f2026c-0e3e-4ac0-90db-e2828ec81f3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json b/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json index 13a07e4d6c..fa34fe5e0a 100644 --- a/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json +++ b/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8e7e3d3-7fe7-4642-8dc2-58403b386e22", + "id": "bundle--5b8949a4-dd68-4035-8281-484139b9b11b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json b/mobile-attack/relationship/relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3.json similarity index 53% rename from mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json rename to mobile-attack/relationship/relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3.json index bf70ccdacf..37524c4ef8 100644 --- a/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json +++ b/mobile-attack/relationship/relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--8f867112-8baa-45be-8bd0-939a613fc524", + "id": "bundle--e8d62f74-964f-4fe6-b38f-3bbc009588ad", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1", - "created": "2023-08-14T16:31:37.179Z", + "id": "relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:11.920Z", - "description": "Many properly configured firewalls may naturally block command and control traffic.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "source_ref": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json b/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json index c17e7cb4b4..429cbd4946 100644 --- a/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json +++ b/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0d0c850-ddfe-4697-b876-7701527c6993", + "id": "bundle--1fb72872-3cf1-4561-9ad5-2dccb9cfb06d", "spec_version": "2.0", "objects": [ { 
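Review bot: The re-keyed `detects` relationship `relationship--9fabea31-9394-44a5-8641-ab5bcce07bb3` ships with `"description": ""` and no `revoked` key, so the old object's sentence about firewalls blocking command and control traffic is gone and nothing on the relationship says where that guidance now lives. Other relationships added in this commit (for example `relationship--9f617f18-5b84-4fcd-a7e3-0e0d67a86192`) still emit `"revoked": false,`; I would keep that line here so consumers that read the key without a default treat both shapes alike. The new file `relationship--a1beac5f-7582-46b6-8e20-7d42797cc632.json` later in the diff has the same two gaps. The old id `relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1` is removed rather than marked revoked or deprecated, so tooling that tracks detection coverage by relationship id will presumably see it vanish without a tombstone; a release note pointing consumers at the `x-mitre-detection-strategy` object named in `source_ref` would cover that.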
diff --git a/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json b/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json deleted file mode 100644 index 4a4164a585..0000000000 --- a/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b9ddbd21-9fde-4bed-a14c-52446994b636", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--9fdc5fee-2250-4894-8333-466910023533", - "created": "2024-02-20T23:42:43.674Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:30.862Z", - "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json b/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json index 7567addebe..f3dccb0527 100644 --- a/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json +++ b/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aba4b756-f8e6-41fe-aac4-dbdca45ebe5b", + "id": "bundle--8ea4fc93-d014-4935-afcc-ea0635f00907", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json b/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json index 763a3ffcd8..e23fdf5cdd 100644 --- a/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json +++ b/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6edbd8d-63a7-4b8a-bd8d-944fb089fc21", + "id": "bundle--c41b0e05-562b-42de-a269-8a4f979822ca", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json b/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json index 3ff220093f..7194309023 100644 --- a/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json +++ b/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07993b9e-9bde-42fb-b955-410e662dbb4d", + "id": "bundle--cbec4fc2-d988-4995-a1fa-2c74b4803842", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json b/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json index 692c4c92ed..c7b4b76766 100644 --- a/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json +++ b/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--300915f4-b6e9-43cd-a081-6b5b3ee39055", + "id": "bundle--126a06e0-253f-4822-a6bf-c8fdc13df66a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json b/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json index 451b19d66a..f03879884f 100644 --- a/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json +++ b/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a32638e-c3cc-4194-b56a-56aee4b4ea56", + "id": "bundle--e2353d5c-6c16-4147-bc64-4944f7f6ae82", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json b/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json index a40bec8b07..9de983766c 100644 --- a/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json +++ b/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--136c02cd-6867-4e01-97fc-bf9592a46a9d", + "id": "bundle--63485463-35b2-4893-a2d5-0d3065c49688", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json b/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json index fafe8d3571..87794883d1 100644 --- a/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json +++ b/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84513a22-ecc9-4e52-902c-a9f75a03a559", + "id": "bundle--7d95ea50-9f8a-4b0e-b6c5-15775113abed", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json b/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json index 9d1555a199..59e438abea 100644 
--- a/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json +++ b/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21f5b3b9-bd89-48ed-80c2-36ea8a1e3a6c", + "id": "bundle--90fa7691-a193-4ebb-895e-d6f8a15f0d16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json b/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json index efa68b06a1..4ed38ba521 100644 --- a/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json +++ b/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d98a810f-e32d-47df-be37-4e65f4c8601e", + "id": "bundle--23e77a27-b491-4715-a3e1-008ed9f12132", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json b/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json index 39923bb12f..628a632f6e 100644 --- a/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json +++ b/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5fa6e6e-7d39-4f05-85e1-dc022faf0e76", + "id": "bundle--27b5eaf7-5f7a-4e5b-a0af-13a332d4ac9e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json b/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json index f9a49d7b35..7502109259 100644 --- a/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json +++ b/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe8270bc-dcd9-40be-9ac5-1197422fa45a", + "id": "bundle--70205824-9f50-4e3b-b7b7-e8399e72005f", "spec_version": "2.0", "objects": [ { @@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:33.059Z", + "modified": "2025-09-05T14:31:01.650Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", - "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json b/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json index fed05169b4..3de5e941b0 100644 --- a/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json +++ b/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb7aef18-73f7-4406-8856-21c09f372a77", + "id": "bundle--d65bec23-a635-49fa-8324-b8712c89664d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json b/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json index 4a771feec1..18baaea6ec 100644 --- a/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json +++ b/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39b81143-9f58-4cb5-b4a6-e8cf32876c1c", + "id": "bundle--21a6aef0-85af-424c-9fbf-5865e5423c00", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json b/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json index 2304e22fdf..bbf67c2cc1 100644 --- a/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json +++ b/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--041a8df2-c20e-4f43-8209-063cc28728d0", + "id": "bundle--1fba5a40-84a5-489b-ba36-807ad2f7e3ce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a1beac5f-7582-46b6-8e20-7d42797cc632.json b/mobile-attack/relationship/relationship--a1beac5f-7582-46b6-8e20-7d42797cc632.json new file mode 100644 index 0000000000..5fe331ffda --- /dev/null +++ b/mobile-attack/relationship/relationship--a1beac5f-7582-46b6-8e20-7d42797cc632.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--c673ea01-73e6-4ce8-9ba4-eda73b406f1b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a1beac5f-7582-46b6-8e20-7d42797cc632", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json b/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json index be64bf134f..f6410caa15 100644 --- a/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json +++ b/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e7f11fa-a26e-4651-89cf-862237a4d903", + "id": "bundle--05b3a796-d116-4867-808e-20d74a255de5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json b/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json index 5c309ba123..f6d5934669 100644 --- a/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json +++ b/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0d73ed7-d516-455c-a106-f072817f8b09", + "id": "bundle--65b39526-0747-40af-9c5f-5c2cdaa2783f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json b/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json index 99de513cc2..d14796f057 100644 --- a/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json +++ b/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb54609a-553b-48cf-b1af-17b676fb83c4", + "id": "bundle--d3fdb2ae-adbf-4bea-8490-a4d6768b0785", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json b/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json index 2527727cfd..85f2296f83 100644 
--- a/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json +++ b/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95663b6d-bf9a-41f5-97b1-6ad3201fc5b7", + "id": "bundle--8f7b4224-2d50-45d2-ad36-639784a09340", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json b/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json index 55168a5576..15d9029b98 100644 --- a/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json +++ b/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23639746-3d6b-4ff6-a11d-23e47a67cad1", + "id": "bundle--dfd1bfd0-7f9a-4f0e-ba77-a9d370d7ff2f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json b/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json index 8dc0f396b6..304e16f720 100644 --- a/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json +++ b/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50ced026-78fe-4f1e-b06f-1b171ef90955", + "id": "bundle--1e1c7640-1c54-4f48-b09a-c5ccc0c1c365", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json b/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json index c217e908b9..537a124511 100644 --- a/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json +++ b/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94a532f2-1ff3-4bd0-aa23-6aa86964d3c0", + "id": "bundle--84382065-bbb3-4e89-838d-2121c3e85b20", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json b/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json index 8d44a96d79..4aac66f71f 100644 --- a/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json +++ b/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2351dbb9-b97d-4290-9770-4196f24fafeb", + "id": "bundle--921f7082-ff0e-4b56-a2b6-654576b65525", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json b/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json index 997401f3f6..2ba1efddc7 100644 --- a/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json +++ b/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--053838d9-8e70-4837-9aae-297437554d18", + "id": "bundle--e7a7ec28-aef8-4719-abc6-db5d429b0de6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json b/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json index ee941099d8..536c13ddfa 100644 --- a/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json +++ b/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28de198f-6dfb-4633-9bd1-25a060797932", + "id": "bundle--dd53d354-c8e1-4a17-97ce-ded4c095f4e4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json b/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json index 937787c75d..dc58e44c0b 100644 --- a/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json +++ b/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3a58d1d-304f-4605-a6b5-80138a5c2b97", + "id": "bundle--871547ee-e7b0-4694-bc0a-5f622dfa867c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json b/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json deleted file mode 100644 index 88458890e7..0000000000 --- a/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--f7d33df4-f15d-4efe-804f-29ef704cb069", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a", - "created": "2023-03-20T18:53:52.174Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-AppLinks", - "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", - "url": "https://developer.android.com/training/app-links/index.html" - }, - { - "source_name": "IETF-OAuthNativeApps", - "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", - "url": "https://tools.ietf.org/html/rfc8252" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:36.174Z", - "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json b/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json index bc8a2007ad..703fa2cfa4 100644 --- a/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json +++ b/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4313540-a0ba-4014-8adb-a47b66fad035", + "id": "bundle--79c8e48b-12e0-4f61-9a7b-f80bd5b7ee17", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json b/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json index f629abdc69..2ee55eb82b 100644 --- a/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json +++ b/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb01191e-592d-4cfe-876f-c5d9d2c9ec4c", + "id": "bundle--89b7b5c3-fd40-4725-8b1c-3e826257df2f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json b/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json index 0dcdf8305c..5749fdf866 100644 --- a/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json +++ b/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05545212-8216-4854-a7e2-bf5a70e36091", + "id": "bundle--345061ab-4578-4e6a-b592-a1a7022a7972", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json b/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json index 39942c9ef8..b6a23796cc 100644 
--- a/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json +++ b/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ecfc513e-f718-4e08-bd21-a004a0089b34", + "id": "bundle--779be3f7-41eb-4966-9c3e-d6a48c0ec7aa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json b/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json index b8e60d580d..f4d7166653 100644 --- a/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json +++ b/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f496114-fd25-4e02-9609-e75e5184d9b9", + "id": "bundle--d2e389b1-0670-49d9-b433-519dfa36ebd6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5.json b/mobile-attack/relationship/relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5.json new file mode 100644 index 0000000000..85d1c71efc --- /dev/null +++ b/mobile-attack/relationship/relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e3e91d04-ce2b-4991-8fd8-aa3dd77c568f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a2ec4e16-8bc8-4fbf-a71d-d6356fbfc1c5", + "created": "2025-09-18T14:40:56.210Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:40:56.210Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has accessed the device\u2019s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.(Citation: ZimperiumGupta_RatMilad_Oct2022)", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json b/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json index af06568abc..a8b5d8eacf 100644 --- a/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json +++ b/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8bc7bca-7fc6-4c1d-8af6-c29ad6645f4a", + "id": "bundle--7c8e3f90-ac53-4e79-aafe-cdf1997aaecf", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json b/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json index 8e2509bac4..9d051e5599 100644 --- a/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json +++ b/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cb49469-c027-4dca-99b2-14147901e4bf", + "id": "bundle--0e9b7778-c4ed-4c2d-84e5-c7d19dece812", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json b/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json index fd9adf1de4..5d934f64bf 100644 --- a/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json +++ b/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ccc0d16-5159-49d3-ba65-c468660bd92a", + "id": "bundle--fb7c515a-3cdf-4d38-a795-3737a0d82993", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json b/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json index 88dea701a1..e1c3cd1d3c 100644 --- a/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json +++ b/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--168c0a4b-f219-4961-8bc8-a0a667ea9d94", + "id": "bundle--47c45411-2dba-4753-9689-d6aeb6b4e220", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json b/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json index 8d9ae90df0..c4b0f36a08 100644 
--- a/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json +++ b/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--89ee746a-969e-4f86-a7b1-315c3000e5ca", + "id": "bundle--e37994cc-db3f-4b90-8041-f38df04b06e6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json b/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json index 29dbf8fef5..d66bd2a401 100644 --- a/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json +++ b/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a4d0f3a-3a87-4495-831e-b323e968867c", + "id": "bundle--691fb498-5108-4d04-9d18-60137732b252", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json b/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json index 1a1af0be7c..dc0f6b8364 100644 --- a/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json +++ b/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f7c6d6f-574f-4010-9fdd-591038d42486", + "id": "bundle--7ccb2573-666d-4ae1-a138-57d7ed06ce68", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json b/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json index 9a5d9b1054..7e03445858 100644 --- a/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json +++ b/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--205dfee9-5a5c-4345-847e-3447791c558b", + "id": "bundle--d8555ce3-dab5-47fe-a37b-28c1eec00894", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json b/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json index 79f2d23dd6..ad5219e08f 100644 --- a/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json +++ b/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46146a12-2ed3-4e99-9e3a-554b0365b55e", + "id": "bundle--9ef64ca3-6500-46e6-b1f4-82f6e59e293b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json b/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json index b519ad8633..cba36e6c8d 100644 --- a/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json +++ b/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--161cbc28-6d5c-48b5-91c5-68e9fddf30b2", + "id": "bundle--789e5247-8ecd-4c3d-be91-73c5ec9c4dd9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json b/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json index 54cb570de8..f428319dc7 100644 --- a/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json +++ b/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7e6e63f-9e4a-47cf-a691-2c508e644026", + "id": "bundle--3834c0f5-5223-4e4a-b4a3-3d842c871def", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json b/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json index b43f936c3f..0b16421d09 100644 --- a/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json +++ b/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--539131da-89ab-4960-b2d7-b550a47872a6", + "id": "bundle--2de009c7-24b8-4d29-9da5-adcd8c289eab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json b/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json index 2307496ef7..93750a51ba 100644 --- a/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json +++ b/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--158f8f24-ee03-4556-bf2f-df4dadff403b", + "id": "bundle--5351e6c4-7fb2-43cf-b3e5-51090316031d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json b/mobile-attack/relationship/relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a.json similarity index 51% rename from mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json rename to mobile-attack/relationship/relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a.json index ba0bcc9287..12e85aadbc 100644 --- a/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json +++ b/mobile-attack/relationship/relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--61722464-1677-4f6f-89ce-7a5a293fdda0",
+ "id": "bundle--cc7c80c4-849d-43ac-a4af-b127fbb85b93",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2",
- "created": "2023-03-20T18:53:15.929Z",
+ "id": "relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:19.690Z",
- "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a",
 "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json b/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json
index fb44e86f10..799e93fc0a 100644
--- a/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json
+++ b/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d942ccee-4093-4032-9d04-103ceb52af63",
+ "id": "bundle--3ab0ec2a-f33b-4abe-b026-56402c996df5",
 "spec_version": "2.0",
 "objects": [
 {
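Review bot: The new `detects` relationship in relationship--a501ed56-2ae3-4dde-99db-a00ced43c05a.json carries `"description": ""`, so the vetting guidance held by the removed object ("Application vetting services could detect when applications store data insecurely…") can no longer be read from the relationship; a consumer has to resolve `source_ref` to the `x-mitre-detection-strategy` object to get any detection text. Tooling that selects detections by a `source_ref` prefix of `x-mitre-data-component--` will presumably return nothing for the target technique after this change, so such filters should key on `"relationship_type": "detects"` and accept both source types. The old id relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2 disappears without a `revoked` or `x_mitre_deprecated` marker (git pairs the two files only by 51% similarity), which is worth stating in the release notes for consumers that track objects by id. The added files relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e.json and relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5.json have the same empty description; either omit the key or populate it rather than shipping an empty string.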
diff --git a/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json b/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json index 15a342d746..d74fda42eb 100644 --- a/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json +++ b/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ebe4749f-9a07-481a-a67a-fd5f8b802136", + "id": "bundle--a1246438-cf38-4c18-921f-e74df6356e5b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json b/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json index 86ade0e56f..10dac19890 100644 --- a/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json +++ b/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c38f6ef0-0e56-40d9-be99-c19a264a0b21", + "id": "bundle--5c7dece8-8a57-4e13-9513-edc577291f79", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json b/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json deleted file mode 100644 index 4d336433e5..0000000000 --- a/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--aa77c228-897f-4191-af5d-b6b38736585c",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--a5b37f26-7629-4195-9536-12e349e5843b",
- "created": "2023-03-20T18:51:04.334Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:40.830Z",
- "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json b/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json
index c374028bfc..13f19582a7 100644
--- a/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json
+++ b/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0946f5a4-2534-41f5-a4c4-cc9e49d2fa30",
+ "id": "bundle--9a4a40b0-79a3-4712-9e53-9096e1e74d46",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json b/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json
index bac0c864da..b2a4cbbf4b 100644
--- a/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json +++ b/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8b51af0-0c9a-4907-9248-a59bdfb45395", + "id": "bundle--d7d1ce42-8cd4-47f7-90f3-93355cfb53de", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json b/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json index bb707c36b4..7b19021443 100644 --- a/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json +++ b/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1518614a-0b70-484b-8cf0-88b06fdb6d10", + "id": "bundle--4a861b9b-94b1-44c9-8eb4-c6f3be85a783", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json b/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json index 14f78f316f..58897a53d7 100644 --- a/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json +++ b/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccbe50f7-9442-4eca-a8a8-731029716ff1", + "id": "bundle--be3d1589-55da-44fc-9f42-04d0fbac75c9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json b/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json index a00c5e4165..bb240ada8c 100644 --- a/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json +++ b/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15ceaca7-540b-4fb6-956e-73aeb6a6d5b1", + "id": "bundle--020ffe0f-e8e3-44b8-8324-3423942ace16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json b/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json index 22c3eeb199..92b676f3d0 100644 --- a/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json +++ b/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2be04b4f-f9c5-4b37-85c4-7d5a70fbbd7f", + "id": "bundle--aea79808-9b4c-4f41-80b5-9ae3e2c8861c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json b/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json index 06f6154b6c..fc74a74f19 100644 --- a/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json +++ b/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b7a7540-3a4d-4a41-b798-fc1217837aee", + "id": "bundle--54841c10-852b-4aa2-9cc2-2ea429070194", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json b/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json index 453c344c47..84a9202fd7 100644 --- a/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json +++ b/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17186897-8952-4d46-9c11-8effae323363", + "id": "bundle--2e0e8322-89b5-446d-8f84-0b484e014c58", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json b/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json index 1711bb9486..3607196586 100644 --- a/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json +++ b/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f8826e4-a2d3-4f2b-a4ce-13164155c223", + "id": "bundle--d8576f0a-61a2-4168-8a72-cc5b1de8785b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json b/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json index 4e17402aad..3770813105 100644 --- a/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json +++ b/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aca42bf7-0fe5-4549-8332-9c1428995601", + "id": "bundle--c5bc60ae-a3c2-4fcb-9f31-7129a21c3b28", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json b/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json index 61e6ad2560..cce1ab46cd 100644 --- a/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json +++ b/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20e64dfb-22f4-4382-9df7-d7727501e460", + "id": "bundle--4d9ba69f-b135-4626-9dd7-4403ddc56eb3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e.json b/mobile-attack/relationship/relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e.json new file mode 100644 index 0000000000..afb082d3b3 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--4ce18bf4-22bc-4b05-a05f-7a53d5bbb135",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a7c55178-6b02-4cae-b4fb-a664ac7d528e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78",
+ "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json b/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json
index 07b94fad7f..ba3af1461d 100644
--- a/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json
+++ b/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7274c1d9-9039-4880-9903-27d44c9f584f",
+ "id": "bundle--fb40202d-7888-481a-9605-4d1bc4016591",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json b/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json
index 6de29e9f33..4ada1ec765 100644
--- a/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json
+++ b/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf5c1aac-80d7-4360-9662-e08154753757", + "id": "bundle--8f996fba-9fb7-49a9-8bc0-2da3830236fb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json b/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json index ba47586b01..50660ef6f3 100644 --- a/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json +++ b/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b4454c0-b18b-4b82-9245-7488f0c53128", + "id": "bundle--e1abe189-39c2-4be8-89e7-3dc0cae0f47f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json b/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json index 8520932318..d9f4ac1238 100644 --- a/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json +++ b/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b725929a-e6de-4a7d-acd6-402f6273b9f4", + "id": "bundle--823b0338-eb99-4233-8d2e-b3913d289142", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json b/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json index 3871d0abfe..8cc2b99152 100644 --- a/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json +++ b/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a240aaf-8b75-4f90-81cc-b53ee43ac8c1", + "id": "bundle--b232cfe5-738e-444c-a70d-313b648b20f2", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json b/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json index 0260f1b149..efe5c87012 100644 --- a/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json +++ b/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1f362a4-9a65-41a2-a5f6-c353b2e75fc0", + "id": "bundle--7119bbcb-355a-4439-b3f0-3ec51e768cf1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json b/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json index 520fcb0162..c7c9b4dab7 100644 --- a/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json +++ b/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5e52b57-ee01-4d83-b54b-a7dfea47e955", + "id": "bundle--1a8cce2d-ae24-4b83-be43-c5dd7bb2e416", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json b/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json index bb88d1059f..6a694d4da0 100644 --- a/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json +++ b/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29acdd7c-88b4-4ed4-a30f-a6724b8056bb", + "id": "bundle--a196f492-5c80-4491-a419-4b56a7b2f7cb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json b/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json index b5e14f4e3b..bbb9a815e2 100644 
--- a/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json +++ b/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43937863-3f9b-4e15-a74b-92c6231a6011", + "id": "bundle--17cec2f7-cf1a-4650-b187-5de065f0bf27", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json b/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json index 8163650ef0..407a9caaf5 100644 --- a/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json +++ b/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--567b00f2-69a5-4914-a826-4f13a4e4fbda", + "id": "bundle--9c5b65d8-f5f4-48c3-a01c-f4246b5d2926", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json b/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json index f730bc7930..38c2b7378b 100644 --- a/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json +++ b/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2aeb290b-5cae-42d8-8cc7-09c00c4b6e38", + "id": "bundle--1abd7ac9-8e48-4489-bf14-66ea6626cb1c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json b/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json index 49d8eb0632..159b53f2b4 100644 --- a/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json +++ b/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cfc89e4-4b4e-42dd-b0dd-7f86030c724a", + "id": "bundle--f6cca8a5-4d83-4b5e-8be7-a798b11ef7dc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json b/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json index 7cb8f7e0a4..f3f3e49001 100644 --- a/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json +++ b/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f3abe4a-6fa5-4efc-b071-102f2f80c6f1", + "id": "bundle--5c24da82-2e54-4196-b66e-878f8ccc70bf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json b/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json index b58cf3779e..ec9909bf88 100644 --- a/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json +++ b/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fa289a9-a5d2-43ed-8f98-09c10e6cfb37", + "id": "bundle--1d314119-bd92-4caa-a26a-6f00c8532acd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json b/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json index 3a424cdae3..9b4499f51c 100644 --- a/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json +++ b/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f233486d-a6ad-4bfd-a70f-41dc1856292c", + "id": "bundle--94ca32a8-d624-43a5-95c2-b016a2c3123a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json b/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json index 93cc4ec5d2..a363615e97 100644 --- a/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json +++ b/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a2a5024-d22a-4ad6-89be-a9da04fc2806", + "id": "bundle--1b7def67-581c-4c90-9b0c-14a28f8d6a68", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json b/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json index 691e79385e..d4fcfdab76 100644 --- a/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json +++ b/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57990528-9d11-4a14-8db6-d10e89eded92", + "id": "bundle--eafa472a-d088-4f44-b680-231f0ed858b7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5.json b/mobile-attack/relationship/relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5.json new file mode 100644 index 0000000000..94be3f726d --- /dev/null +++ b/mobile-attack/relationship/relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--22ac8bbb-ccda-49c9-9865-059048f211b5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--aa15a167-4c7d-4e69-8c51-5414997ac4e5",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550",
+ "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json b/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json
index 41c6579c7d..616ea4b451 100644
--- a/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json
+++ b/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--19291073-68a3-4002-904e-691ece9c1ace",
+ "id": "bundle--74167963-a6e0-426e-9917-039c95661e76",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json b/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json
index c4aac3f46a..ec7979b6a5 100644
--- a/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json
+++ b/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--382aa88a-5fed-4873-9cbc-bcefe5d606e1", + "id": "bundle--d57343a4-b17e-4758-aeae-de7c40723f2c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json b/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json index 08b1815060..87c88c4726 100644 --- a/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json +++ b/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60d45bdb-0ad1-419b-9d7d-e8a6906a1170", + "id": "bundle--7a9b029c-e0d6-427e-a174-3fb289e76c7e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json b/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json index 219424aeb1..e6562240ca 100644 --- a/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json +++ b/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82799894-02af-4fd7-aa33-e6053fdbb7b2", + "id": "bundle--4ceb69b4-4826-43df-a50c-b2548f74454b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json b/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json index cb5023eec7..e555003c8e 100644 --- a/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json +++ b/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57129d69-3bc7-4920-8ce2-56aa2a8de9fa", + "id": "bundle--2ad2af55-6a3d-4ce1-9ad6-e7ac0d9808b4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json b/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json index e4b2864bec..5013bffaaa 100644 --- a/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json +++ b/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--efad6554-2fe9-472a-99d6-d24c07f1c9c1", + "id": "bundle--feabdc45-bcaf-435a-a56a-9f7371d6b57a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json b/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json index 8578ca4832..94a406ac1b 100644 --- a/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json +++ b/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63bf0a3e-9d28-4842-ad63-ec733cd076f2", + "id": "bundle--17e4a1bf-235e-4482-98c5-e9e71ada4fc0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json b/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json index 34c940dc1f..e2589fc67f 100644 --- a/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json +++ b/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b763b802-57a5-4cca-8a78-6f619b9d0e54", + "id": "bundle--293881aa-2423-4666-a2c5-60b45e57e92c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json b/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json index 61184c3206..8ca7d1c247 100644 
--- a/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json +++ b/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71593ff3-c1da-43a6-b026-0bf560b18b53", + "id": "bundle--3d5b4b30-fc3d-4c3d-ac83-f1180a06d1b1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json b/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json index 0ede60c17c..89f27ff59a 100644 --- a/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json +++ b/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b9c4d47-cfa7-42b1-93d8-98915125bcc5", + "id": "bundle--e2adc0fc-d202-4de6-ad08-0f9c7fba9f5d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json b/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json index 25f954d8c6..9ab923d0dc 100644 --- a/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json +++ b/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08aff6b9-e352-4bf2-a625-6629b5ca36d5", + "id": "bundle--253d15d4-b653-4537-896a-44ffb2a95549", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json b/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json index 3afdfcc794..5cd1f23063 100644 --- a/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json +++ b/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--99367a63-4c8b-4582-ae20-5dbb00ccce93", + "id": "bundle--5dbd8e74-bb44-4a71-a624-4a1b0361bf90", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json b/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json index 7ee85e1df4..ed2b0188fc 100644 --- a/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json +++ b/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccf64d8e-ceb4-4b02-9c84-f2d1c8fe7a35", + "id": "bundle--2d0364b4-b47d-4155-89b2-8e4138530ee9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json b/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json index 7bcc7dbd30..f0ead77ed8 100644 --- a/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json +++ b/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a358200-ceaa-4d91-a6f6-55136d1390b0", + "id": "bundle--642df11c-36ce-420c-8f53-39bde393ab96", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json b/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json deleted file mode 100644 index 3695459792..0000000000 --- a/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--aab868af-1b54-4659-9d79-d3794e408344", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783", - "created": "2023-03-20T18:55:51.580Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:50.159Z", - "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json b/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json index d468d8bf4a..7e320e45c3 100644 --- a/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json +++ b/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28f44e44-da07-4bb9-806b-3d406611be1d", + "id": "bundle--c4e3e5c1-4aeb-4fd1-a785-206ca7d83e6b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json b/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json index 2486026c40..896235e42b 100644 
--- a/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json +++ b/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb43b657-bd04-4299-a00a-5c7083db4171", + "id": "bundle--e3505965-49ce-4294-8b53-8d152da16ed3", "spec_version": "2.0", "objects": [ { @@ -19,8 +19,8 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:50.570Z", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)", + "modified": "2025-07-07T22:04:27.524Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to download new code at runtime.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", diff --git a/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json b/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json index c75b807380..4fc11445a1 100644 --- a/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json +++ b/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7b836a7-28bd-4e46-b8c4-e29131341f7c", + "id": "bundle--378eb488-9058-4ef4-b74c-10c0412a8003", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json b/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json index f70cf59176..a111be3c6b 100644 --- a/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json +++ b/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c2be737-9694-4bd2-909c-e7ffdb10c948", + "id": "bundle--c04c62cc-6aeb-4ffd-b57b-fc81ace5db23", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf.json b/mobile-attack/relationship/relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf.json new file mode 100644 index 0000000000..1af0dbc1eb --- /dev/null +++ b/mobile-attack/relationship/relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--5c569373-3fdc-4fb6-bb3a-7dab6d87fe7a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf", + "created": "2025-10-08T14:40:37.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:37.217Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
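Review bot: The `description` string of the added relationship--ad1cd55e-10a7-4895-bc76-160e2de319cf object ends with a trailing space after `(Citation: Lookout_DCHSpy_July2025)`, and its reference text has a stray space in `Conflict . Retrieved`. Pipelines that diff or hash relationship descriptions to spot real content changes between releases will register a whitespace-only change if this is trimmed later, so it is better normalised now: `"description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025)",`. The same trailing space is present in the added relationship--b0d88891-f927-482e-980a-83d5512b1ae8 and relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7 objects further down.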
diff --git a/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json b/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json index eb096e978c..d8ae7b2ff8 100644 --- a/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json +++ b/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5d0208b-a9b1-44a1-9cdb-f1a0a5b5de78", + "id": "bundle--e23ae4b6-0f2c-48bb-b9a6-50c82a906b9c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json b/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json index 0e1bc68edd..6bf36d6f51 100644 --- a/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json +++ b/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13ff6322-ab42-4724-8f10-092f1956746f", + "id": "bundle--a9055b5e-4831-40df-85de-c465325cf853", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json b/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json index 89567446f5..e3d77db3c0 100644 --- a/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json +++ b/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b62d8365-c2ba-4478-b1d2-d424ba3e7c24", + "id": "bundle--0682c0ae-9447-479b-ac29-3a77370ba928", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json b/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json index 06b3879fc8..8846d812d0 100644 
--- a/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json +++ b/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ddbe51c-337d-4c4f-bde9-3e8b7b72e65f", + "id": "bundle--d13e225a-52c3-464e-835b-91984ee2ec43", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json b/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json index 69e7807456..ac25db6528 100644 --- a/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json +++ b/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f99f16c-25bb-47c2-aeed-f27105e71d77", + "id": "bundle--eab77ef5-0cda-415e-a1fc-420f56b2dabd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json b/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json index e4d017a4e3..8d9d04fc95 100644 --- a/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json +++ b/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8ebdf47-1472-4813-a534-7075eb457e04", + "id": "bundle--44fa2592-312c-4c97-a82f-280300d21ae4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ade33114-0204-49af-95c0-988e39e68989.json b/mobile-attack/relationship/relationship--ade33114-0204-49af-95c0-988e39e68989.json new file mode 100644 index 0000000000..58e7af3e33 --- /dev/null +++ b/mobile-attack/relationship/relationship--ade33114-0204-49af-95c0-988e39e68989.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8290c5b7-b344-40fa-9e74-318e4380b66a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ade33114-0204-49af-95c0-988e39e68989", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json b/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json index bf1f359383..e370d3e23c 100644 --- a/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json +++ b/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4dd64f44-56b6-4793-8374-e48b35be93d9", + "id": "bundle--1f2e8da3-c516-44cf-9612-22bd08efec10", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json b/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json deleted file mode 100644 index fd7c0ca231..0000000000 --- a/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json +++ /dev/null 
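Review bot: `"description": ""` in the added `detects` relationship--ade33114-0204-49af-95c0-988e39e68989 uses an empty string as a "no value" sentinel, and the object omits `revoked` while the `uses` relationships added in this commit carry `"revoked": false`. The `detects` relationships deleted in this same commit (for example relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783) held the analyst-readable detection text in `description`, so a consumer that surfaces that field will presumably show nothing unless it resolves `source_ref` to the `x-mitre-detection-strategy` object. I would omit the `description` key rather than emit `""`, and add `"revoked": false,` after `created_by_ref` so every relationship has the same shape. The same applies to relationship--aed2ecd1-999d-485e-a43c-a1b2965de981, relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03 and relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5.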
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--9db33265-9d2a-4f24-878c-9109c50288d8", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025", - "created": "2024-03-29T15:07:01.237Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:52.568Z", - "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", - "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json b/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json index 9f1762582e..9650b85b4c 100644 --- a/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json +++ b/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86e457bc-4a8a-4a09-866d-9de3355d66ba", + "id": "bundle--eb64149e-d33b-4658-9e04-196b1f6c4d3c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json b/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json index 82b3d8bec8..9ef7aa35c4 100644 --- a/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json 
+++ b/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d7903b7-079e-46d0-b982-195a19f777cd", + "id": "bundle--60e78144-d60d-417b-9e34-1131cea2104e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--aed2ecd1-999d-485e-a43c-a1b2965de981.json b/mobile-attack/relationship/relationship--aed2ecd1-999d-485e-a43c-a1b2965de981.json new file mode 100644 index 0000000000..d86907cd51 --- /dev/null +++ b/mobile-attack/relationship/relationship--aed2ecd1-999d-485e-a43c-a1b2965de981.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--91c9faaf-b944-453d-9408-6a4fbc1e55a2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--aed2ecd1-999d-485e-a43c-a1b2965de981", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json b/mobile-attack/relationship/relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03.json similarity index 53% rename from mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json rename to mobile-attack/relationship/relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03.json index b588324b93..7bee7d7328 100644 --- a/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json 
+++ b/mobile-attack/relationship/relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--a10371ff-f4df-4aca-9e78-4b518f0c7f30", + "id": "bundle--77214792-0bcc-44bd-b7d8-5d0ec1a6831e", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa", - "created": "2023-07-14T19:11:45.176Z", + "id": "relationship--aed8e8c8-ffea-4134-9951-bdc5bfccbb03", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:20.122Z", - "description": "Unexpected behavior from an application could be an indicator of masquerading.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "source_ref": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json b/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json index 5be5d50a3d..df33fccbf7 100644 --- a/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json +++ b/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9bfdb194-3e13-4125-9455-1f49a9980179", + "id": "bundle--e4f7413a-f0a0-4324-bdee-184203dde434", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json b/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json deleted file mode 100644 index 2607a3ce2e..0000000000 --- a/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--1d8faa10-b3a5-4d43-b4d9-556e71b9611c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--af06eaaa-161e-4913-8668-49bdd25b2eff", - "created": "2024-02-21T20:47:45.488Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:50:53.366Z", - "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json b/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json index 61a744334d..67ed8afd57 100644 --- a/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json +++ b/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e4e80c0-c8de-445c-a050-10b48d030799", + "id": "bundle--d7b17427-a9c4-4957-a29a-89c12bd20a65", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json b/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json index f8064e3982..da088d4a0e 100644 --- a/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json +++ b/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e04682ba-0a15-476c-90a0-4187c4cdd96c", + "id": "bundle--b9895094-0d30-4e12-ad2f-2c6c29f80bb4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json b/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json index ed9df33e8c..08c9d5d12a 100644 --- a/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json +++ b/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0e0c9dc-5213-45fd-b024-419cf038ac50", + "id": "bundle--b79f75e5-3022-4ae4-8dee-3efb87305c3a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json b/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json index ace908d17b..c8b891527b 100644 --- a/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json +++ b/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa9a0958-c293-4094-8171-92b82d2aebd2", + "id": "bundle--3b3634b2-bc00-4ab6-af6b-53cab56e410b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json b/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json index af97d3a35c..5cdbb0b719 100644 --- a/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json +++ b/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a85c5afa-2d79-43c2-9b17-0847157e4a1c", + "id": "bundle--253b20cc-ac26-4e31-9b57-3cfc116f200e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json b/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json index 07a03610db..edc8575a42 100644 --- a/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json +++ b/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13f6d55e-5357-4828-88e7-bdcc4e0cd7d8", + "id": "bundle--0eb07d3b-958a-4b42-8821-4bc414626442", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json b/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json index 0552c533df..5382f6c473 100644 --- a/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json +++ b/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f93f279-c39f-4fc4-9e3a-7b00c0e51f6d", + "id": "bundle--2ed5e3d8-ff8a-4c62-83e6-0d5479238610", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json b/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json index 34109676f9..179ae495dc 100644 
--- a/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json +++ b/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6663e267-cfb8-49af-8f2b-7a1727ad340d", + "id": "bundle--b144e335-b1ee-4b40-bef5-1d539722437e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json b/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json index 322db52080..ac8588c931 100644 --- a/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json +++ b/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b7251a5-ce3f-4c95-b3b5-8756d112f1d6", + "id": "bundle--c396e36a-3788-4fc9-9416-4448de433f21", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5.json b/mobile-attack/relationship/relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5.json new file mode 100644 index 0000000000..8a7013659c --- /dev/null +++ b/mobile-attack/relationship/relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--08c8c23e-20b2-4a03-86cd-c651b4205fa0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b0a5a5e8-3815-48eb-bceb-d24ca84417b5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json b/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json index 4132b5bf49..3d6028683d 100644 --- a/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json +++ b/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec9551b2-9b60-4a99-a975-b8d6cc20a8e4", + "id": "bundle--bb90897e-742c-4fae-b6f5-450b4087f756", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json b/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json index 97ee8f5226..ac898d25ca 100644 --- a/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json +++ b/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7b46434-a723-420e-bb3a-ca269a03b779", + "id": "bundle--aef0c6ad-3748-46d4-bbb5-40dcf9a6dfb0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b0d88891-f927-482e-980a-83d5512b1ae8.json b/mobile-attack/relationship/relationship--b0d88891-f927-482e-980a-83d5512b1ae8.json new file mode 100644 index 0000000000..463e3f7f34 --- /dev/null +++ b/mobile-attack/relationship/relationship--b0d88891-f927-482e-980a-83d5512b1ae8.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--b708f85f-9f83-4072-89b6-e5499c314155", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b0d88891-f927-482e-980a-83d5512b1ae8", + "created": "2025-08-29T22:15:24.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:15:24.225Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has downloaded Google Play Store, Google Play services and Google Services Framework APK to a virtual folder.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json b/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json index fd0e0bdd78..b7d8ed53a0 100644 --- a/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json +++ b/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ddbe531-f2cd-482a-8d5d-c02631df89fd", + "id": "bundle--2fe31bf7-ccd8-49d9-8f99-b1650d74cf4a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json b/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json index 2faf88e9e7..eafb11cd88 100644 --- a/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json +++ b/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--415a3f8c-2784-4832-a109-3cd7e5f527b0", + "id": "bundle--17048516-6b16-4bae-a774-412caf897334", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json b/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json index 15ee3afa5c..e65db61053 100644 --- a/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json +++ b/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c79bd876-8010-40e5-8719-bbc82a3f77de", + "id": "bundle--7d7e7a54-90be-4297-9092-08b65caaf96a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7.json b/mobile-attack/relationship/relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7.json new file mode 100644 index 0000000000..fad073d0d6 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a90b1e99-457f-4d42-9484-de862c508a22", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b14a1e23-e1ce-46ec-b4f2-414a13a8b6a7", + "created": "2025-10-08T20:24:14.897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric_Chameleon_Dec2023", + "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.", + "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T20:24:14.898Z", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, [Chameleon](https://attack.mitre.org/software/S1083) will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.(Citation: ThreatFabric_Chameleon_Dec2023) ", + "relationship_type": "uses", + "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json b/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json index 87ebdd6553..93f1bc0622 100644 
--- a/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json +++ b/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--96646381-5069-4bf0-bdc4-52cd5f4a528a", + "id": "bundle--0cc19496-2569-463d-9e66-3a1fb3002161", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json b/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json index 9371455fcb..f6f68fb2d9 100644 --- a/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json +++ b/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c5f8a84-2079-4013-b0e3-f331c7a43af4", + "id": "bundle--f6c5616c-84db-41e2-ad21-ae4d8b6d43bd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json b/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json index 03af02108d..faac6d0c2f 100644 --- a/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json +++ b/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--706fc529-79ca-455c-a20c-868b03f38276", + "id": "bundle--eb109801-16b3-46bc-9f77-a8143604bc07", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json b/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json index 4d0b6d4595..f9774bb42c 100644 --- a/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json +++ b/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18c0a541-0014-4778-8f06-b6d9cde8be33",
+ "id": "bundle--e708d92e-4634-4bc4-83e0-ddf77ccaccb5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json b/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json
index 576bbbddee..9140173bfb 100644
--- a/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json
+++ b/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--293f23ee-8282-4862-9dd6-aa19c8199455",
+ "id": "bundle--568f8c6d-bb78-4cb9-91bc-55e0fdf9217a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json b/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json
index 408b1e50e4..2bf6408379 100644
--- a/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json
+++ b/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--008d0f71-4dcd-498a-9a17-35e6219de4c4",
+ "id": "bundle--4f143d24-917d-4111-9636-4afb112abc2e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json b/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json
index 28719318cd..8d81546814 100644
--- a/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json
+++ b/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cbb6564d-bfb6-44e3-ab6a-9726e936b1cc",
+ "id": "bundle--d56301fb-4626-4f9c-9142-c76248196ab6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json b/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
index da597149b0..03a837d5b2 100644
--- a/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
+++ b/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2d7f5f47-ee68-48ff-9ecc-ce0a045e0ef9",
+ "id": "bundle--a7cb35b6-d71e-4754-83b6-c43ea469165a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json b/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json
index 748ca3be96..327415132d 100644
--- a/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json
+++ b/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a8e11ab2-b3a4-48e9-a3f4-3a91cc472460",
+ "id": "bundle--e7d9927c-955b-4511-8cf6-8bfd51e0a2b9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json b/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json
index 51478c0228..b82d09d778 100644
--- a/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json
+++ b/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aa534810-8f74-45f0-844e-41c449776aed",
+ "id": "bundle--f6b1263d-d903-4676-9f1b-e4215d670271",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json b/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json
index 540dbfe8cf..4f425ac18f 100644
--- a/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json
+++ b/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--96b36134-48e1-498f-954a-b354f57eb139",
+ "id": "bundle--e1b0f254-a4ce-467f-8a7a-9e18276f9093",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json b/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json
index e61d8dfef1..8dcbcc4509 100644
--- a/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json
+++ b/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--549fc2c3-5a92-4d77-9278-482cf33dbe23",
+ "id": "bundle--0c976a98-6bb6-4ef6-90c0-4d5b41908039",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json b/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json
index ebd8fcc296..1f4ebccd64 100644
--- a/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json
+++ b/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cfdf0cc5-aada-4a7e-9ec3-9f77c345d2ec",
+ "id": "bundle--ee410238-b786-4812-84d9-6e5b0699f761",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json b/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json
index cb29657b47..fec505bdc9 100644
--- a/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json
+++ b/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53344309-8fcc-44c2-8843-0bcd18eb34c2",
+ "id": "bundle--ef5d2d96-8131-46a6-a4d7-b3afb550c4f3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json b/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json
index 898623725a..cd1e2565d6 100644
--- a/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json
+++ b/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bb4097f6-92ac-48ba-a79c-b593f7933737",
+ "id": "bundle--3c9660fa-e660-4e41-b36e-59f86dc7c9ee",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json b/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json
deleted file mode 100644
index 6b5a7b91cf..0000000000
--- a/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--64325b58-8557-4e79-8874-df5d41ed4e13",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7",
- "created": "2023-03-20T15:33:34.181Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:50:59.476Z",
- "description": "System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
- "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json b/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json
index 4ad017f226..6c2d049271 100644
--- a/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json
+++ b/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--799e62d6-8573-459b-8132-40d7dc25428d",
+ "id": "bundle--3eefbdc0-e630-4e5b-8ea6-25485eb11872",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json b/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json
index 76d2f7bc28..a38ac73eb6 100644
--- a/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json
+++ b/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--081c88f9-e99b-4961-802f-3a903dd298e0",
+ "id": "bundle--83adb02a-5bba-437b-b571-4448ed693f49",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json b/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json
index 5e04c30ee8..fa188ed903 100644
--- a/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json
+++ b/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a3519b8b-c4f1-458b-8523-651b6e387911",
+ "id": "bundle--e9a78576-294b-4f48-a14f-10b63b65f41a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json b/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json
index 4342e9ab89..5e6429969c 100644
--- a/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json
+++ b/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1e0c0e1a-f9c4-4e69-9fe8-e27a4468bff1",
+ "id": "bundle--870f5da0-20b5-4e4a-8086-f515d96f6fba",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json b/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json
index 2f91672637..aeb750f59f 100644
--- a/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json
+++ b/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8501e7e6-0e4e-4909-bbd5-4ab8238fba87",
+ "id": "bundle--ba096bde-fe78-41ff-b0e4-e44117d53702",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json b/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json
index 8819658090..72ff88cf7a 100644
--- a/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json
+++ b/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b512b8a5-7f76-44cb-8111-4b1a2ebdee9f",
+ "id": "bundle--960dd209-5276-4f68-8b30-4af9f1635add",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json b/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json
index b04d9489f7..d655b12365 100644
--- a/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json
+++ b/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b55e4c9-2b8b-449d-a062-8d0f06de07cf",
+ "id": "bundle--6a8216df-90de-4ce9-ac67-29a18a1526b7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json b/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json
index e7f6d3a226..29f72c1c91 100644
--- a/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json
+++ b/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0f8bc5ca-a913-4d08-b98f-0f8ec02e5ab8",
+ "id": "bundle--0cbd6c5d-166d-46b0-af0a-ebb11f760b9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json b/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json
index 0856861970..22d8aba369 100644
--- a/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json
+++ b/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5cc04fbd-6ddc-4a24-af6f-34d99ca119bb",
+ "id": "bundle--73f555ef-f940-42df-ba01-1486231617f5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json b/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json
index 2c9afad112..9c591aa5d6 100644
--- a/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json
+++ b/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--df6c8b54-b9d3-421e-8a0f-4483fca6ff0c",
+ "id": "bundle--02ce2ab2-d6e7-4755-b37e-87cc6ecda971",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json b/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json
index ce98f50055..e427d929af 100644
--- a/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json
+++ b/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b99fab61-1c89-4019-b7f1-0f773de7e71d",
+ "id": "bundle--36af3dec-9bf5-4e2a-9f34-e140b699bbeb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json b/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json
index bd47892521..3ba2d2b211 100644
--- a/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json
+++ b/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--84a72bd3-8536-45e4-a430-2665467763cd",
+ "id": "bundle--0a025f09-3ebd-4e36-a0cd-3a65dd6635fc",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json b/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json
index 215feceb23..cbd800091f 100644
--- a/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json
+++ b/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0ad61d7d-6277-4be9-9f6d-5ff687e9656b",
+ "id": "bundle--67b0fd85-1765-4ada-8e43-ed81c3b88ede",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json b/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json
index 62ecb9a199..d38d6d91d1 100644
--- a/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json
+++ b/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fef54d64-1e6f-4d0e-b990-27c6717f6936",
+ "id": "bundle--e8de38de-c001-4fb5-9756-dc7f5e7e2852",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json b/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json
index 25cfaa41ef..d169454a3e 100644
--- a/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json
+++ b/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2d02e008-8615-4150-8954-f86e07ee8b5d",
+ "id": "bundle--74715930-7e40-4216-ab24-96f3d98bc17c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json b/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json
index 653a6c9e3f..b81c0f3810 100644
--- a/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json
+++ b/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b46e3fb4-aef3-4337-ad0e-6d77a7fcee51",
+ "id": "bundle--03a86397-579b-4585-b952-21da256f3cb7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b59b2f10-942b-455e-8166-1c9acb4b6824.json b/mobile-attack/relationship/relationship--b59b2f10-942b-455e-8166-1c9acb4b6824.json
new file mode 100644
index 0000000000..051a010e16
--- /dev/null
+++ b/mobile-attack/relationship/relationship--b59b2f10-942b-455e-8166-1c9acb4b6824.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--be113a85-326d-43fc-b151-b47f3db26b12",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--b59b2f10-942b-455e-8166-1c9acb4b6824",
+ "created": "2025-09-18T14:43:44.037Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:43:44.037Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has taken photos and videos using the device\u2019s camera.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json b/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json
index 05db0b5ab0..7f46f8a5ae 100644
--- a/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json
+++ b/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b0c152c0-d438-420e-b4cf-1b0ed7d910ba",
+ "id": "bundle--0b3a5cab-45e4-497d-85b3-050ebe257861",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json b/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json
index a7645de02e..27a242889d 100644
--- a/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json
+++ b/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--feb58f48-06ab-47af-a6a1-10f074f4818e",
+ "id": "bundle--3be65477-3c4d-419f-be93-cd33ed9fc20d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json b/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json
index 3d8ba81cb0..98d2d13fd0 100644
--- a/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json
+++ b/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--de28bf5f-4780-4b18-9800-7a3af2bac213",
+ "id": "bundle--4f4e5a7f-d664-4916-be03-ff11e2257149",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json b/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json
index 1068a6ef87..3f92af1a9f 100644
--- a/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json
+++ b/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8d5942fc-25fd-42fa-be95-b26abfbbbbe8",
+ "id": "bundle--38f9e311-2c97-440d-8484-9023cedff129",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json b/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json
index 5d0fcc0586..4c8a0dd94b 100644
--- a/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json
+++ b/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac262070-b9c6-4c3b-87e5-9d6e2848e984",
+ "id": "bundle--66976a20-ca84-48d8-a00c-bcabfb44cef2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json b/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json
index 34fba897bd..e6b1a63391 100644
--- a/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json
+++ b/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9bf1a0db-6429-4549-96cc-30d1727c9583",
+ "id": "bundle--33f09b44-3518-40dd-8626-fddecf1187da",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json b/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json
deleted file mode 100644
index bbfb8dd1eb..0000000000
--- a/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--b93fa125-4a7a-40fe-aff9-d6019c8fdb2a",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--b697a198-8949-43e0-b2b8-23498373c920",
- "created": "2023-03-20T18:37:13.628Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:51:04.385Z",
- "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
- "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json b/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json
index 25eb290c7e..f9fef752c2 100644
--- a/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json
+++ b/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--81eb621e-d3ca-4236-a900-c899854577f0",
+ "id": "bundle--8c45c3fa-8fa5-4234-8034-d179acfea0eb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json b/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json
index 259434223b..d94c6e0983 100644
--- a/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json
+++ b/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3b2fd04b-0ee2-478b-a368-493ede8fb626",
+ "id": "bundle--4992dbe0-83d4-47d7-b265-a80a88413bcf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json b/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json
index ac29164082..7815d29f2c 100644
--- a/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json
+++ b/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a50f626d-7db6-4dab-b31e-0beb3a16db2f",
+ "id": "bundle--a03d290f-157f-4967-b43b-cd57730a3da2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json b/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json
index aef8fd5bee..a678e5e24c 100644
--- a/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json
+++ b/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2ba6bcd2-8d3d-460d-8644-a2de1a26caee",
+ "id": "bundle--bb4f9731-4785-42d8-a359-88309a518fca",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json b/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json
index 1a37f38531..592a944a86 100644
--- a/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json
+++ b/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d856ad6-23a3-447e-b547-4814333b5592",
+ "id": "bundle--3a6df50c-e2f1-41a5-93a3-355354c0cc44",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json b/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json
index 93a0fc54eb..f25dafce1e 100644
--- a/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json
+++ b/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7cdba754-2cae-433f-8f3a-d9d08156c895",
+ "id": "bundle--be5b146a-042f-4bba-874e-1282420fd69a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json b/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json
index 3b5efe2643..ea4c8d8dd1 100644
--- a/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json
+++ b/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57249709-9bfa-4c47-b473-7be7a04fe1ad",
+ "id": "bundle--c23aa657-8b77-4188-bf73-6b611c446db0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json b/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json
index ca1dbbd110..fb59a1e7a5 100644
--- a/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json
+++ b/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ef290e0a-93af-4b23-9d05-fa893312e602",
+ "id": "bundle--33d46847-31d0-4810-a4d2-0b64ed23ffdd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json b/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json
index 0c5aee6cca..3d7a5755b2 100644
--- a/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json
+++ b/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7825a8d5-cefd-4311-8600-14d68b9c2faf",
+ "id": "bundle--778c2657-411b-41ae-9d1a-46aae054cda6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json b/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json
index 11c65ff5d0..2b03adf429 100644
--- a/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json
+++ b/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--10aac0a5-65dc-4978-a22e-757d656c2369",
+ "id": "bundle--cfff9977-f513-4d3c-b55c-443eead29e71",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json b/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json
index 8d437922e4..ae4f393740 100644
--- a/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json
+++ b/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d275bd96-abda-4624-baef-5771908ec87d",
+ "id": "bundle--f82ccf83-e716-4db4-a2d8-77e3dc168913",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json b/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json
index a63f1d8e3c..c9446ec478 100644
--- a/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json
+++ b/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--10ccb512-d9f5-46fc-ad92-f80c8e01b155",
+ "id": "bundle--7197c4f7-99ab-47f0-be2a-099f1fb13922",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882.json b/mobile-attack/relationship/relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882.json
new file mode 100644
index 0000000000..244debb951
--- /dev/null
+++ b/mobile-attack/relationship/relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--c55c826b-c332-45de-ae1a-b22548f8171c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--b9330b2b-10cb-401a-8264-c6a0a1f44882",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072",
+ "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json b/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json
index 947ffbf9e1..4344cb360b 100644
--- a/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json
+++ b/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json
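Review bot: The new `detects` relationship--b9330b2b is added with `"description": ""` and without a `revoked` key, unlike the other relationship objects added in this diff (b14a1e23, b59b2f10), which carry `"revoked": false` and a populated description. The two `detects` relationships this commit deletes (b37ebb4e, b697a198) held the detection guidance in that field, so a consumer that builds detection notes from relationship descriptions gets an empty string here. The guidance presumably now lives on the referenced `x-mitre-detection-strategy` object, which this hunk does not show. For a consistent shape I would add `"revoked": false,` after `created_by_ref`, and either give `description` one sentence or drop the key rather than ship it empty.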
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--900de08e-0640-472c-894b-86d135d0fc9b", + "id": "bundle--f6f7abbe-b001-4318-bb48-870f1dc4964e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json b/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json index d0a72ca642..1a1a5e37f5 100644 --- a/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json +++ b/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2557711-a07f-4b07-b05a-ffff632e1c6b", + "id": "bundle--f475c8fc-5abf-4e2e-b2ab-8559ff58e501", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json b/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json index a8353961c5..74d982affb 100644 --- a/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json +++ b/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--540a1093-5dc6-4a79-94c3-2d608d4c93c1", + "id": "bundle--62bef1bd-19b5-4cbb-acc4-cffae6d551bd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json b/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json index 0e9666f35c..fcdf79e020 100644 --- a/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json +++ b/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70736ac0-36ea-4519-a8d7-0dd23ea3cc91", + "id": "bundle--3e987fcc-3d75-4785-96a7-060056a5cd25", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json b/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json index 61375ad7ed..a0532ce67a 100644 --- a/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json +++ b/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d68826da-3dff-4be3-bd8a-01877d0bb24a", + "id": "bundle--b77004fe-2eae-440f-981d-0e9dc284ef53", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json b/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json index c7cbf02b21..e5c00f6c67 100644 --- a/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json +++ b/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a74bfde9-be38-423b-8e4e-37b2208e1185", + "id": "bundle--a13325b7-0d42-4d43-af47-181806b9f586", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json b/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json index 15e9d5fe1c..45b9161291 100644 --- a/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json +++ b/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43ccef10-0e33-4fa3-b43b-fa8b488f3075", + "id": "bundle--f52f0c85-4faf-491c-be3e-e95a519db4e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json b/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json index ee88582c73..051b14722f 100644 
--- a/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json +++ b/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--658fea59-5a84-4df4-9cb8-b46e6a2295a8", + "id": "bundle--5ac2cfea-68d5-49fc-84fe-258a3ac38b12", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json b/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json index 9d2a07cad5..e38b4fa486 100644 --- a/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json +++ b/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f599a2b8-3db0-48d3-b25a-af57e730cdfc", + "id": "bundle--657fc397-c738-40ab-980d-48f78e6d4a2c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json b/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json deleted file mode 100644 index c9a3b35ebd..0000000000 --- a/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--80338c1f-587f-42a7-85db-753661b1b5f8", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf", - "created": "2023-08-09T14:38:34.721Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:08.819Z", - "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85.json b/mobile-attack/relationship/relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85.json new file mode 100644 index 0000000000..96c19790cb --- /dev/null +++ b/mobile-attack/relationship/relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fc8a204b-8a49-4ab9-8b28-8db5ca3b92af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bae8eb3a-d11c-4a18-82a9-d3657dfa1b85", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json b/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json index 7a514e8c12..670c1cbf01 100644 --- a/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json +++ b/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--404a0a06-1165-425b-a992-9b881f22c8e7", + "id": "bundle--50b75312-d135-4341-b6f4-a0ab9f0682e2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json b/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json index 0774c12176..0765d6a964 100644 --- a/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json +++ b/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e492a2cb-2f29-4af5-8550-1235a1541013", + "id": "bundle--8ba24631-579e-4ce6-bfc8-76c98aed29a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json b/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json index 17df320f0a..f707595a75 100644 --- a/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json +++ b/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b9baaf4-d218-4b88-960b-055b3df3dfa1", + "id": "bundle--8e8bd584-6025-4395-aa91-236807046774", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json b/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json index 5b4b9d37ad..6fe15cda3e 100644 --- a/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json +++ b/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--592069e1-99ed-4205-8924-5f1b03bd1252", + "id": "bundle--f2cc7efd-ed83-4cbf-8dbc-2cbe886a6d61", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8.json b/mobile-attack/relationship/relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8.json new file mode 100644 index 0000000000..6b052fa98e --- /dev/null +++ b/mobile-attack/relationship/relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--9798cf21-ba1d-4536-a484-e7f8b0c5ca0d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8",
+ "created": "2025-10-22T21:37:29.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-22T21:37:29.274Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json b/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
index 7f4b9b36d4..9eb6d5de54 100644
--- a/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
+++ b/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
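Review bot: The `description` value of relationship--bb6e0232-8205-4ae8-80a8-659d33056ac8 ends with a trailing space after the citation marker, `(Citation: TrendMicro_CherryBlos_July2023) "`. Renderers that turn `(Citation: …)` into a footnote are unlikely to care, but exact-match comparisons and hashes of the text will differ from the trimmed form. Ending the value as `(Citation: TrendMicro_CherryBlos_July2023)"` would match the GodFather relationship added in relationship--bc656065-d207-456e-a343-ea778ece5f69.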
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8355fbd3-f1dc-4b2c-9577-9be1c4690d74", + "id": "bundle--98445a82-52ac-4159-a842-bd5262ad7055", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json b/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json index 05b8554e94..61122d7f4c 100644 --- a/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json +++ b/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b26f777-00c4-481e-b110-76c9defd9ddf", + "id": "bundle--195554b6-6035-45f2-b612-894d28c3e54b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json b/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json index 9d569280b1..46d3bdcfed 100644 --- a/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json +++ b/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cd2829b-cf08-4f6e-afba-adc088b2cf07", + "id": "bundle--6c4891db-1fd0-4ae1-82c7-639928f67d76", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json b/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json index 1d8b076bd1..e0272dcc2d 100644 --- a/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json +++ b/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33714e0b-ae79-47b1-baa9-46aacf455597", + "id": "bundle--17ad4e96-204f-42d9-88d8-3444dcc341fd", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json b/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json index e0c167d896..b011f7bba4 100644 --- a/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json +++ b/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6dde27c8-441d-4812-abe2-d1ad9aa967ba", + "id": "bundle--81515153-257f-4719-829f-a67e838c89e2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json b/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json index 637657a3de..f8b179701d 100644 --- a/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json +++ b/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5cfa9449-277e-4c24-b633-518c1fd85ed2", + "id": "bundle--b8262d90-e3ea-4559-9023-45e0674a663c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json b/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json index 3e67920acc..5388156129 100644 --- a/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json +++ b/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--600bc619-1a57-4f66-83a3-236aa197c435", + "id": "bundle--49589014-8cc7-4e57-844f-f8b23ddeb5ac", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json b/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json deleted file mode 100644 index 2dce52363d..0000000000 
--- a/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--2366172d-2e89-4b6c-8954-b99fc68521f1", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2", - "created": "2023-03-20T18:51:44.864Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:11.511Z", - "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json b/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json index 1c2e1fea3a..6176062991 100644 --- a/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json +++ b/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eee899e2-9d2a-48ad-a58a-522760f14d36", + "id": "bundle--c6e2b00a-18e8-4b93-a1b7-a5a2a9d9ca3a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--bc656065-d207-456e-a343-ea778ece5f69.json b/mobile-attack/relationship/relationship--bc656065-d207-456e-a343-ea778ece5f69.json
new file mode 100644
index 0000000000..b16ddd9ea9
--- /dev/null
+++ b/mobile-attack/relationship/relationship--bc656065-d207-456e-a343-ea778ece5f69.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--144e6f12-ee87-47ce-9d7f-6721a101089c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--bc656065-d207-456e-a343-ea778ece5f69",
+ "created": "2025-08-29T22:00:15.784Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:00:15.784Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling [GodFather](https://attack.mitre.org/software/S1231), to exfiltrate Google Authenticator one-time passwords and to steal credentials.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json b/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json index a384d52014..2b386280dd 100644 --- a/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json +++ b/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f40d6c1-a19d-4bea-acde-94eaee1adc95", + "id": "bundle--56c786db-557a-4b21-b452-070f406ebd5e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json b/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json index b44028d450..f58267a13c 100644 --- a/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json +++ b/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d9d855d-5553-4e8c-9d8a-2224582f9c3c", + "id": "bundle--0157c925-5e58-4b35-998f-23f8293dbe16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json b/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json index afab368985..d672b9e0b8 100644 --- a/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json +++ b/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5692cc52-0045-4f41-9eae-611d491bc237", + "id": "bundle--1eb0204e-1e66-4453-b8f8-64300b218f95", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json b/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json index 831960d8b1..5df1d0c641 100644 
--- a/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json +++ b/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--897486f5-635e-439d-81ca-e729f8483377", + "id": "bundle--6f146894-552a-4b08-a635-14fdfb5cbcd7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json b/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json index 0519fa357d..a268796c22 100644 --- a/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json +++ b/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a339589b-26b6-4ca4-95f6-6e90023e2411", + "id": "bundle--36885f7e-c4b1-4b86-81bb-9eb87c539a26", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json b/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json index e5d148059c..7d86a0979c 100644 --- a/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json +++ b/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50ddc111-1082-4012-ae8a-751d7b8be0a3", + "id": "bundle--c0da28bb-61ec-42b8-b924-315c65f4dba6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json b/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json index ddd2529157..e851963fa7 100644 --- a/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json +++ b/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f02c914c-61bc-46c0-9f27-78849abc7ae3", + "id": "bundle--d9e3fc88-1420-4464-a063-c05ecd652c1c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json b/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json index ba9090daea..09c61e0841 100644 --- a/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json +++ b/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8f2af20-cbc9-4ce5-b05a-fb005df1a151", + "id": "bundle--ed589dfc-2c2b-4ee1-8052-18a68d03021b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json b/mobile-attack/relationship/relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7.json similarity index 51% rename from mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json rename to mobile-attack/relationship/relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7.json index f0ae1a0381..a6b1ed2139 100644 --- a/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json +++ b/mobile-attack/relationship/relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--c552e575-3089-49f7-9a90-b0ebfbbd5c54",
+ "id": "bundle--8694811d-bed5-4b4b-ba7d-6987ec10598d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--b610c587-576a-40cc-9f76-6362455c8ff4",
- "created": "2023-03-20T18:43:01.334Z",
+ "id": "relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:03.373Z",
- "description": "Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "source_ref": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90",
 "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json b/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json
index bb7dcfd42e..29e0bff67d 100644
--- a/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json
+++ b/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bca03bb0-e9a7-4fda-ae99-9dcdaa367e1e",
+ "id": "bundle--3167ef24-4785-43be-95b2-a8e57fe38556",
 "spec_version": "2.0",
 "objects": [
 {
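Review bot: Git pairs relationship--b610c587-576a-40cc-9f76-6362455c8ff4 with relationship--bd696eda-b2a2-4114-9e6b-b9e9ce5d2de7 as a 51% rename, but the hunk replaces the STIX `id`, `created` and `source_ref`, so this is a new object and the old relationship simply disappears. The old id is not left behind with `"revoked": true` or `"x_mitre_deprecated": true`, so a consumer that syncs by STIX id gets no tombstone and may keep a stale `detects` edge from the `x-mitre-data-component` to attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3. The plain deletions in this commit (relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf, relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2, relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf) behave the same way. If hard deletion is intended, listing the removed relationship ids in the release notes would let downstream detection-coverage mappings be pruned deliberately rather than drift.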
diff --git a/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json b/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json index a5d9720fd9..7d1b1da446 100644 --- a/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json +++ b/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49051238-1863-40e0-affc-f9990171ff5d", + "id": "bundle--2a5dcd87-bf45-4f58-a4ba-71ea27f783d2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json b/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json index b8738d37f9..34e4237826 100644 --- a/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json +++ b/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6e62a1a-ab0c-4b30-8aff-9ac2a5cac81b", + "id": "bundle--d3e1bbeb-d0a8-4106-a769-1a7fd2156d76", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json b/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json deleted file mode 100644 index 360a34f187..0000000000 --- a/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--cf092b67-e0e4-4838-8ea8-1ac5b8b81a29", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf", - "created": "2023-03-16T18:28:28.144Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:14.552Z", - "description": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json b/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json index ae92b8d6c3..43a8d3ff01 100644 --- a/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json +++ b/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6152d1d7-d8c2-4e75-8420-14e9ca3fb82f", + "id": "bundle--8d99c67c-3bd1-45a3-b7df-17d734f44f59", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4.json b/mobile-attack/relationship/relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4.json new file mode 100644 index 0000000000..0baddce020 --- /dev/null +++ b/mobile-attack/relationship/relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--681acdc2-0b10-439c-b697-ba1ab4b6ffc5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--be05e26b-4c1c-4c64-9d84-c8835e0b37b4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", + "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json b/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json index 357aa746f1..cfa400fcf3 100644 --- a/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json +++ b/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--092b5e06-9219-4728-ad14-643d27b3b3cd", + "id": "bundle--2f079fab-baca-4eb8-8282-e5f48e4042d4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json b/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json index 0717f08666..93491fe2a3 100644 --- a/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json +++ b/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe26d840-129d-42ef-b54c-1758ca79167f", + "id": "bundle--d15f5a2c-8f87-456e-a89c-fa87f4451885", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json b/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json index b450ea50a7..b1c86aaa00 100644 --- a/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json +++ b/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--696c8459-7ab8-42e1-b15f-2edf68add332", + "id": "bundle--ec6ccba6-bae5-424f-9e15-d74e7986d5d8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json b/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json index 53b5778b3d..a7638edbaf 100644 --- a/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json +++ b/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6802349d-9eb4-46fa-aa99-fa44775d4de7", + "id": "bundle--d9019d0d-84b5-43a0-9dfb-8a21486922a0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json b/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json index 1aea3f9ce8..b12823db06 100644 --- a/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json +++ b/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eba16488-2304-4e09-9c20-06bc2c77b077", + "id": "bundle--dbd41ef3-4ddb-48e8-8923-eedc98232a03", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json b/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json index a288e72c33..ef6e5ff6bb 100644 --- a/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json +++ b/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c358111-851a-4807-a7bc-71a4ee591455", + "id": "bundle--f047192f-84ac-4b1d-a201-347914751c0e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json b/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json index d6b6fa39d5..2330ab504d 100644 --- a/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json +++ b/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed9d68ac-d59e-4cda-8909-c91d085a5348", + "id": "bundle--4c42c9d7-231a-4f2d-bff7-18171167aeab", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json b/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json deleted file mode 100644 index 990ef6f6f5..0000000000 --- a/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--f67a7a14-9db2-4361-92f9-e83f3b32cca3", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--be7c3f83-b164-4d53-bfac-65f7437dabec", - "created": "2023-03-20T18:54:36.266Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:16.372Z", - "description": "The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json b/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json index ce68476caf..aa1be26f64 100644 --- a/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json +++ b/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edbe4d72-93f9-4049-b2cd-8dcb664ff21c", + "id": "bundle--c7a61698-3291-4e2d-bdd0-4d7005074cb8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json b/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json index 0e1155e2a3..9e76cc2714 100644 --- a/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json +++ b/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed2c34a4-7ef2-492e-970f-6cf444035e8c", + "id": "bundle--de6df199-926a-498f-b9f8-9cf5f8c69fc5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json b/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json index 7b2b798ed7..6a4ae7afa2 100644 --- a/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json +++ b/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9da8733f-5f8b-4cef-9339-4c275483db63", + "id": "bundle--2e9b228c-8536-4aeb-bf16-7c46e54a920f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json b/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json index a06e8e696c..466666f3c8 100644 --- a/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json +++ b/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30485945-51fd-4236-8d4a-50430a880c29", + "id": "bundle--6f41a9dd-219b-450e-bd0b-c1117519578e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json b/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json index 4f46dc4751..081e6a4e5f 100644 
--- a/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json +++ b/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21085637-4e81-4cbd-9325-1c35fa20b5c1", + "id": "bundle--e95eb4df-f90a-4688-8ce4-4aa61cbec8a7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json b/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json index be72308a56..bb46a9c4a5 100644 --- a/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json +++ b/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9cc0633-5edb-4501-9226-8a20072e6bf4", + "id": "bundle--bb62efac-acfc-4682-b47c-20df53afdba6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json b/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json index 5d3a3fec96..23892a8d04 100644 --- a/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json +++ b/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--134608a0-885e-4f1a-a61f-2ccd501353d3", + "id": "bundle--c7340fbb-3735-4aa9-a9f6-4b0858aa141b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json b/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json index 7a949d1c87..dad84d306f 100644 --- a/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json +++ b/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e568429-af6f-488e-8ee4-8d43bec1c877", + "id": "bundle--2f82e31a-89a2-4ee0-97af-a46c5c80f06f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json b/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json index 8a96058ba2..7eed5e0d66 100644 --- a/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json +++ b/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43bf22ab-4e18-40f7-8da3-2420bc4df225", + "id": "bundle--0a7c0f64-a2ec-4c6a-973d-c79ba8aed739", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json b/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json index 2650714c68..017dd82252 100644 --- a/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json +++ b/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--628c0a07-c760-4fe5-8bc3-50bb0df7664b", + "id": "bundle--20794dd5-2f5f-47fe-a292-3f8016d98465", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json b/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json index 2159206297..a997371117 100644 --- a/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json +++ b/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5217ff1-6424-422a-96fe-3ea45d3f9c7b", + "id": "bundle--b91460b9-5b03-45e1-83c5-c878f1a661d4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json b/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json index a9a336eea1..d089880406 100644 --- a/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json +++ b/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--461bb942-ad72-44d1-a151-5a981a9542ef", + "id": "bundle--a7daf96b-701a-4ef0-800c-758be46b59af", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json b/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json deleted file mode 100644 index 4826de23fb..0000000000 --- a/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--e300fb6e-caf5-4c2e-bb79-4fa2a560fa7a", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0", - "created": "2023-03-15T16:39:32.117Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:19.170Z", - "description": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", - "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c0121974-44ba-425d-9445-2d6598a5bc66.json b/mobile-attack/relationship/relationship--c0121974-44ba-425d-9445-2d6598a5bc66.json
new file mode 100644
index 0000000000..117bd56c58
--- /dev/null
+++ b/mobile-attack/relationship/relationship--c0121974-44ba-425d-9445-2d6598a5bc66.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--92dbe98e-faf7-4696-b27b-b436fe1593e7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c0121974-44ba-425d-9445-2d6598a5bc66",
+ "created": "2025-08-29T21:56:42.565Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-12T20:59:15.937Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has abused the Accessibility Service to mimic victims\u2019 actions and to redirect victims to its StubActivity when the victims attempt to use the original, legitimate banking application.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
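Review bot: The citation text in the `external_references` entry runs the two authors together as `Ortega, F. Pratapagiri, V.` with no separator, and the relationship `description` ends with a trailing space after the `(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)` marker. Suggest `"description": "Ortega, F. and Pratapagiri, V. (2025, June 18). …"` for the reference and removing the space before the closing quote of the relationship description. The same trailing space appears in the RatMilad (relationship--c0d2e769-fb30-4aba-a39d-875e6926513a) and FluBot (relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b) descriptions added in this commit, so tooling that matches or deduplicates on exact description text needs to trim it.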
diff --git a/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json b/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json
index 85f00a0b4f..a4068883dc 100644
--- a/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json
+++ b/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5e933cda-705d-44da-9c66-5e05d2737499",
+ "id": "bundle--f41d8c87-05a7-4963-80fc-6a1d354ee709",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--c04d6143-6878-47b4-8be7-b205c3942b1d.json b/mobile-attack/relationship/relationship--c04d6143-6878-47b4-8be7-b205c3942b1d.json
new file mode 100644
index 0000000000..e5ee8d1006
--- /dev/null
+++ b/mobile-attack/relationship/relationship--c04d6143-6878-47b4-8be7-b205c3942b1d.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--16223e9f-d378-45cb-beea-d01578e5c9a4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c04d6143-6878-47b4-8be7-b205c3942b1d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae",
+ "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json b/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json index ab5b416e58..3be1cc4123 100644 --- a/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json +++ b/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82ef72d2-b2e4-4c97-ba21-6b702ec38f96", + "id": "bundle--079bf607-3e83-4eb4-815a-b93a83d3756e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json b/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json index f73e0d8b2a..fb075444f2 100644 --- a/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json +++ b/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21e21e8b-0499-4754-91d1-c87226ea99f6", + "id": "bundle--0f1db95e-ee69-4084-bbc2-5b4f58767ecd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c0d2e769-fb30-4aba-a39d-875e6926513a.json b/mobile-attack/relationship/relationship--c0d2e769-fb30-4aba-a39d-875e6926513a.json new file mode 100644 index 0000000000..579a164099 --- /dev/null +++ b/mobile-attack/relationship/relationship--c0d2e769-fb30-4aba-a39d-875e6926513a.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--007e3e76-e9c3-463e-b7ac-bc1e0d695245",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c0d2e769-fb30-4aba-a39d-875e6926513a",
+ "created": "2025-09-18T14:39:15.185Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-18T14:39:15.185Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has deleted files on the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json b/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json
index dc0c101668..4d4f43de8a 100644
--- a/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json
+++ b/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--928781ee-be61-4fd0-b819-f98ff89c3057",
+ "id": "bundle--27609fe4-75b8-41df-8013-8c01a9bb7ded",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json b/mobile-attack/relationship/relationship--c130e347-38ab-48fd-8779-946477e53dfa.json
similarity index 52%
rename from mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json
rename to mobile-attack/relationship/relationship--c130e347-38ab-48fd-8779-946477e53dfa.json
index 63c633172c..7245ec3148 100644
--- a/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json
+++ b/mobile-attack/relationship/relationship--c130e347-38ab-48fd-8779-946477e53dfa.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--821e20be-b624-4abf-82ec-4131ae6667c1",
+ "id": "bundle--cc85ae75-fae6-4714-8941-02fd0f4871e4",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549",
- "created": "2023-03-20T18:24:56.396Z",
+ "id": "relationship--c130e347-38ab-48fd-8779-946477e53dfa",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:52:45.628Z",
- "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "source_ref": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa",
 "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
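Review bot: Git reports this as a 52% rename, but the STIX object id changes from `relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549` to `relationship--c130e347-38ab-48fd-8779-946477e53dfa`, so the old relationship is removed outright rather than superseded by a version carrying `"revoked": true` or `"x_mitre_deprecated": true`. A consumer that syncs incrementally by id would keep the stale `detects` edge from `x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6` next to the new detection-strategy edge for the same technique, unless it also prunes ids that are absent from the release. The old guidance text (`Mobile security products can often alert the user if their device is vulnerable to known exploits.`) is dropped from the relationship as well; whether it was carried into the detection-strategy object cannot be confirmed from this hunk. The rename to relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796 further down follows the same pattern.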
diff --git a/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json b/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json index 11b960c6d5..28180e3ea7 100644 --- a/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json +++ b/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--368be793-fb6d-4793-9f1f-079ded91e0dc", + "id": "bundle--884b774b-86af-493c-b288-d91de26b2f36", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json b/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json index 6bbfb7d0fc..debc83be33 100644 --- a/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json +++ b/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17bbfb92-9eaf-41b9-bd77-205c2f216796", + "id": "bundle--c347be2b-37bb-4f7e-bb6d-83a6343cdadf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json b/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json index 3bb7850e09..fdb2957513 100644 --- a/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json +++ b/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d76bafe-5192-4767-81cc-e6e2e9ff4e97", + "id": "bundle--d277d993-9151-4f58-bfbf-c414c833d33b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c15acd70-6527-4788-baa9-51a11b996164.json b/mobile-attack/relationship/relationship--c15acd70-6527-4788-baa9-51a11b996164.json new file mode 100644 index 0000000000..629441e551 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--c15acd70-6527-4788-baa9-51a11b996164.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--18846812-2565-494f-ad96-54381cd938b5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c15acd70-6527-4788-baa9-51a11b996164",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4",
+ "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json b/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json
index dea93c704e..b93a17bdd0 100644
--- a/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json
+++ b/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--febf83ce-50f3-43e4-9230-564160f82e98",
+ "id": "bundle--5cf0c60d-7fb6-486a-9d0a-fa48b8d68d50",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json b/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json
index 15cdeaaeb9..f34bee687a 100644
--- a/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json
+++ b/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06c2d3d8-3927-43d5-bfd3-7007da4fdee0", + "id": "bundle--e82cddd0-3150-40ac-8a02-3cec58d6fbde", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json b/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json index bf2b580e60..739232fc9a 100644 --- a/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json +++ b/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f974c75f-4db6-4ec2-ba53-806f850fde09", + "id": "bundle--54f67e97-42b0-486c-8c33-d2ed4c95f9b1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json b/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json index e2f010a575..46a12efb3b 100644 --- a/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json +++ b/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3795a4d9-db5d-45ec-b74f-4db047e74dd1", + "id": "bundle--14088709-b607-415a-8060-1511bb2109d8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json b/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json deleted file mode 100644 index e560d2f6c0..0000000000 --- a/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--9ebe5c8d-4720-4404-838d-11d650289ed4", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd", - "created": "2023-03-20T15:40:11.819Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:21.785Z", - "description": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json b/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json deleted file mode 100644 index 477d990ea9..0000000000 --- a/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b3cb0a17-ba23-4ddc-b023-c52a0ed3aa4c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c23d9eff-1d4e-479f-a114-acc535540a23", - "created": "2023-03-20T18:46:51.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:21.973Z", - "description": "Application vetting services can detect unnecessary and potentially abused permissions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json b/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json index 77112e8afd..0dbf4ae37d 100644 --- a/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json +++ b/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--764c6eb9-d7fa-4d36-a37e-ef83b4d0275e", + "id": "bundle--0a845f3b-e41c-456c-a599-6a2a837f283d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json b/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json index 26d86207cf..0b72b5ff99 100644 --- a/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json +++ b/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e32ac17-e83f-4ae8-bf2a-f1532c3dc16e", + "id": "bundle--303203d2-4a24-41db-b77a-82f4a42dbab8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json b/mobile-attack/relationship/relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796.json similarity index 51% rename from mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json rename to mobile-attack/relationship/relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796.json index c64c97cf8f..ec1008b756 100644 --- a/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json +++ b/mobile-attack/relationship/relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--331cfc3e-77c3-4584-aca3-3401c28aaffc",
+ "id": "bundle--820e4f51-a0d9-4bcd-8f35-9256773b7918",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--9b56528f-cf04-4d81-80ee-7bacb862383a",
- "created": "2023-03-20T18:57:33.693Z",
+ "id": "relationship--c2a684c0-29ad-4c5b-86c0-ef8be9c5d796",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:25.266Z",
- "description": "Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "source_ref": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4",
 "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b.json b/mobile-attack/relationship/relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b.json
new file mode 100644
index 0000000000..feb42ea6c9
--- /dev/null
+++ b/mobile-attack/relationship/relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--89d03af2-c3fd-448f-8965-e406af0be652",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c30d659c-dd17-4fb0-9b88-2f29427f273b",
+ "created": "2025-06-16T17:28:37.128Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SahinSRLabs_FluBot_Dec2021",
+ "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.",
+ "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-16T17:28:37.128Z",
+ "description": "[FluBot](https://attack.mitre.org/software/S1067) abuses accessibility features in three ways: steal application credentials, evade detection and removal, and send SMS for lateral movement.(Citation: SahinSRLabs_FluBot_Dec2021) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json b/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json
index 3a55fa75a5..5c8a6ffc20 100644
--- a/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json
+++ b/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json
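Review bot: `x_mitre_attack_spec_version` is `"3.2.0"` on this newly added object while the other relationships created in this diff carry `"3.3.0"`; unless the older value is intentional because the object was last modified in June, it should read `"x_mitre_attack_spec_version": "3.3.0"`. The `description` string ends with a stray space before the closing quote (`…Dec2021) "`), and the two GodFather relationships added later in this diff have the same trailing space; trimming it avoids noise in the next export. The description also lists three distinct abuses of accessibility features against a single `target_ref`, so it is worth confirming that the credential-theft and SMS behaviours are covered by their own `uses` relationships.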
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1456b18b-9e95-4a62-8118-ddbe345ee3fb", + "id": "bundle--b0366e12-ea8a-4b6b-a5a9-094665a3b113", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json b/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json index d0320754f0..3e78f05baf 100644 --- a/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json +++ b/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bcd35dc-00ec-4480-a987-f584e99bce71", + "id": "bundle--667e03e3-89b5-44fc-8050-f838d8401514", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json b/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json index 9922472aaa..e36bdd8948 100644 --- a/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json +++ b/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5cf4d61-8485-4fb2-9224-bf8fea788721", + "id": "bundle--44042526-15d8-4b1f-8bfd-006930d149b7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json b/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json index 6268bb666e..201e251bdd 100644 --- a/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json +++ b/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0567a06-c784-4245-ac24-951943f8a8ff", + "id": "bundle--46f80578-4ce8-41d0-9fe7-2f5cb6fc3fce", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json b/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json deleted file mode 100644 index d5f8a9c248..0000000000 --- a/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--a85c56e6-b18e-473e-bdfb-9449fadf289b", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619", - "created": "2023-03-20T18:44:04.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:23.978Z", - "description": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json b/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json index acbd4935cf..75b8201bdc 100644 --- a/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json +++ b/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f72a9c0-161e-407b-b9e9-d82c0743fcd7", + "id": "bundle--f000bd01-36fa-497b-8217-768786efdb4c", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153.json b/mobile-attack/relationship/relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153.json new file mode 100644 index 0000000000..2d69efa287 --- /dev/null +++ b/mobile-attack/relationship/relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--33c94eae-2a0b-4e04-9add-60b2a51116ea",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c3e1aa57-a721-488f-8ac7-4fcb0f987153",
+ "created": "2025-08-29T21:58:20.970Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ },
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T21:58:20.970Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has gathered a list of installed applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json b/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json
index 1512124b8f..0a691defc0 100644
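Review bot: The Zimperium entry in `external_references` gives its authors as `Ortega, F. Pratapagiri, V.` with no separator between the two names, so it reads as a single author; `Ortega, F., Pratapagiri, V.` would make the citation unambiguous for analysts tracing the source. The cited title is "The Dark Side of Virtualization" while the URL slug is `the-dark-side-of-the-virtualization`, so the link is worth checking before release. The same reference block is repeated in the `relationship--c6d7f454-8dc1-4928-a668-f71aba491e45` file added later in this diff.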
--- a/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json +++ b/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a691d60-05d3-4c9d-b91e-de69338c86cb", + "id": "bundle--0d9c62ac-f455-4b92-bd07-9054ed0cf173", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json b/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json index 8f72ff3a0f..71265c2035 100644 --- a/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json +++ b/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa5da45e-1e89-4d5b-8cef-5c6196b28244", + "id": "bundle--8c54e672-2acb-4629-a30e-d34125aa2fd6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json b/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json index 0eae49e506..31a7aaedfc 100644 --- a/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json +++ b/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9975932-36b2-46e8-94d6-d083520c68ef", + "id": "bundle--f380024f-99a4-490e-9ad8-5a8430ce0171", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json b/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json deleted file mode 100644 index 8eb6bbfb09..0000000000 --- a/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--2747eb0b-7ee2-401a-97e7-d31b3f58e306", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb", - "created": "2023-03-20T18:43:03.537Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:24.999Z", - "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json b/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json deleted file mode 100644 index 8160e32e4d..0000000000 --- a/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--632578fc-91ad-4f7b-9062-44618c5dabd3", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76", - "created": "2023-03-20T18:42:18.058Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:25.234Z", - "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json b/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json index 1a6613255a..9d8e9686a6 100644 --- a/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json +++ b/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--760cf246-ec93-4608-b0c7-8169db46fbf3", + "id": "bundle--bba5cbdb-2bf2-4d7a-8eca-6f38be7231e1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json b/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json index 60953da15b..69c47ec079 100644 
--- a/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json +++ b/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb55131e-ea01-4fb8-b233-dee525ef3a5c", + "id": "bundle--f9e44595-c003-4637-a513-b9d1ba92cb52", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json b/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json index 317e729aa7..91f38e61f2 100644 --- a/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json +++ b/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--854e2edf-5527-4c50-8db9-b72162618ea4", + "id": "bundle--bf5c63dc-d337-48af-8487-1d52230fec75", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json b/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json index 6bbf76fbe9..ce3d5c3b7e 100644 --- a/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json +++ b/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b409ad63-fb67-422c-8d6a-7511bdd815c0", + "id": "bundle--ae5310be-3bd2-434c-bb37-c5c7d57a8df6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json b/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json index 7ee9858e7a..a9c8fe0848 100644 --- a/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json +++ b/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--515243ee-900b-4ce8-a5ab-179b69f8484b", + "id": "bundle--c1a04b4f-36cd-41bc-bced-dad6bc7af6d5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json b/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json index 789a2de276..65aa96828a 100644 --- a/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json +++ b/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de183c86-d33e-47cf-a507-17e3117c92e3", + "id": "bundle--02ff5cbe-3f73-4fad-aad0-ade1ad44acd7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json b/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json index a045aeeb3b..bd7a5618e8 100644 --- a/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json +++ b/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db7be4cf-00f0-4775-a5e5-498b0a47a894", + "id": "bundle--85abb224-5381-4e2d-90d4-6d27f6c5a040", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json b/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json index 7a74e951ff..5dbe74e679 100644 --- a/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json +++ b/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e69060b2-3e95-4e06-aae1-c15c8ef06593", + "id": "bundle--d0dfb85d-a52e-4624-80fb-e6844869ac28", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json b/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json index d39dd1d62e..6e8606f2e2 100644 --- a/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json +++ b/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a414d818-f4b3-41e5-b8bb-42852f18a372", + "id": "bundle--bf7dfffb-31d2-4b5c-84c6-b805953c7c73", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json b/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json index 680fdbc664..97311648f1 100644 --- a/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json +++ b/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--373af56c-ea22-4ef0-9299-c86bb2ca3f70", + "id": "bundle--5c2c3463-2138-4fad-bf83-9e413ce4b818", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json b/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json index 1762f3a522..f3680d8df8 100644 --- a/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json +++ b/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--558078c0-8015-4140-a211-dd2291bbbf64", + "id": "bundle--7226e4a4-f6e2-43d2-be40-202bf70f8a09", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json b/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json index e8d931fd98..efa7521767 100644 
--- a/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json +++ b/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca540b2c-d0ae-45ce-b963-71f326e3fa7d", + "id": "bundle--7ca403bc-014d-4369-96c2-990f2ac58b16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json b/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json index 75fb2e12f7..0bc6e4138a 100644 --- a/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json +++ b/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a413817a-d127-4021-9645-0bcf4a1f326a", + "id": "bundle--54f30152-e9b3-4a26-b8f8-709463afb1a7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json b/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json index 546ad5c289..77cccfe00f 100644 --- a/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json +++ b/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20f865fa-4489-4a4b-8c7e-80333ec91c35", + "id": "bundle--b3a66c85-f1ad-4f53-985e-f129a95737e2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json b/mobile-attack/relationship/relationship--c6758ea0-3343-4707-b563-69b901f90745.json similarity index 52% rename from mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json rename to mobile-attack/relationship/relationship--c6758ea0-3343-4707-b563-69b901f90745.json index 451af7bc9e..67a7ea14d8 100644 
--- a/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json
+++ b/mobile-attack/relationship/relationship--c6758ea0-3343-4707-b563-69b901f90745.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--dc284dd4-a5f4-4f01-872d-9dc96594cc1b",
+ "id": "bundle--dde3a082-1e86-4e82-9467-7bedd6b41886",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1",
- "created": "2023-03-15T16:24:12.588Z",
+ "id": "relationship--c6758ea0-3343-4707-b563-69b901f90745",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:49:01.672Z",
- "description": "Application vetting services can detect when an application requests administrator permission.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "source_ref": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f",
 "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json b/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json
index 3f1239bb3d..a48f4aa7f0 100644
--- a/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json
+++ b/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28fb2c50-a41e-487f-a562-18f67b613a32", + "id": "bundle--b8229836-5985-4fa0-b012-c7186df6626b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json b/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json index 233f801f74..88d5a76ae4 100644 --- a/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json +++ b/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62533089-d4ef-473b-ad4b-2a7bdff863a3", + "id": "bundle--17bf6568-744f-4249-a86f-c950ccb9d0df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json b/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json deleted file mode 100644 index 1a7913fdf6..0000000000 --- a/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--ab6d2f10-9915-49db-83b1-9cebe13c64ad", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93", - "created": "2023-03-20T18:21:59.396Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:28.899Z", - "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json b/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json index 1e214d13e6..2cfc9646c4 100644 --- a/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json +++ b/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--317bb68d-b044-4900-9cd6-9df0f756ec94", + "id": "bundle--669f841c-c525-4ad7-a98c-443d3a9f88b6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c6d7f454-8dc1-4928-a668-f71aba491e45.json b/mobile-attack/relationship/relationship--c6d7f454-8dc1-4928-a668-f71aba491e45.json new file mode 100644 index 0000000000..5bff13dbad --- /dev/null +++ b/mobile-attack/relationship/relationship--c6d7f454-8dc1-4928-a668-f71aba491e45.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--fd27baaf-beb8-4806-acac-8cabdc36e69e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c6d7f454-8dc1-4928-a668-f71aba491e45", + "created": "2025-08-29T22:07:08.828Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + }, + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T14:34:29.099Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) [GodFather](https://attack.mitre.org/software/S1231) has also obtained the phone's state, including network information, phone number, and serial number.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline 
at end of file diff --git a/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json b/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json index f23006a142..5c935feb4a 100644 --- a/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json +++ b/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad426be3-e58b-4732-a0cc-3df102bc8e3e", + "id": "bundle--9950e720-c534-468a-8d4b-ab6b05343f91", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json b/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json index 184a457875..733eb5871d 100644 --- a/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json +++ b/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13fee28e-8482-4b0f-a51c-9250847bd19e", + "id": "bundle--c75236f9-0886-4ad6-a0ca-9d5a5bd13bce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json b/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json index 1aa06d41e3..b1f5c8da2e 100644 --- a/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json +++ b/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7960e600-fc52-457e-b247-3c8324a56dd8", + "id": "bundle--d80895cc-58f1-42eb-8fdf-a638885b55d2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json b/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json deleted file mode 100644 index bda09bf9b3..0000000000 
--- a/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--eb6e46ae-147a-4a83-bdc0-084c9f9b0a02", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2", - "created": "2023-03-20T18:48:39.857Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:29.959Z", - "description": "On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json b/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json deleted file mode 100644 index 0fca4b0aef..0000000000 --- a/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--4ce8bb51-6d03-4c4a-9052-052c464d4392", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47", - "created": "2023-03-20T15:20:11.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Android-VerifiedBoot", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", - "url": "https://source.android.com/security/verifiedboot/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:30.160Z", - "description": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", - "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67.json b/mobile-attack/relationship/relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67.json new file mode 100644 index 0000000000..43fb393aa1 --- /dev/null +++ b/mobile-attack/relationship/relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--cbaced28-d1f0-40ba-a852-dfdff84bca59",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8",
+ "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json b/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json
index be5b702d80..a24e69f72b 100644
--- a/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json
+++ b/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a9a3a0b2-8dde-4ca4-ab62-ce8052bb2c34",
+ "id": "bundle--cd4f3838-0216-4bfb-a73e-b1cbd21ea340",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json b/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json
index 52a9918bb3..08390227ac 100644
--- a/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json
+++ b/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json
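Review bot: The added `detects` object `relationship--c7b0fddc-939f-44e7-8a78-b15ff0afaf67` ships `"description": ""` and has no `revoked` key, whereas the `uses` relationships added elsewhere in this commit set `"revoked": false` and carry a sentence of text. The rename hunk that produces `relationship--c91d3d41-2862-4a64-a29e-8c36dad06382` has the same shape: the sentence "Remote access software typically requires many privileged permissions…" is replaced by an empty string while `source_ref` moves from an `x-mitre-data-component` to an `x-mitre-detection-strategy`. A consumer that renders or indexes the relationship `description` for detection guidance would presumably now show nothing unless it dereferences `source_ref`, so that behaviour is worth confirming against downstream tooling. I would either drop the empty key or fill it with a one-line pointer to the strategy object, and add `"revoked": false,` after `created_by_ref` so the new objects match the others.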
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ff4d93b-0130-44e3-b665-4a5c13e080ed", + "id": "bundle--b6e34500-f867-483a-b134-c86f7fa4475e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json b/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json index 12f0c24d5e..e95ef3e4b9 100644 --- a/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json +++ b/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d69782d4-e670-42e0-a640-dc8b14444cc7", + "id": "bundle--4de6ca87-7516-4468-8a08-b47db111aec3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad.json b/mobile-attack/relationship/relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad.json new file mode 100644 index 0000000000..0861aeeaf3 --- /dev/null +++ b/mobile-attack/relationship/relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--54f0a552-5bbc-4ae0-9135-12f6435009f4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad",
+ "created": "2025-08-29T22:03:53.396Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:03:53.396Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `CALL_PHONE` permission to initiate phone calls.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json b/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json
index 4e8b61c3c3..c3c8263316 100644
--- a/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json
+++ b/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5b657dd1-31df-48b1-bad9-e49fafcb500e",
+ "id": "bundle--d6990d8f-34f2-44e7-82ae-6cbb260be854",
 "spec_version": "2.0",
 "objects": [
 {
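Review bot: The `description` of the added `relationship--c836cf05-3e52-4b6e-8ade-a3e620dd32ad` reads "has requested for the `CALL_PHONE` permission", which is ungrammatical and will be published verbatim on the technique and software pages. I would change the phrase to `has requested the \`CALL_PHONE\` permission to initiate phone calls.` and leave the citation marker as it is. The rest of the object matches the other GodFather relationship added in this commit (`revoked` present, spec version 3.3.0).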
diff --git a/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json b/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json index f5bb74e87f..4617e826ad 100644 --- a/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json +++ b/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1703e879-7fb2-4904-b610-1caaa51550ba", + "id": "bundle--44abc007-edec-4daf-9329-55fa6ce5c1c1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json b/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json index d84188cf34..f997e7dd55 100644 --- a/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json +++ b/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eab2f086-9291-4284-a333-5ff93d64619e", + "id": "bundle--7841bca7-3ca4-432a-9207-37f69327d7e6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json b/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json index b259834171..b610f7aa6e 100644 --- a/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json +++ b/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cc69c74-50bb-4a6e-a7c8-2436a801d9c6", + "id": "bundle--2a222fd5-9a43-41dc-b235-47412e0b2525", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json b/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json index 0b9e9a0782..bc38133d39 100644 
--- a/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json +++ b/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62c035a9-8a1c-44f1-b8a9-ea4b41523352", + "id": "bundle--a9de9737-4fdd-4664-8d3d-f1b361ff1d31", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json b/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json index 844f16de61..f2f16ccbc6 100644 --- a/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json +++ b/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bae63bc1-897e-4a6d-915f-808e7fb8b345", + "id": "bundle--b421a628-9988-469c-9cbf-2e74637d7e66", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json b/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json index e9e20e365b..a59bd3751b 100644 --- a/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json +++ b/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ace4f3f2-b5f5-47a5-b19a-e679c4ddd1c5", + "id": "bundle--9b7085c9-064c-4d5c-b348-e9dad49418bf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json b/mobile-attack/relationship/relationship--c91d3d41-2862-4a64-a29e-8c36dad06382.json similarity index 51% rename from mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json rename to mobile-attack/relationship/relationship--c91d3d41-2862-4a64-a29e-8c36dad06382.json index cb9eb17b4a..6d01d26886 100644 
--- a/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json
+++ b/mobile-attack/relationship/relationship--c91d3d41-2862-4a64-a29e-8c36dad06382.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--8098ad66-76da-43f4-ae98-0547323d370a",
+ "id": "bundle--61d57313-6253-46f6-8f52-d36657077098",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--3a18f41d-876c-403a-80cc-47ef57ae630d",
- "created": "2023-09-25T19:53:56.034Z",
+ "id": "relationship--c91d3d41-2862-4a64-a29e-8c36dad06382",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:01.976Z",
- "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "source_ref": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0",
 "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json b/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json
deleted file mode 100644
index e922964e94..0000000000
--- a/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--beee521a-51a8-4362-ac53-3a2807732597", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c943d462-fea7-4c01-88b2-de134153095b", - "created": "2023-03-20T18:56:37.473Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:32.821Z", - "description": "Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json b/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json index bcb022a27b..2377f3632e 100644 --- a/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json +++ b/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d4e08c3-8db0-4969-b547-a491e5e8930b", + "id": "bundle--074221c2-cf63-46ec-a3ef-9e0e4f88b4b8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json b/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json index e82b3c6582..7e4f854cde 100644 --- a/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json 
+++ b/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d0b3c02-6452-432e-8f37-96ac74d666a4", + "id": "bundle--ef42a59e-1c4a-49b7-8ab7-b422b5e875ea", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json b/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json index 3da96ed213..701a75d747 100644 --- a/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json +++ b/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6eae891f-11cc-4554-95e1-cf6aafd8af6b", + "id": "bundle--a09c0daa-7fd0-441f-8e1a-9ce84dddf23d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json b/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json index 8e8f2f92b8..7f1c6bb930 100644 --- a/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json +++ b/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a8a6916-c215-448e-8515-21e5d30c6468", + "id": "bundle--bb14be77-f825-4dfa-9340-6b76b79f5ade", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json b/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json index 5a214eb92e..d8dd10b9b3 100644 --- a/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json +++ b/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf759c09-4cfc-4287-b430-bc570ec74b6a", + "id": "bundle--45dd2155-8fdb-43d1-9f34-c7e64942c5f9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json b/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json index 0487e17f7c..8ef5b3de98 100644 --- a/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json +++ b/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6f6f1fb-01b9-45d0-9e33-56aed9bc282e", + "id": "bundle--1b479ae6-8d01-4cb6-aa8f-841e1b7f011f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json b/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json index ecf83bcf3d..a8cf9f2241 100644 --- a/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json +++ b/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15c7f95b-c7d0-4bdc-997b-38ca46946290", + "id": "bundle--71f73d06-f1f7-4660-bffb-dc0f5aa75745", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json b/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json index a8658b3556..6f89cd916f 100644 --- a/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json +++ b/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49364b48-11f2-4428-8ce4-0f0f9a85fe85", + "id": "bundle--265908ad-f73f-4645-9c9c-630013e5c8b0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json b/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json index 154b3ea8c1..da7d6dd4d6 100644 --- a/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json +++ b/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2adecd75-8f15-43d5-8a9a-ef7e1d15b589", + "id": "bundle--4fbc1c90-07f1-406e-b9c1-c7bc6bfcd439", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json b/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json index 90dbcf26fa..983f400b03 100644 --- a/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json +++ b/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--14f32258-2ea6-45c5-a585-dc5c09b65b23", + "id": "bundle--2b589eef-41b5-45a5-aa95-5ee7f05009ae", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json b/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json index 351cd61918..679413ce31 100644 --- a/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json +++ b/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57a28444-63ff-4950-a793-20b1118039d1", + "id": "bundle--cb70cfbb-6872-4091-b82a-1691bcabcc6e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28.json b/mobile-attack/relationship/relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28.json new file mode 100644 index 0000000000..1379eb759a --- /dev/null 
+++ b/mobile-attack/relationship/relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--e08bae8d-78fb-4fd2-b539-a18be39ad544",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28",
+ "created": "2025-06-25T15:35:12.240Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "TrendMicro_CherryBlos_July2023",
+ "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.",
+ "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-06-25T15:35:12.240Z",
+ "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has used a commercial packer named Jiagubao to evade static detection.(Citation: TrendMicro_CherryBlos_July2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1",
+ "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json b/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json
index 05b55aa25a..a27ef5413d 100644
--- a/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json
+++ b/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json
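Review bot: The added `relationship--cb2fcc6e-2728-4961-96f4-583e24c45e28` is stamped `"x_mitre_attack_spec_version": "3.2.0"`, while the other relationships this commit adds (`relationship--c7b0fddc-…`, `relationship--c836cf05-…`, `relationship--ccf741d0-…`) are stamped `"3.3.0"`. This may simply reflect the June creation date, but if the release is meant to be uniform the line should read `"x_mitre_attack_spec_version": "3.3.0"`, since a consumer that gates parsing on the spec version would otherwise treat this object differently from its siblings. The `description` also ends with a stray space after the citation marker, as does the one in the added `relationship--ccf741d0-9a3d-4b37-822e-a74267032279`; trimming both avoids whitespace-only diffs in a later export.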
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91d2ddf4-1daf-4fd3-8535-132480a0210b", + "id": "bundle--aef809d3-41df-4ee7-9ade-c942780120df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json b/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json index 7eac5c7c8f..cf88aa8df4 100644 --- a/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json +++ b/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a2774b5-8fb8-4676-ba43-77d8c40f4be5", + "id": "bundle--e98f7dec-302f-49e7-a437-0319ed60e84f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json b/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json index e3ad277d9d..b0603111dc 100644 --- a/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json +++ b/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--664cf6a6-db9c-4ec2-bb4e-729e835b5531", + "id": "bundle--77091ab4-d0f5-4669-a038-189d1d56aae5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json b/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json index afc6dee394..343c1a8838 100644 --- a/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json +++ b/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee057e69-9c85-47e8-bc6a-87c26f72d12f", + "id": "bundle--8a482084-3fd7-47b6-aa38-ee6e46b7a583", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json b/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json index 3504166eb8..b48a03d6f6 100644 --- a/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json +++ b/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39790722-b17b-43d7-8879-923696c29d20", + "id": "bundle--258a671c-c679-4410-b0e1-b57bb62cbc0d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json b/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json index 51ceae059e..a6b4bb7e75 100644 --- a/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json +++ b/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cae2f5a2-f538-4f96-8fec-08d0a15371e5", + "id": "bundle--10414667-3dc6-45ca-b5b3-bdfc6c40ce8c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json b/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json index c7bdf62eb9..97887b1f36 100644 --- a/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json +++ b/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61b324ae-d847-45d5-921f-e2e0d0ba6e3a", + "id": "bundle--73ec360b-8db0-483f-aaa4-0b6f051b04b6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json b/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json index 4aa5c49f49..d5d81534e2 100644 
--- a/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json +++ b/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95f2e27e-bb1c-4a62-af28-309b2102ff61", + "id": "bundle--7efba3b5-6c0d-4154-b878-e4679544e8db", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json b/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json index 1a3aeb9d98..88c5298c11 100644 --- a/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json +++ b/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9b0ca3d-1186-4cd5-b77a-3d544feac126", + "id": "bundle--ecb23d41-5c3d-4a90-9fb5-d943064a81ac", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json b/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json index f45ee1abe2..c2104015c7 100644 --- a/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json +++ b/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ff69d3b-6daa-4cbc-8756-3a58f0b9b0d4", + "id": "bundle--8a5294c3-cb08-4887-af5e-f61cbc72f89f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json b/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json index f6c9130d81..c92146d53b 100644 --- a/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json +++ b/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d5a8c6e-0182-4a76-86b9-4fce38e1dd11", + "id": "bundle--ef88affe-fffe-49a0-869c-ee15ebb8ccf0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json b/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json index 64ea007f7e..1effc8ab03 100644 --- a/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json +++ b/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--960a0182-ada2-4a94-af6f-2655119fca20", + "id": "bundle--207bc1b5-de02-439f-a35d-500562f14b17", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json b/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json index 1027959e0b..a3fb7ea9b6 100644 --- a/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json +++ b/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d29e4faa-7797-4981-83a6-58f91bb9c28c", + "id": "bundle--856c44ed-3c22-4cb3-9168-b57445f122d0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json b/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json index a3310e8c38..6cd4142011 100644 --- a/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json +++ b/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1a40cc9-dd4f-4382-824e-de78179df22b", + "id": "bundle--fe683405-be11-4ba0-983d-26dcb57af6a3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json b/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json index 86e76a4c77..ce244cfc1c 100644 --- a/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json +++ b/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08a81f1e-5c69-4c8f-96dc-659dffd9f155", + "id": "bundle--438e36bd-969e-4b5f-a093-cab948f74e46", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json b/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json index bc242e1a1a..f6a2ef7fa3 100644 --- a/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json +++ b/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac60eaa4-993c-451c-add1-7bf8fd0b7a49", + "id": "bundle--005bab90-ccd2-4c9e-8f29-bbf7b8c683a6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json b/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json index 32b6ad6fe0..a02daf0f36 100644 --- a/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json +++ b/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28ac4e4f-a626-4ae1-a058-0e4ab0942148", + "id": "bundle--ea3cf21f-20a8-4b7e-8a20-009f68940194", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json b/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json index 39e0e04ea5..7a34dba4f7 100644 
--- a/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json +++ b/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--deb3f150-c8da-46a5-917b-454ee1a4e466", + "id": "bundle--606437e0-6fcb-4300-83e6-7fbfdbe45006", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ccf741d0-9a3d-4b37-822e-a74267032279.json b/mobile-attack/relationship/relationship--ccf741d0-9a3d-4b37-822e-a74267032279.json new file mode 100644 index 0000000000..48742d4a5f --- /dev/null +++ b/mobile-attack/relationship/relationship--ccf741d0-9a3d-4b37-822e-a74267032279.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e33894b3-7be4-4af3-87b7-d3ef233aee5c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ccf741d0-9a3d-4b37-822e-a74267032279", + "created": "2025-08-29T22:01:27.430Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MerkleScience_Godfather_April2023", + "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.", + "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T22:01:27.431Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has generated fake notifications to lure the victim to phishing pages.(Citation: MerkleScience_Godfather_April2023) ", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json b/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json index ce96cc368c..3bb8c6e679 100644 --- a/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json +++ b/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56186369-6156-4504-94cc-4b06719ec11e", + "id": "bundle--b00040f7-9ec9-4c5a-beb8-6cb0badb7f16", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json b/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json index 59335f57b1..196aff4901 100644 --- a/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json +++ b/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5efb7b6b-5e59-46eb-a8aa-add430e59d85", + "id": "bundle--19c89e65-eea0-4f58-a68c-b91754966dcc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de.json b/mobile-attack/relationship/relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de.json new file mode 100644 index 0000000000..c030609b47 --- /dev/null +++ b/mobile-attack/relationship/relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fa28b066-7223-4c48-92ff-5dc257c95014", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cd13a6b2-2edf-4b2e-a8e3-3ed11b48a6de", + "created": "2025-09-08T16:36:01.835Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-08T16:36:01.835Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json b/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json index e1dbee266e..fd7a4317c1 100644 
--- a/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json +++ b/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fd05b57-0903-4575-a302-d9faaa8a9f40", + "id": "bundle--0029d1ca-cf2f-42d0-a310-6c514f255fc3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json b/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json index 238f5ed52b..9f5797c5ea 100644 --- a/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json +++ b/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3b68b15-69b0-47db-85e2-bf2c1c6569bc", + "id": "bundle--30f89937-63df-469a-aefb-de5847c36bc7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json b/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json index 394641ae12..ed785b64ec 100644 --- a/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json +++ b/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d1ff642-dc5f-454d-a1d0-df9f84b4006b", + "id": "bundle--ec3d0787-54e3-4b9c-aaf6-3307de69335f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json b/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json index 62f8b16bf4..62488347b5 100644 --- a/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json +++ b/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9cfb597e-006c-435a-b869-9c3b47dad5e4", + "id": "bundle--f4c9f067-0760-472e-b161-0e68f7e81a63", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json b/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json index 1a0fa0ae80..75894f4922 100644 --- a/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json +++ b/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59df630f-3230-45c7-a6da-e43f6d0fd1d1", + "id": "bundle--4297eb98-464f-44ee-979b-624fce5b4737", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json b/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json index 0df591c466..46fe8cbf4a 100644 --- a/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json +++ b/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a421ecc0-2971-49f5-ae31-6d965e001b4c", + "id": "bundle--60c5db1e-7d61-4b05-b056-48a60b87ea9a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json b/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json deleted file mode 100644 index 2903ae1ed8..0000000000 --- a/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--de069c4c-95a6-49f8-a569-4f06be4d9d0e", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca", - "created": "2023-03-20T18:58:19.895Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:41.112Z", - "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json b/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json index e2599d8f23..47d764639f 100644 --- a/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json +++ b/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0d1a57a-6e82-4513-b0a1-163b26502b63", + "id": "bundle--a2556b0c-3262-4bdc-b580-c22b25dd399b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json b/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json index fadfbf0881..7cbd7e66c1 100644 --- a/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json +++ b/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--14b79592-a3e4-45c0-b41c-2e7801c0b3c4", + "id": "bundle--6d62c5f0-af12-4b46-97cd-3c80551d9cbc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json b/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json index b2116cc4a6..2d2a65375a 100644 --- a/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json +++ b/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74b314b9-419e-4258-9c7b-7b7b4bb07706", + "id": "bundle--32862b6d-e79a-43ab-a116-b283a870750d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json b/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json index 6420cbc902..15aee2e2b5 100644 --- a/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json +++ b/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d26398b-5173-4220-ba5f-58ce4e95bfd6", + "id": "bundle--dbc49366-c13b-48c1-bac9-1356184e0381", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json b/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json index 0e4374c20e..5490ab11e4 100644 
--- a/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json +++ b/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--778335c0-04ce-4216-9e4f-e3623481b752", + "id": "bundle--0e9f70b4-e53e-42bf-963e-1a3bb565dc3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json b/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json index e3d1b334be..2b0f364dde 100644 --- a/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json +++ b/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0dda689f-ec43-49a3-94d8-6fa52d9b2aab", + "id": "bundle--f433aa1e-45ec-41e2-9980-784392501d15", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521.json b/mobile-attack/relationship/relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521.json new file mode 100644 index 0000000000..bfbe042420 --- /dev/null +++ b/mobile-attack/relationship/relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d79a19df-1f1b-407e-b711-f0781083d7fe", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json b/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json deleted file mode 100644 index 2f3728f790..0000000000 --- a/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json +++ /dev/null 
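Review bot: The new `detects` relationship `relationship--ce5e7227-bf1d-4d73-9c90-efc37a2c6521` is added with `"description": ""` and without a `revoked` property, and the hunk that adds `relationship--cf70a7c5-1118-4d19-8c83-63a86b233917` has the same shape. The `detects` relationships deleted elsewhere in this diff carried their detection guidance in `description`, so a consumer that renders that field will show nothing for these entries unless it also resolves the `x-mitre-detection-strategy` object named in `source_ref`; whether that object holds the guidance is not visible here. I would drop the empty `description` key or give it a one-line summary. For consistency with the other relationships added in this diff, I would also add `"revoked": false,` after `created_by_ref`.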
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--59118bdf-2d52-4991-b917-e1b51dd9c698", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b", - "created": "2023-03-20T15:56:47.307Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:42.577Z", - "description": "The user can see which applications are registered as device administrators in the device settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json b/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json index e25b7daaae..0b032acf49 100644 --- a/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json +++ b/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ac2f45f-8806-4793-9bcf-b97b06737b9e", + "id": "bundle--de60377d-a3d9-4e68-9755-d89e066c8a4c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json b/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json index 747b076501..b726c9862b 100644 --- a/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json +++ b/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b25ec126-a916-46b4-ad86-0e16472dbacb", + "id": "bundle--89d27feb-ed21-44d0-b034-04e60fd77bcf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json b/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json index e8626be5e3..f3e1b08197 100644 --- a/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json +++ b/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1c61498-08d2-4038-ae10-c073a57ec654", + "id": "bundle--ebce2555-fb66-4fbf-87c6-073310f3f5c5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json b/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json index aef667747b..7bd4714ef4 100644 --- a/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json +++ b/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6624e1ab-ed0e-4066-9739-834aa42551bd", + "id": "bundle--9c21abd1-9bfc-4dae-870d-687698e1d233", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab.json b/mobile-attack/relationship/relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab.json new file mode 100644 index 0000000000..19d09cfe06 --- /dev/null +++ b/mobile-attack/relationship/relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e400d93b-ac4d-4bc8-828e-edb29f70f9c7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cea64a5c-1a69-4714-a6b9-2c6764f1fcab", + "created": "2025-10-08T14:42:37.400Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:42:37.400Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has compressed and encrypted collected data with a password from the C2 server.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json b/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json index ba50993e26..4f25e4a95a 100644 --- a/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json +++ b/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf97d136-80ad-4c16-bc06-5c62e3cefaa2", + "id": "bundle--d86e504c-aa47-469c-96b8-e69323961f65", "spec_version": "2.0", "objects": [ { 
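Review bot: In the `external_references` entry for `Lookout_DCHSpy_July2025`, the citation text has a stray space before the period ("Israel-Iran Conflict . Retrieved"), and the `url` slug ends in `iranian-dchsy-surveillanceware`, which does not match the DCHSpy spelling used in the relationship `description`. The slug may be the publisher's real path, so confirm it by resolving the link rather than editing it by guess, since analysts follow this reference to check the technique mapping. The citation text can be corrected directly so that it ends `During Israel-Iran Conflict. Retrieved September 19, 2025.`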
diff --git a/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json b/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json index 279dc08bc0..1aff952416 100644 --- a/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json +++ b/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5218d11-8c37-411a-a393-f7b92cfc520b", + "id": "bundle--aae6d86a-638e-4805-ba15-3f5c1c0feb91", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json b/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json index 1df63cbb99..9f17b365e6 100644 --- a/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json +++ b/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a5ab6d2-372f-4a9c-863b-49d58e12c76b", + "id": "bundle--b7aabb57-f664-49b7-a690-9debe4457daa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json b/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json index dec11ce4c6..85afd3cd75 100644 --- a/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json +++ b/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e28e321e-d433-4bd2-b14a-9622a79de444", + "id": "bundle--2993c6a8-46ec-43d3-9b62-c8aba99ecc12", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json b/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json deleted file mode 100644 index 67c59410a9..0000000000 
--- a/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--9302ab29-9fbd-4585-8416-47e8d8fe19d0", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263", - "created": "2023-03-15T16:23:59.107Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:44.484Z", - "description": "When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf70a7c5-1118-4d19-8c83-63a86b233917.json b/mobile-attack/relationship/relationship--cf70a7c5-1118-4d19-8c83-63a86b233917.json new file mode 100644 index 0000000000..06d298f487 --- /dev/null +++ b/mobile-attack/relationship/relationship--cf70a7c5-1118-4d19-8c83-63a86b233917.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--bad6741d-8acb-475c-81d2-70892933f8bb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cf70a7c5-1118-4d19-8c83-63a86b233917", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json b/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json index 7fd716e054..47ce729bcc 100644 --- a/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json +++ b/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b381169e-766d-456a-b763-2ccb1a67f27f", + "id": "bundle--60172c1a-1206-4ad5-8f7b-2ea15abdb52b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json b/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json index 9af102c65a..8c8e6f61b2 100644 --- a/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json +++ b/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--488a5a5f-4ecc-45c6-ab61-596a2ab79a77", + "id": "bundle--0b5238ee-944f-4fad-9f78-6e8a3731fcce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json b/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json index c2def5b195..0e0f3a0813 100644 --- a/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json +++ b/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b57a3b62-3e0e-4aef-a7ee-948c8bbff3f9", + "id": "bundle--f47b0106-c018-4846-94af-35ee1f2e7190", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json b/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json index ec1d791d11..9a66571cc7 100644 --- a/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json +++ b/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--788974e4-15db-4345-ab65-fa7bdcd2c87a", + "id": "bundle--9011dfa9-8afc-472c-877f-892c88ab445a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json b/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json index b5f5f7bb2e..537f458722 100644 --- a/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json +++ b/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98ada0a9-0349-432c-b775-31a357cba0f3", + "id": "bundle--3beb0953-6615-4a05-8d2f-bd7720e10bb4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json b/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json index 1f9f6a0025..6d51497a02 100644 --- a/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json +++ b/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a7825e7-b06b-473b-80d5-97cc4b099059", + "id": "bundle--4e2ca6f3-4a86-49ad-b0c7-55d6f5dceb29", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json b/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json index 8805c385eb..79dcf4727d 100644 --- a/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json +++ b/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2076bcee-2547-4251-94f8-3fc7b2915c17", + "id": "bundle--c5d2288f-8b52-4cdf-9a67-cc86abb45d47", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json b/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json index 5c57511264..e77f9b22e4 100644 --- a/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json +++ b/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0900cb0a-e160-4140-9b66-4fb9ba3af839", + "id": "bundle--1b01ac9c-a124-4b29-8dd9-8254333608c1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json b/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json index 5eb5c35f96..bda83fc2f2 100644 
--- a/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json +++ b/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c97c6bee-d1b4-430f-862e-afa711acf898", + "id": "bundle--4b1e49d8-8dcb-4780-bf8d-4d3b94682095", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json b/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json index 7ee9f90308..7c9351e809 100644 --- a/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json +++ b/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9387911-985e-47b4-9d2f-5c2a9ea8340f", + "id": "bundle--b4e7c002-c749-41a0-8e40-f5fe6c7683db", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json b/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json index f4b4853fb4..5986b11b02 100644 --- a/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json +++ b/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b80435b-abea-45dc-9029-23aa39e7274b", + "id": "bundle--53bf8f09-8759-48e8-97be-0fc1457b7bf6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json b/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json index da21d4114f..102282cc07 100644 --- a/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json +++ b/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9b5fcd48-1e2b-463d-ba59-3654356240c5",
+ "id": "bundle--faec91c5-b590-4faa-9894-14bc08cf9ba5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json b/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json
deleted file mode 100644
index 835c5bb95a..0000000000
--- a/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--628e026a-ed52-4e1b-a96c-233469719704",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--d170a088-b115-4a86-b093-8aa32666a470",
- "created": "2023-03-15T16:39:55.148Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:51:47.377Z",
- "description": "On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
- "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json b/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json
index 4b9440351f..e1302d5e71 100644
--- a/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json
+++ b/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ef8143ef-1cab-4084-97e8-89673e49258d",
+ "id": "bundle--c21739c8-eccc-44c9-a4f9-3023d1b72f6e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json b/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json
deleted file mode 100644
index 7e097c2c8b..0000000000
--- a/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--e21c8473-f671-477c-8c51-a5ece0f8a8cf",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e",
- "created": "2023-09-22T19:15:22.670Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:51:47.781Z",
- "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
- "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json b/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json
index 0b198a6a22..9d0c2d7d59 100644
--- a/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json
+++ b/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--86736fad-8fe2-418a-b06b-b507076a2b85",
+ "id": "bundle--bd6c4e91-1498-4678-a5d4-11b9fc4edf12",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json b/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json
index dd02420399..b1f7fd0854 100644
--- a/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json
+++ b/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9666b4e5-4778-4744-a6f1-380fcb4cf44a",
+ "id": "bundle--f9ff8575-4a11-43ab-bdbe-c71023ac29ac",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json b/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json
index cdf1827162..294c1dba44 100644
--- a/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json
+++ b/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b7e4573-f7bc-4569-8127-07d5d9750046",
+ "id": "bundle--25968f0c-75d6-410c-82f6-8ead871ebe30",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json b/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json
index 27f369d2d6..27c522b070 100644
--- a/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json
+++ b/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--704006e7-e6ca-4184-b79b-3310da3b2c45",
+ "id": "bundle--344f212e-3237-4ca1-aa97-5a379210f9b6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json b/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json
index 844bfd5cc1..c6323b41fb 100644
--- a/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json
+++ b/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--548cf1bb-abe7-4338-8a00-ea0430f40edf",
+ "id": "bundle--55631a70-bd53-4a1a-bf0f-dd3f48a02071",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d3007886-00d1-4796-83da-f8ff26f4ac52.json b/mobile-attack/relationship/relationship--d3007886-00d1-4796-83da-f8ff26f4ac52.json
new file mode 100644
index 0000000000..fb5af3ed30
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d3007886-00d1-4796-83da-f8ff26f4ac52.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--e491ff1e-95dd-4f55-bfe2-5593e0cc2dcd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d3007886-00d1-4796-83da-f8ff26f4ac52",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0",
+ "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
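Review bot: The new `detects` relationship in relationship--d3007886-00d1-4796-83da-f8ff26f4ac52.json is added with `"description": ""` and without a `revoked` key, while the `uses` relationship added by this same commit (relationship--d622d417-…) and the removed `detects` objects all carry `"revoked": false`. A consumer that reads detection guidance from the relationship text will now get an empty string and has to resolve `source_ref` to the `x-mitre-detection-strategy` object instead; that object is not part of this hunk, so whether it carries equivalent guidance cannot be confirmed here. I would add `"revoked": false,` after `created_by_ref` for consistency, so filters that test the key explicitly behave the same on every relationship. The same applies to the added d51b73d7-… and d5c8eba4-… files and to the rewritten d3129d65-… and d3aa489f-… files.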
diff --git a/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json b/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json
index e0ed9a73b8..3e149158dc 100644
--- a/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json
+++ b/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6d5cc22b-13c3-4593-8f54-37cfd69c7f94",
+ "id": "bundle--e7893400-7ef4-4951-843a-b2583ddf1f47",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json b/mobile-attack/relationship/relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7.json
similarity index 53%
rename from mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json
rename to mobile-attack/relationship/relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7.json
index f5f281fda2..892da4707c 100644
--- a/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json
+++ b/mobile-attack/relationship/relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--5d82b34a-1e8f-4d6e-a99c-3f4d7ecc0394",
+ "id": "bundle--65598820-b8d5-4190-8e03-158d07c6f518",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--322d0123-ea4c-4562-a718-672952c83d05",
- "created": "2023-03-20T18:55:54.372Z",
+ "id": "relationship--d3129d65-5d7f-434b-b2c7-043a6d8488e7",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:47:49.939Z",
- "description": "Application vetting services could look for misuse of dynamic libraries.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6",
 "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json b/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json
index 0a3c7c26aa..753bc45d98 100644
--- a/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json
+++ b/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--98003cc5-2b3e-42d4-8971-527a68adc24d",
+ "id": "bundle--359e30ac-05b3-4ad4-8a04-d78f598b91c1",
 "spec_version": "2.0",
 "objects": [
 {
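Review bot: Git reports relationship--d3129d65-… as a 53% rename of relationship--322d0123-…, but the object's `id`, `created` and `source_ref` all change in this hunk, so for any consumer this is one relationship deleted and a different one created. The old id leaves the dataset with no object left behind marked `"revoked": true` or `"x_mitre_deprecated": true`, so tooling that keys detection coverage on the STIX id sees a silent removal rather than a supersession. If the commit description does not already say so, it should state it, e.g. `Replaces data-component detects relationships with detection-strategy relationships; the old relationship ids are removed.` The d3aa489f-… file (shown as a rename of 89d0de37-…) follows the same pattern.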
diff --git a/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json b/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json
index a0478c3df2..e19074b8cc 100644
--- a/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json
+++ b/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--95848bef-9a98-4b41-ba43-369a54d37206",
+ "id": "bundle--17a796d9-7d10-48fb-af3f-abe872b5d418",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json b/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json
index 9340f33ad3..968679cc26 100644
--- a/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json
+++ b/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--857228cd-aa39-4145-b9a0-bcd1f2b07459",
+ "id": "bundle--f1a4dc4f-be66-4ffc-a892-7f410980e6b9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json b/mobile-attack/relationship/relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e.json
similarity index 51%
rename from mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json
rename to mobile-attack/relationship/relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e.json
index 2c7a8a1086..1f0d3313b4 100644
--- a/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json
+++ b/mobile-attack/relationship/relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e.json
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--5897f63c-37e1-4341-a545-c4c49d0f52cc",
+ "id": "bundle--5c1b4ded-ac63-466c-9e2a-4092d3654a6d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d",
- "created": "2023-03-20T15:55:09.279Z",
+ "id": "relationship--d3aa489f-35e9-4f9c-b710-6c77f0eff18e",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:50:01.137Z",
- "description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6",
 "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json b/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json
index 284ed1dd04..995520b70a 100644
--- a/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json
+++ b/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e45a91ea-0be0-4cde-9865-e746b3e9a807",
+ "id": "bundle--c210d8c5-1df5-468f-820f-3e2ba0ad0705",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json b/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json
index 90a7e66b20..e0336fddab 100644
--- a/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json
+++ b/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d80109fe-1f86-4561-8347-19ccc41f6fce",
+ "id": "bundle--4dd8065d-5e82-4ad0-90dc-031a639f6bf9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json b/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json
index ae3521e16a..06d2b2a654 100644
--- a/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json
+++ b/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--253c4ef0-669a-4685-a4c9-9a941f1ef894",
+ "id": "bundle--6314a7aa-5362-4182-a992-5562d1067c1a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json b/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json
index 4f6d357b6f..7cb569767b 100644
--- a/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json
+++ b/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--709d2d92-a6bd-4bc4-996b-58c79d3401f8",
+ "id": "bundle--7b5b6175-71bd-4400-aea3-f86f3c7b1981",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json b/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json
deleted file mode 100644
index 9111b6d6d2..0000000000
--- a/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--602950f1-3d74-4236-892d-c74c8e11e7ed",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86",
- "created": "2023-03-20T15:16:43.275Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Samsung Knox Mobile Threat Defense",
- "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.",
- "url": "https://partner.samsungknox.com/mtd"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:51:50.562Z",
- "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json b/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json
index 95b2aa3c96..049b60a8d9 100644
--- a/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json
+++ b/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6f75ccf8-f0c4-45b7-b620-e1ffd5d766d2",
+ "id": "bundle--0b0e20d1-680e-43ce-8325-961911e7b06a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json b/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json
index e4f8a39eda..7ebed16172 100644
--- a/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json
+++ b/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--92868836-de70-4713-b796-b358bd7bcbf2",
+ "id": "bundle--900bd058-ec48-487f-b38d-b368c695a43d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json b/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json
index 36f9796fe8..a9ef9c53ed 100644
--- a/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json
+++ b/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3dc1b44d-47d1-48a8-ab37-be726cfde257",
+ "id": "bundle--bf95aa8b-3e43-47d5-8b25-3b34645564e2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json b/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json
index a5ca805564..7d4968fea1 100644
--- a/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json
+++ b/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--44110420-6238-427d-a2fc-3b424a4fb481",
+ "id": "bundle--85d1c6a1-1c4c-4857-8c94-40ab42f1afac",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json b/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
index 84ba14fbda..04fb0379b5 100644
--- a/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
+++ b/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db2304d6-a8e4-473e-a9fb-e0472bca3b1b",
+ "id": "bundle--3d2f5ed0-9f86-4bb2-ae41-bed95bd73018",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc.json b/mobile-attack/relationship/relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc.json
new file mode 100644
index 0000000000..b1e211e8b1
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--08534ec5-d325-47c8-85b9-78d06e575051",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d51b73d7-ebfe-48e5-ac85-3980c9bd3cbc",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7",
+ "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json b/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
index c2ffbdd46c..1d38ef1ddd 100644
--- a/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
+++ b/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--691f5497-9285-4586-802f-92a00de1af3f",
+ "id": "bundle--2d5cec49-aa1c-49f2-b8c8-cb14b2558c15",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json b/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json
index bf2f0f47fd..5dc281da1d 100644
--- a/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json
+++ b/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6f2d19ef-cd46-4692-8e8d-51acffde4d82",
+ "id": "bundle--af38fb82-90ef-460f-ad0e-81ef3f9c428b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json b/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json
deleted file mode 100644
index b20dd46414..0000000000
--- a/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--381a38cb-9623-4c37-b809-fe6334dbbaa9",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb",
- "created": "2023-03-20T18:58:14.140Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:51:52.157Z",
- "description": "The user can review which applications have location permissions in the operating system\u2019s settings menu.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
- "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json b/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json
index 71f516ddee..caae60bd32 100644
--- a/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json
+++ b/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0c1e6983-3105-48b3-82a2-5401805482c5",
+ "id": "bundle--d4f6c8b7-b3ad-4153-b878-95fb25b25d6a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json b/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json
index e1957b6784..6421e9a9c3 100644
--- a/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json
+++ b/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1de90816-92c6-47de-96aa-974a52455679",
+ "id": "bundle--58c6a946-bf9c-42b4-a129-000adf564412",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json b/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
index 1d5735ef49..4e2aa4ee7f 100644
--- a/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
+++ b/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a8972af0-d56a-4499-b97f-fd10ad308cf8",
+ "id": "bundle--f9b6ecc5-c76f-4746-b742-2acb510ab8f0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json b/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json
index 11ed4ed68c..a95b1c1155 100644
--- a/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json
+++ b/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a49697d8-3a12-4320-8094-ec660c93cf80",
+ "id": "bundle--fd48df92-0c4d-4f22-99ea-9f6db3e200e3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9.json b/mobile-attack/relationship/relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9.json
new file mode 100644
index 0000000000..c1f3a3475f
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--be839c94-94ac-49fe-8a0b-8bf8e0c5862d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d5c8eba4-3954-40c7-b800-afa6bc1105c9",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff",
+ "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json b/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json
index 8866fb025f..1c18e38cc5 100644
--- a/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json
+++ b/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d786d88-4f55-4557-8eb9-e57808813a16",
+ "id": "bundle--36083429-0dc4-4c78-9941-9b5e2394bbdb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d622d417-6439-40e8-ac3b-10463beeeb8f.json b/mobile-attack/relationship/relationship--d622d417-6439-40e8-ac3b-10463beeeb8f.json
new file mode 100644
index 0000000000..1c20f013db
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d622d417-6439-40e8-ac3b-10463beeeb8f.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--36b52776-53df-426c-8df5-62e74f8209f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d622d417-6439-40e8-ac3b-10463beeeb8f",
+ "created": "2025-10-08T14:38:31.286Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:38:31.286Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected account names and their types from the device.(Citation: Lookout_DCHSpy_July2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json b/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json
index 80625c374a..84e7c84104 100644
--- a/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json
+++ b/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8299046e-4182-4189-9c17-dece1209af40",
+ "id": "bundle--121778c1-9376-474c-8fcd-bfe7c8f7c233",
 "spec_version": "2.0",
 "objects": [
 {
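Review bot: The citation text in the `external_references` entry of relationship--d622d417 has a stray space before the full stop, `Israel-Iran Conflict . Retrieved September 19, 2025.`; it should read `Israel-Iran Conflict. Retrieved September 19, 2025.`. The identical string is repeated in relationship--d8da0428, so both copies need the same edit to keep the `Lookout_DCHSpy_July2025` citation byte-identical across objects.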
diff --git a/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json b/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json index f70592b022..a4af4ddd9a 100644 --- a/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json +++ b/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d384731f-f756-404b-a307-f9ed09bfc75c", + "id": "bundle--70a9e244-e752-4c0e-a1b8-ffa11d673b49", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json b/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json index 67267912ef..7d554decf8 100644 --- a/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json +++ b/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b5dfe9f-6ff0-41a6-8fad-6dbc4d7ac6f6", + "id": "bundle--d2272de0-2aa9-43e5-9907-578c4ef85c05", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json b/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json index afefc8f8dc..ed17780dc9 100644 --- a/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json +++ b/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61e75dfb-c30a-49e6-ae62-8e1a0c664a72", + "id": "bundle--6044e388-704c-4cae-b822-5676910a2267", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json b/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json deleted file mode 100644 index 87a07ff4b7..0000000000 
--- a/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--0d5842a6-8e18-4416-ad46-9e7e0bcfc891", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7", - "created": "2023-03-20T15:16:28.177Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:54.530Z", - "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json b/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json index ae717f2186..f168928e57 100644 --- a/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json +++ b/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c343e12f-5da2-4dcd-a71b-cf5431eee77c", + "id": "bundle--2112e8d1-0ced-4233-8bb9-07e44b589c00", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json b/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json index d11dea4c5e..cd2379f5ba 100644 
--- a/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json +++ b/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d455e8b-8fc8-4a13-bc85-2eaa3672b547", + "id": "bundle--eeb791c6-761a-4ebd-a4a2-eefdf566b4cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json b/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json index c3b4cb9174..70a5ac0688 100644 --- a/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json +++ b/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8709b28d-42be-42ad-8062-64db798f788e", + "id": "bundle--168e427e-e010-409a-b50c-ce6a89bf319f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json b/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json index bebab7f922..f3deb7f8b5 100644 --- a/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json +++ b/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--925689f6-4a07-4ab7-bdf4-c35a60a020ac", + "id": "bundle--f00d1f6e-fa31-40f6-81ad-f74eec94e023", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json b/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json deleted file mode 100644 index 582356b526..0000000000 --- a/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--8e3e9fb9-680a-416c-82df-ac4eb64b004c", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5", - "created": "2023-03-20T18:50:21.296Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:51:55.563Z", - "description": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json b/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json index 0e6defad8e..ca8470f6d3 100644 --- a/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json +++ b/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--516bee26-a760-436b-a69a-e9feae2702ac", + "id": "bundle--fb57932f-a460-4b2b-a9cc-5900168a0e23", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json b/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json index 2465dcedc0..18c422a725 100644 --- a/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json +++ b/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8873d42-0c51-42ae-9636-e773c8942e08", + "id": "bundle--65bfac03-d4a5-41bc-8c73-32c95a9d26c0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json b/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json index b9e166eb67..1a0ba68d75 100644 --- a/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json +++ b/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f66637a0-35a1-43c2-8978-b92019e5c72b", + "id": "bundle--29080e7f-b79b-46ae-adf2-2b8f25c626cf", "spec_version": "2.0", "objects": [ { 
@@ -13,20 +13,20 @@
 {
 "source_name": "Trend Micro iOS URL Hijacking",
 "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
+ "url": "https://web.archive.org/web/20211023221110/https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:51:56.181Z",
+ "modified": "2025-09-08T16:44:09.588Z",
 "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
 "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json b/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json
index 8b76ccb5dc..53d516d121 100644
--- a/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json
+++ b/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aa6c2f14-8bec-4e35-b1e4-7620333a83e0",
+ "id": "bundle--2916b740-f2e2-427c-8f82-8698e0c7a080",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json b/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json index 76a268559c..dda4b13880 100644 --- a/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json +++ b/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d60def5-b995-437f-a261-243e10729061", + "id": "bundle--d94611c7-e43e-43d8-b996-736bf39eb5ba", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json b/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json index af21379c33..66b4d933a2 100644 --- a/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json +++ b/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da76322d-2b22-455f-87d4-1affd7f3f538", + "id": "bundle--b52fc61e-8c80-4ea2-9275-4a0795420244", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json b/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json index 73716a7ddc..0bf77e927f 100644 --- a/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json +++ b/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--881cce7a-5730-4066-8256-6602a47150ee", + "id": "bundle--d0ff81b6-b216-40f4-b657-7bddc34ef6b7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d7b7d0f4-2312-4207-824d-332904b81759.json b/mobile-attack/relationship/relationship--d7b7d0f4-2312-4207-824d-332904b81759.json new file mode 100644 index 0000000000..8a659aaa5b --- /dev/null 
+++ b/mobile-attack/relationship/relationship--d7b7d0f4-2312-4207-824d-332904b81759.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e7be0eab-b271-4704-ad58-ccdbfb7bfdbd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d7b7d0f4-2312-4207-824d-332904b81759", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", + "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec.json b/mobile-attack/relationship/relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec.json new file mode 100644 index 0000000000..b6d98d6329 --- /dev/null +++ b/mobile-attack/relationship/relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--77b4ba6b-ff1c-4dd8-9e81-95f3d2bbb249", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d7bd4131-a95e-4f6a-a9ce-113079f1dbec", + "created": "2025-08-29T21:56:01.595Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025", + "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.", + "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-08-29T21:56:01.595Z", + "description": "[GodFather](https://attack.mitre.org/software/S1231) has obfuscated its Android manifest file with irrelevant permissions and manifest strings.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", + "relationship_type": "uses", + "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json b/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json index 459efdcdf0..c05aed996e 100644 --- a/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json +++ b/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18abbe5a-6677-4ffd-8a31-40f90cb5ecac",
+ "id": "bundle--93d2c460-c6b6-4f36-8c61-d33f9cdefbe6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd.json b/mobile-attack/relationship/relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd.json
new file mode 100644
index 0000000000..1d9f9e2f30
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--73927213-b21a-4c28-b870-e9ef11ae59ac",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d7d6f1dd-9ed2-48a5-8c81-6dc09181d3fd",
+ "created": "2025-08-29T22:03:31.202Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "MerkleScience_Godfather_April2023",
+ "description": "Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.",
+ "url": "https://www.merklescience.com/blog/the-godfather-android-malware-threat-under-the-lens"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-08-29T22:03:31.202Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has requested for the `SEND_SMS` permission to send SMS messages.(Citation: MerkleScience_Godfather_April2023)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
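Review bot: The `description` of the new relationship--d7d6f1dd reads "has requested for the `SEND_SMS` permission", which is ungrammatical; dropping "for" gives "has requested the `SEND_SMS` permission to send SMS messages." The string is shown to analysts as the evidence for the malware-to-technique link, so it is worth fixing before the object is published.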
diff --git a/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json b/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json index 8d1219194f..9681cdee43 100644 --- a/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json +++ b/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df949b14-c8bb-4ad5-9ea2-232de2af13c0", + "id": "bundle--a57ee62f-2db7-43c2-9506-30579c4b00d9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json b/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json index da79ee857b..c227d6901f 100644 --- a/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json +++ b/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31703f57-9054-4820-85a2-f2e6b6cc8998", + "id": "bundle--1cafb589-e927-46a2-9e44-cc7528954e2b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json b/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json index bf1453b054..7f4684b9f8 100644 --- a/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json +++ b/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42409fd3-1212-47d6-88d3-fd32575bd9cf", + "id": "bundle--1690c80e-f7a2-49c5-b2e3-022082a3d682", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json b/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json index d339c03945..8b49a3d878 100644 
--- a/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json +++ b/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3250c394-b66e-461e-ba57-6ced5ed310bc", + "id": "bundle--1c636e3e-a63a-43f3-9a2e-37c93ada307b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json b/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json index 548770bef0..37498b751d 100644 --- a/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json +++ b/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--582edf28-86b7-433d-8d82-0eb31ca6ca94", + "id": "bundle--ff86d396-3c73-4d65-8883-b02a896947fc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json b/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json index 224230ee71..9d37d216c6 100644 --- a/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json +++ b/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdff8f19-c092-462d-a092-ca359222c2c6", + "id": "bundle--d1eafe3d-8f95-45ce-8bee-083ff72a2d6e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json b/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json index 55c428ef48..1d5273cfdc 100644 --- a/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json +++ b/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4f5ae7c0-69d0-4696-a223-0ed3e757b347",
+ "id": "bundle--d9c9f9f7-2e19-4e0d-9d0e-cd497b5b7e53",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--d8da0428-122e-4054-baee-ff85847d28fb.json b/mobile-attack/relationship/relationship--d8da0428-122e-4054-baee-ff85847d28fb.json
new file mode 100644
index 0000000000..d8ee061305
--- /dev/null
+++ b/mobile-attack/relationship/relationship--d8da0428-122e-4054-baee-ff85847d28fb.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d5cae4ee-d9f0-4a9a-a3ef-187660a06e13",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d8da0428-122e-4054-baee-ff85847d28fb",
+ "created": "2025-10-08T14:35:07.786Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T16:56:25.834Z",
+ "description": "(Citation: Lookout_DCHSpy_July2025) ",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+ "target_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
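Review bot: The `description` of the new relationship--d8da0428 is `"(Citation: Lookout_DCHSpy_July2025) "`, with a trailing space inside the string and no sentence saying on what basis the intrusion set is linked to the malware. Trim it to `"description": "(Citation: Lookout_DCHSpy_July2025)"`, or put a short attribution sentence before the citation so that an analyst reading this relationship on its own can judge the claim. Exact-match deduplication or diffing of descriptions downstream will otherwise treat the padded string as distinct.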
diff --git a/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json b/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json index db6153eaaf..a058ee1450 100644 --- a/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json +++ b/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1358543f-6a28-427a-8d04-f532651bc529", + "id": "bundle--5d38c261-ffdb-405e-a5a2-5b7235ba7ebc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json b/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json index c008d5f195..727cb222dc 100644 --- a/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json +++ b/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d85267d-af1d-4ced-a89b-6084b94d6227", + "id": "bundle--83f043a3-1097-4d2f-9ac7-01e3db6d3cbb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json b/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json index c84ae8b1b1..5618f799e4 100644 --- a/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json +++ b/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--528b1bf7-fb3a-4095-81b5-2f5cab71dceb", + "id": "bundle--6fc24364-39db-4278-a97b-fb0e13fa50b9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json b/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json index 7c0b7290f9..9ee942dca7 100644 
--- a/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json +++ b/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe2e7a17-c0c3-446e-90a3-dc6d54d0fc72", + "id": "bundle--d9fb3faf-3664-4c27-9f62-6bf0d10fcce4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json b/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json index bf3a2dd484..6de3106630 100644 --- a/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json +++ b/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edbcb57c-a74f-4491-acb8-1f0ad987ddf4", + "id": "bundle--8a49107b-ac48-4171-a4b0-2920d91a6658", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json b/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json index 70d76068a4..0bf9839c66 100644 --- a/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json +++ b/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3bef0bf-dc9b-439a-86bc-75160142e388", + "id": "bundle--a2e9189f-727a-4e03-adb4-33bc97a26cf6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json b/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json index b3722b6ab6..82d10e4f84 100644 --- a/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json +++ b/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d4d49c82-d1b7-40ba-8bb0-ed90f83e8ad2",
+ "id": "bundle--5e96d9bf-6069-4020-8926-2e940a20fd05",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json b/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json
index c8e1ea6fae..26365686d0 100644
--- a/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json
+++ b/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5b76a0bc-f8b2-41bc-962e-276e1761b591",
+ "id": "bundle--41be5b86-f8cc-4161-bdd2-4d399e9568de",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5.json b/mobile-attack/relationship/relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5.json
new file mode 100644
index 0000000000..dc3acfa128
--- /dev/null
+++ b/mobile-attack/relationship/relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--4cee0c09-2d3f-4e8e-98b5-1b26c3d7467f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4",
+ "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
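Review bot: The new `detects` relationship relationship--dae66212-1bc9-485b-8a12-64fb6ca15aa5 carries `"description": ""`, so the object on its own says nothing about how the technique is detected. The `detects` relationships this commit deletes (dba7bd66, e012da15, e14db7d0) held that guidance as prose on the relationship; here `source_ref` is an `x-mitre-detection-strategy` object, which presumably carries it instead, but that object is not visible in this part of the diff. Any consumer that builds technique-to-detection coverage from `relationship.description` will now get blank entries and needs to resolve `source_ref`. I would drop the `"description": "",` line rather than ship an empty-string sentinel. The new object also omits `"revoked": false`, which the new file relationship--e2128a08 in this same commit includes. The same applies to relationship--ddfa9b6c, relationship--de8f4252 and relationship--e1a94e63.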
diff --git a/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json b/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json index a914cd1252..48efd24738 100644 --- a/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json +++ b/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0f2c907-0f39-4130-8301-473fa46f94ec", + "id": "bundle--d496c561-8374-4aa1-8ce3-73d07f255859", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json b/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json index 7bcb9e7499..82190b4e86 100644 --- a/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json +++ b/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7373f46-c51f-49fc-b2e1-6fd368270a88", + "id": "bundle--271d3411-5e1d-4a5e-9827-d6fdbc9e923e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json b/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json index 6c56ddcde5..15d04c36e6 100644 --- a/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json +++ b/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d6c05bd-9250-4046-aca3-723dab488edb", + "id": "bundle--72e893cf-c090-4575-96aa-bd68246b915e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json b/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json deleted file mode 100644 index 9980da0a29..0000000000 
--- a/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--85dba085-a862-4f3a-9d12-b8deb958ff70",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff",
- "created": "2023-09-21T22:31:55.337Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:52:01.375Z",
- "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
- "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json b/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json
index 279d905b23..598482ad2b 100644
--- a/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json
+++ b/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0f85b5f6-a49f-495f-be4d-7723ad4a181e",
+ "id": "bundle--6a5626c1-5d4f-4b88-a5b3-ff12df28844d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json b/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json
index 0c512ecc9e..15b5bbb20e 100644
--- a/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json
+++ b/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7148bb8-8b6c-46bd-b279-294e6fa4b862", + "id": "bundle--f1aca561-a2a1-4ad5-a193-7868e7ae4f3b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json b/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json index 9c6e5c3ddf..4e313f1020 100644 --- a/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json +++ b/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6cf5a60-5701-4038-90c3-b40ba0ef672b", + "id": "bundle--cd714a7d-2401-4a44-bb16-6a9075b8e9a5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json b/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json index d38d75d63d..e2eb000063 100644 --- a/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json +++ b/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7cd4afe2-0a53-46de-bb46-81667e3d7dbe", + "id": "bundle--da55e7ff-9b3e-4cbf-a157-31080a7d06f2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json b/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json index 6a8ffdc38a..24d78cddd5 100644 --- a/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json +++ b/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7395e0d-c45b-4cea-95fa-f7bd2e347df9", + "id": "bundle--5a8c9dbf-4129-4194-97a4-1b85672f69fe", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json b/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json index 4f943ad487..cefe42d2f6 100644 --- a/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json +++ b/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4eb7d7f9-ff3f-4247-af31-2f1286856433", + "id": "bundle--d5181588-1945-41da-98c8-3d8c2b4c296b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json b/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json index 6fa7d2bf37..38d7138ecb 100644 --- a/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json +++ b/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed329cec-a1a4-468d-87ec-30ef51e30f4a", + "id": "bundle--cba13174-9931-41be-8686-241a1af453d2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json b/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json index 41cf87fafb..22cbb1a180 100644 --- a/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json +++ b/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90a1584b-20f5-4256-a465-b8995f5bab35", + "id": "bundle--6339c59b-deea-48d3-a873-b1765c35ddb5", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json b/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json index 72a77160a4..8185b9aa6c 100644 --- a/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json +++ b/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a1b5849-efcb-4219-a3ed-0c4b3ec25a78", + "id": "bundle--51e27915-4849-4886-bd87-a13a5b58afb8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json b/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json index 5cd078f9dc..b01e7da9c9 100644 --- a/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json +++ b/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0323d801-bd5f-461a-a3b7-2817d93fd62f", + "id": "bundle--13a88c03-f8fe-4b89-9efe-753925b35e78", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json b/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json index 702936fa29..f217f6c1d1 100644 --- a/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json +++ b/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac322102-a017-40e2-bc67-a4269b962d41", + "id": "bundle--96703888-caa1-4602-826b-6201a184a8a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101.json b/mobile-attack/relationship/relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101.json new file mode 100644 index 0000000000..5bcdd24c0d --- /dev/null 
+++ b/mobile-attack/relationship/relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--69a2b250-0322-4c70-a857-a1e87503cc62",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ddfa9b6c-a2b9-46e0-9a44-fa19a9aa0101",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b",
+ "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json b/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json
index ceff8a7b3f..513a566184 100644
--- a/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json
+++ b/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a886bf57-06aa-49e5-97fd-9ad144b13fd5",
+ "id": "bundle--32bf5504-3fc8-40f8-a87e-6e424c0aa99d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json b/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json
index 3d13586aa8..6752aaed37 100644
--- a/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json
+++ b/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76501672-1a4a-4a86-8935-bb72baaf3575", + "id": "bundle--84d2994d-9774-4e19-8291-65a230463f3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json b/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json index e45281f81e..948ab2e016 100644 --- a/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json +++ b/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fecd4f5-b8d7-4e9b-ab80-8d268f7b3af0", + "id": "bundle--9900f077-b225-466e-acc8-b7fe64b59b6e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json b/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json index 423aade197..c4fda1cf10 100644 --- a/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json +++ b/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--412ef22d-929b-4b9d-9536-26142a2c14b5", + "id": "bundle--09cb69cc-a68a-4008-bab7-c8cc26891773", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json b/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json index 6a89b83943..f57b3af538 100644 --- a/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json +++ b/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2de9dd8e-9fc3-4295-afab-644f0ea2dae6", + "id": "bundle--9a583c92-243f-400b-8f6e-69ddd6fcdaa9", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--de8f4252-d725-430c-bcd9-29225c131e6e.json b/mobile-attack/relationship/relationship--de8f4252-d725-430c-bcd9-29225c131e6e.json
new file mode 100644
index 0000000000..6543848158
--- /dev/null
+++ b/mobile-attack/relationship/relationship--de8f4252-d725-430c-bcd9-29225c131e6e.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--a00053e9-66e0-4469-927f-efc65b529636",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--de8f4252-d725-430c-bcd9-29225c131e6e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2",
+ "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json b/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json
index 025ce9c68d..de0f48c4bc 100644
--- a/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json
+++ b/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b575d682-ba06-4888-b86b-792a4319f242",
+ "id": "bundle--f68d3563-deab-4b53-8f3d-e331313a33c0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json b/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json index 22eaad0258..c486a10207 100644 --- a/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json +++ b/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72a9dbe2-73c7-42af-8fd1-9290812add92", + "id": "bundle--5f5466f6-1e1e-4002-821a-56318a3b2f8f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json b/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json index a43d80dcc3..60461fe7b0 100644 --- a/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json +++ b/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8207b8c9-67ea-4ff1-a054-715b777a30a7", + "id": "bundle--92dd7faf-8efa-4ea3-90d7-87b4bdcdeaa3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json b/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json index 6c4a00a54f..2732b80a7a 100644 --- a/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json +++ b/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4a6ad99-cf51-4db8-82eb-9d66bb316b5d", + "id": "bundle--2b8cb61f-bd8f-41aa-b4e4-a1673e0f0bd9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json b/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json index 2380e926a9..c722063bee 100644 
--- a/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json +++ b/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e414871-02fd-47b3-9c59-972767b5f843", + "id": "bundle--316d29dc-2fdc-4943-9d23-ccfa180bc883", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json b/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json index 82d12b7996..4bac9e6988 100644 --- a/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json +++ b/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9177346b-3f92-4984-81ee-0c6ac2296b3c", + "id": "bundle--0cc5ddd1-c906-4868-a0a8-025d6b6b134a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json b/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json index ec1f9a55d6..1e03ae5d2f 100644 --- a/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json +++ b/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cc04d7e-b9e3-4e66-9922-2df454ed33d9", + "id": "bundle--2cb08a85-444f-4a73-ad05-67ddaa56f8d6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json b/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json index 4250467a88..748d563e8a 100644 --- a/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json +++ b/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b0239ea-6e18-42d8-bb63-0211b9bac510", + "id": "bundle--f9854a9a-b808-41d2-b6b4-5bcdf9593721", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json b/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json index 68c93c0511..62f99dbe99 100644 --- a/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json +++ b/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49d79066-aa15-428e-8c63-d082a7829d95", + "id": "bundle--ae262618-1dbb-43cf-ab14-a9768ac0a214", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json b/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json deleted file mode 100644 index 758b35d147..0000000000 --- a/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8eef7cb2-231a-4eb4-aa55-6e69d4190065",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--e012da15-7669-4764-ad9d-8a1d817bcca9",
- "created": "2023-03-20T18:23:04.068Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:52:07.279Z",
- "description": "Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
- "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json b/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json
index 37ccbf299a..24161b67b8 100644
--- a/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json
+++ b/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--25a5bfdd-71f2-4626-9273-24cd3adedbd2",
+ "id": "bundle--a4e7715f-2e84-4af9-8ab1-6cb2c70c5bb0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json b/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json
index 2b695381fb..ea061101ca 100644
--- a/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json +++ b/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cd69a97-dc6a-487c-94e9-89184a5679ae", + "id": "bundle--8e3bf1aa-dc77-4518-803f-3d3c52ee4369", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json b/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json index 3131be4d78..757338c5bf 100644 --- a/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json +++ b/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09f396aa-d63a-4972-9ef6-42928bc913a6", + "id": "bundle--2a822f10-013f-44dc-b7df-cce8b94fd554", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json b/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json index 069290ccfe..60327b025f 100644 --- a/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json +++ b/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--635bd814-6a90-4f76-a609-1602382a8ab5", + "id": "bundle--aade9802-a305-4b99-b597-ab1296d80e13", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json b/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json index be4473ccfc..2179e91e0b 100644 --- a/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json +++ b/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75b527d3-c3b5-4513-8f7c-2b98ec46a19e", + "id": "bundle--5da905f5-625b-4c03-be3b-bf267e4d511d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json b/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json index d14a912da1..189e47a674 100644 --- a/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json +++ b/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4156b6c7-3002-4ef0-86a8-f81673e78e7f", + "id": "bundle--939a37e5-4016-4821-a551-c0b1ec7ed5b6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json b/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json index 2c2a418ea3..1db3d613a5 100644 --- a/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json +++ b/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78a6152d-c678-4eb8-819d-e1ddd4e210e4", + "id": "bundle--442ba3ea-5691-44ae-89b3-36877a219436", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json b/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json deleted file mode 100644 index 3c476b4392..0000000000 --- a/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--711da3d3-b581-41bc-8ecd-01ed90b9d118",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36",
- "created": "2023-03-20T18:41:31.300Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2025-04-16T21:52:08.872Z",
- "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
- "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
- }
- ]
-}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d.json b/mobile-attack/relationship/relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d.json
new file mode 100644
index 0000000000..aa6bf31dc3
--- /dev/null
+++ b/mobile-attack/relationship/relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--0e7f6167-a63b-4a1e-a721-df0964994ec9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e1a94e63-733b-4d2b-8731-4abc11a1be9d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72",
+ "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json b/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json
index eac8acf25c..b994b26ce5 100644
--- a/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json
+++ b/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1dfb6285-0028-4cfb-b5f5-4afb5f0ec9f8",
+ "id": "bundle--ae362828-bfe2-4e37-8b1f-071cd72fca87",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f.json b/mobile-attack/relationship/relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f.json
new file mode 100644
index 0000000000..6305665609
--- /dev/null
+++ b/mobile-attack/relationship/relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f.json
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--39282210-e2a2-409d-b5c7-2cc8a3fbb6ab", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e2128a08-dc84-4a1e-a090-172b4591ea6f", + "created": "2025-10-08T14:37:17.378Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:37:17.378Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has accessed the device\u2019s call log.(Citation: Lookout_DCHSpy_July2025)", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json b/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json index b67d8a111a..372c057bb6 100644 --- a/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json +++ b/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3dbb124-29e0-42dd-9eec-21dd10fdd01a", + "id": "bundle--2b46ed2e-fbbe-4420-8aa0-4d8e1f0968b0", "spec_version": "2.0", "objects": [ { 
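Review bot: The citation text in `external_references[0].description` has a stray space before the period (`…During Israel-Iran Conflict . Retrieved September 19, 2025.`), and the same string is repeated verbatim in the second DCHSpy relationship (e3394db9). That relationship's `description` and the CherryBlos one in e7d6a883 also end with a trailing space after the `(Citation: …)` marker. The meaning is unaffected, but tooling that deduplicates references or compares descriptions by exact string will treat a later cleaned-up copy as a different value, so I would normalise to `Conflict. Retrieved September 19, 2025.` and trim the trailing whitespace now. The URL slug reads `dchsy` rather than `dchspy`; that may be the publisher's actual slug, so confirm the link resolves before release.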
diff --git a/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json b/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json index 6be5a724b7..6bfa197210 100644 --- a/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json +++ b/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7cdb3d56-996f-4cee-b4e7-17264801da13", + "id": "bundle--2699e8ce-904b-44ee-8571-158806959a00", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json b/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json index 36fda70a94..fb53d57001 100644 --- a/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json +++ b/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5420f53f-22fc-4fb0-8717-f094817c6636", + "id": "bundle--9767f168-a517-4443-9505-df8060a4108a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json b/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json index c013e93663..8e9e0cf922 100644 --- a/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json +++ b/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d4b9239-64df-4816-b92c-601f922f0acb", + "id": "bundle--f57a4c61-4e79-432f-8937-fa0e8b6448d9", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json b/mobile-attack/relationship/relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c.json similarity index 54% rename from mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json rename to mobile-attack/relationship/relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c.json index d05ff826f5..ae6416d01d 100644 --- a/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json +++ b/mobile-attack/relationship/relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--474db49e-9e91-4190-b21e-67b04b430db0", + "id": "bundle--9cf621a5-163f-4c48-a520-4f7422eb1342", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a", - "created": "2023-03-20T18:44:36.073Z", + "id": "relationship--e2aa5d54-6a01-48bb-9408-9f9ae00b702c", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:24.260Z", - "description": "The user can view and manage installed third-party keyboards.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "source_ref": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json b/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json index 880de6c7bf..8e85436b26 100644 --- a/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json +++ b/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ad74ce5-969e-43dd-b278-a7230b1cc5a5", + "id": "bundle--c2511579-ffa4-439f-8764-02346756e24d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json b/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json index ada26de745..9e4671c5a6 100644 --- a/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json +++ b/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d144e205-8ed0-443a-b0cf-1cdbbaa8440d", + "id": "bundle--23d3ac88-dc64-4296-b24e-665486d0430f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json b/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json index 41455b9283..4875ddd8e4 100644 --- a/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json +++ b/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54b9d839-8fdf-4a29-9030-d128603e9783", + "id": "bundle--201ff443-e501-4400-afbe-61552fbe9baa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737.json b/mobile-attack/relationship/relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737.json new file mode 100644 index 0000000000..5d6f719a81 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e8d27ccf-eb41-4baf-b242-791e735a93da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e3394db9-1cb6-4b7b-9b7e-0e6d15245737", + "created": "2025-10-08T14:40:19.684Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout_DCHSpy_July2025", + "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.", + "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-08T14:40:19.684Z", + "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has collected files of interest on the device, including WhatsApp files.(Citation: Lookout_DCHSpy_July2025) ", + "relationship_type": "uses", + "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53.json b/mobile-attack/relationship/relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53.json new file mode 100644 index 0000000000..3a46861777 --- /dev/null +++ b/mobile-attack/relationship/relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--70b92c54-c914-4540-a394-e28dc2ec24a7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e33c48aa-e5b2-46b0-a82d-31f5c1faeb53", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1", + "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json b/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json index 79fbafc24f..90d5a17c4f 100644 --- a/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json +++ b/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce59356f-7aa5-4162-8925-f3c3f941c917", + "id": "bundle--45af0a60-1030-49c2-b9cf-96f060ec4856", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json b/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json index d36ee3c543..772957e27d 100644 --- a/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json +++ b/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cbb4fd69-725d-40c9-9de7-c18d75ba0458", + "id": "bundle--d6d2a0c8-61dd-4b1f-a2c0-d2d85da2f7ce", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json b/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json index 8a349a5cab..7acb45788d 100644 --- a/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json +++ b/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75f23398-2892-42a9-8ce7-5b55bc8f6cda", + "id": "bundle--d6a6e736-05dd-41c9-9051-644555720122", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json b/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json index 3ac77b3c81..c115552492 100644 --- a/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json +++ b/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c0d32b3-b6a9-44ee-a847-eb49473074d4", + "id": "bundle--997cbaa7-abcc-493d-aac0-8cdf95cf5833", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json b/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json index bbcb81422e..8dffb13e19 100644 --- a/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json +++ b/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bea7014-a7fd-4d3d-863d-e7e8df33c4c1", + "id": "bundle--885eca0c-ff90-46f8-8b40-9c1150158191", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json b/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json index 54db3670af..8ca54e8779 100644 --- a/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json +++ b/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38bec301-3260-4f02-9eca-3769ba5d5d10", + "id": "bundle--d871d34e-0477-4c8f-9201-37cd0b12ac18", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json b/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json index e36ee7e80d..5bff4056ec 100644 --- a/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json +++ b/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5a9bc56-98bf-48f9-8805-94f469496a17", + "id": "bundle--505f7970-5cf9-48fc-8102-9902a279704c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json b/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json index 74d7f4f0f5..fb44eedbf1 100644 --- a/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json +++ b/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47ffb693-b0e7-4c6a-8afa-7ea294c41786", + "id": "bundle--db4b5bab-4d4c-44de-ae4e-e407bcce6ffe", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json b/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json index 2a6ce942f8..7b3b3c5c6d 100644 
--- a/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json +++ b/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0cbcdae-cb2c-4a2f-a257-d594649f5aec", + "id": "bundle--e28d100d-f82f-4b61-82c5-dfe228d4f7fd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json b/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json index ed98f26b8b..4327e5ea57 100644 --- a/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json +++ b/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72a409c0-b502-4212-b382-3bbe5b348044", + "id": "bundle--605346fd-4aa0-4671-bf0b-549f1b8b46d8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json b/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json index 5e5a0d735c..c3df719c33 100644 --- a/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json +++ b/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd87b198-5175-492b-b957-6bf6021b49ae", + "id": "bundle--403e1d04-9748-41ac-818b-75f4c51732e1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json b/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json index 88671c5177..5b58d8852b 100644 --- a/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json +++ b/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22fb0e60-c7e1-482b-968b-026b89dbd252", + "id": "bundle--ab8b4937-23da-45fc-b69c-b837e8292375", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json b/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json deleted file mode 100644 index d9c88adcd8..0000000000 --- a/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--34da9af6-8465-442a-b803-5c5aea5f3af3", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8", - "created": "2023-03-20T18:56:24.246Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:13.171Z", - "description": "Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json b/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json index 44084dab11..03e1ef3cc2 100644 --- a/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json +++ b/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4254d845-c5f1-41c7-b13f-593389ff760b", + "id": "bundle--c5469356-6606-4412-86f4-f2a32290b22e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json b/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json index 9e90ded00b..e15cd983a9 100644 --- a/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json +++ b/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29c617fb-0cdb-4bcc-96df-15982f4596c3", + "id": "bundle--9a69c879-d893-4761-b84b-7532bd9d6358", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json b/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json index 2afe6f83f2..eac6305064 100644 --- a/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json +++ b/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82b3c387-d29a-4b72-acff-e36d344151b1", + "id": "bundle--fba3b124-1b03-404b-918e-ace9238a9bea", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json b/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json index 03cbc7c29d..d9fa0c091f 100644 --- a/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json +++ b/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84f2fad2-9e48-4077-8ded-b3ae001779ef", + "id": "bundle--4b31ab5c-eda3-4819-93fe-ac3a03fe2799", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e56b94c0-eb5a-4597-b961-523971d84a73.json b/mobile-attack/relationship/relationship--e56b94c0-eb5a-4597-b961-523971d84a73.json new file mode 100644 index 0000000000..3f5cda1a30 --- /dev/null +++ b/mobile-attack/relationship/relationship--e56b94c0-eb5a-4597-b961-523971d84a73.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ab9f0d73-2223-4289-a021-25f6eb5315a0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e56b94c0-eb5a-4597-b961-523971d84a73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json b/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json index 2f8d4c784b..f544b34415 100644 --- a/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json +++ b/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--402179bc-84f6-4db8-803d-daa75dec4498", + "id": "bundle--48624e07-bddb-458e-b37e-e2f129cd4240", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json b/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json index 612db6564d..9088015082 100644 --- a/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json +++ b/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94290e31-0dd6-48d7-9182-d32b0dbd1ae4", + "id": "bundle--9caccd8d-4346-4ef4-81f1-d179a3d18b01", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json b/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json index aac97b6b25..0b168cd2ee 100644 --- a/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json +++ b/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e550c80-bfca-43c5-b1b6-162f633eb024", + "id": "bundle--66846ea2-a004-452d-b94f-bff2c883c4dd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json b/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json index 228910116b..b0199a632f 100644 --- a/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json +++ b/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--99318e30-e827-40e7-ab48-6740b1d0daab", + "id": "bundle--f0bf7ea0-9681-434e-a3b9-ab5a02ce0989", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json b/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json deleted file mode 100644 index cf69409099..0000000000 
--- a/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--febe2afc-e9ee-47f1-a8fd-53db3917df52", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3", - "created": "2023-03-16T13:32:02.290Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:15.008Z", - "description": "Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json b/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json index f528a51662..2a2255925a 100644 --- a/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json +++ b/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4499e6bc-68f8-4bff-8acf-7801d2a561a1", + "id": "bundle--b49d0b8f-b7a2-4112-90b1-a6de46cbdcfc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json b/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json index e311917b92..baf5f2bc32 100644 --- a/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json +++ b/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01af5456-fb2b-4141-9b1c-c07adb260614", + "id": "bundle--661ebb2b-3391-44c1-bc83-8bea886dfdad", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json b/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json index 373a89b6cd..8cdcc52b97 100644 --- a/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json +++ b/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c8dfe4f-c6fa-4269-bbfd-759f6b79f9f5", + "id": "bundle--63210794-476f-42b3-a106-8c0950f754c2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json b/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json index 7efe784c91..453a187a45 100644 --- a/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json +++ b/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf50e8ce-d627-496e-8cce-66627a917448", + "id": "bundle--3932b8fa-f053-4325-9a52-8260f3d3e38b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json b/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json index 1661714881..2754e19273 100644 --- a/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json +++ b/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d368f09-0874-4e5b-8d54-2a7f68e3390a", + "id": "bundle--4f9a2192-b531-484b-9b5c-50f1b1b3831c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42.json b/mobile-attack/relationship/relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42.json new file mode 100644 index 0000000000..568b7297a7 --- /dev/null +++ b/mobile-attack/relationship/relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1b13d6be-41e8-483b-83bb-5a5aa5b3c138", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e7d6a883-2f2b-41e7-954e-7888a65a6f42", + "created": "2025-06-25T15:36:36.311Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:36:36.311Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has displayed masqueraded wallet applications if the EnabledUIMode field is set to `true`. [CherryBlos](https://attack.mitre.org/software/S1225) has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to `true`. The withdrawal transaction is ultimately transferred to the threat actor\u2019s controlled address.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json b/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json index 492ff564fc..a5c4311060 100644 
--- a/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json +++ b/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--291e6bde-a1ee-4eda-8881-fc7b5e67d0e7", + "id": "bundle--e58f8741-91e9-4f32-8340-e4659c11d034", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json b/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json index ce5dd4b5a6..9aecbd3b44 100644 --- a/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json +++ b/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb5bca9d-6a45-4174-a763-9321229daed8", + "id": "bundle--b82a85dc-4dfc-4162-bdce-d23cff297691", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json b/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json index 8b5686b174..bb2a741d3b 100644 --- a/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json +++ b/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab624dea-7650-49f2-91ad-96a62208ce1a", + "id": "bundle--7bf37bc6-9a6e-4b95-a332-909892c4aadd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json b/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json index af44703788..c1ef111e29 100644 --- a/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json +++ b/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95eb8df8-78b4-49f9-b3a4-cba9ec9dcc3d", + "id": "bundle--361b6f19-9474-4ff9-a338-ea7de129b463", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json b/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json index 0838e38844..9230e8b476 100644 --- a/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json +++ b/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6886fc5d-65e6-4ec1-984f-e1d5ec821600", + "id": "bundle--c050dcb3-3918-4b68-946f-19c99176a9ff", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json b/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json index 345ff55fb7..f879a01ec0 100644 --- a/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json +++ b/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cbfd3ea-05c9-4ca5-83a1-ee8b5c7f6359", + "id": "bundle--1507a283-ac3e-4364-9f93-5e4ae0862f42", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json b/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json index 50e89c5b60..8509327de2 100644 --- a/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json +++ b/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e652ae36-f3ef-47fa-9980-22fad58b8a15", + "id": "bundle--d3ce750d-4de3-4228-b88f-02f38451d9d0", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json b/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json index 35ad4f5735..535f3409f8 100644 --- a/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json +++ b/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa6021d3-9454-4067-ab48-d02a58efde81", + "id": "bundle--593cc909-e3bd-4b01-bae4-57f1b1033f67", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json b/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json index 3eb0ff2e9a..18eee3b067 100644 --- a/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json +++ b/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f870076-71b6-4c28-9127-7654184fbbbe", + "id": "bundle--dc1dd7c5-0fe6-45b9-bf2b-2f5808e83d83", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json b/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json index aec133f8d4..dbbe7d1900 100644 --- a/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json +++ b/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a197422e-03f8-4240-8863-a18e3cd44411", + "id": "bundle--23d6fb4b-dd0a-4466-9f16-67e775274edc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json b/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json index 58c01a6a58..a63d405ff6 100644 
--- a/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json +++ b/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce7b8697-c6ec-4005-b692-5518eb462ab4", + "id": "bundle--181798dc-cb7e-40a4-9732-d8cd6a9f6914", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json b/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json index f50fb6dce7..e9a43a1985 100644 --- a/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json +++ b/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b89bae9-15b5-45c0-9a66-fa80c0989901", + "id": "bundle--81e62d4c-af27-4081-9b3c-9072836056b8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json b/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json deleted file mode 100644 index 20fd84191d..0000000000 --- a/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--4c8e1d7a-7135-401b-b449-c99081ae2d48", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc", - "created": "2023-03-20T18:49:38.917Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:18.914Z", - "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json b/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json index 73dbab294e..f088238308 100644 --- a/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json +++ b/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0eb91826-1d03-4785-9395-b201c6b402f2", + "id": "bundle--8f20bcdf-e6ab-4a5d-82aa-e10bda722274", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c.json b/mobile-attack/relationship/relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c.json new file mode 100644 index 0000000000..8e9e25a7fb --- /dev/null 
+++ b/mobile-attack/relationship/relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--2e938b12-344e-4582-8751-7c0bb74a77e0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee",
+ "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json b/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
index 06cf493ffa..fac5b90013 100644
--- a/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
+++ b/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c43d5f79-5ecd-4374-a8ad-f8a56d7d28b9",
+ "id": "bundle--5b8d4922-dca3-470c-95b0-30343cd03645",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json b/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
index c819bef230..5e09cccd5d 100644
--- a/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
+++ b/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
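Review bot: The new `detects` relationship in relationship--ea8cfefa-f4b5-464a-b4b8-9e3aa587316c.json ships with `"description": ""` and omits `revoked`, whereas the `detects` relationships this commit deletes carried their detection guidance in that field and the new `uses` relationships still set `"revoked": false`. A consumer that renders the relationship description as detection text, or reads `revoked` without a default, gets a blank or missing value for these objects. Presumably the guidance now lives on the referenced `x-mitre-detection-strategy` object, which is not visible in this diff, so the release notes should say so, for example: "for `detects` relationships whose `source_ref` is a detection strategy, resolve `source_ref` for the guidance and treat an absent `revoked` as false". The same applies to relationship--edf7417d-d559-4423-b169-b2b2b33fcb76.json and relationship--f2274210-22bd-4ca4-887d-691e1370c85b.json later in this diff; the latter replaces the sentence starting "Application vetting services can detect which broadcast intents" with an empty string.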
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c2dc5ef-f6ac-498b-bef8-1492c3cec2e9", + "id": "bundle--79dc23d6-3697-4ed0-a64a-b8fc767c4622", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json b/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json index 76963a98c5..5f3667ac0f 100644 --- a/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json +++ b/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd34e111-cc62-48a8-9030-8c820f15e2f0", + "id": "bundle--f4116e46-4559-444c-ae51-72f1c3bae1c5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json b/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json index 301edc17c2..6da4a5dd8d 100644 --- a/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json +++ b/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60e6ddf4-67fd-41f2-a3a8-87009e9cd925", + "id": "bundle--49691f19-df1d-40b4-ae9d-f85dd64c58d8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json b/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json index a6128d8a40..f1a535e1bf 100644 --- a/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json +++ b/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17025ee8-d462-470a-8e6d-9d403f6c5e95", + "id": "bundle--69d6d62c-38a1-4d8f-8e7b-1ef8ca68764a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json b/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json index 7b08edd3cf..02b529f6d9 100644 --- a/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json +++ b/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a90fb566-14b6-4389-ae9a-c1c5b8169e64", + "id": "bundle--bd699661-fc8b-4786-aac3-eac926f72cd7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json b/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json index 20df39ee5b..ae23d4df7a 100644 --- a/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json +++ b/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d88cbd3a-870d-4a8e-a444-99ccd4e76eb9", + "id": "bundle--3f19fa4e-ee0f-477f-a990-1cf64efbbf95", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json b/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json index f3df717c3a..d5d3064546 100644 --- a/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json +++ b/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d71844cd-7ddc-4deb-8c3f-4b8f55c516d5", + "id": "bundle--ce5208e1-9096-4993-a65c-4fa874bea10f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json b/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json index 0533a4388e..b4a87e3c71 100644 
--- a/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json +++ b/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62b38335-e362-4bac-9d38-e9a4bf396048", + "id": "bundle--ed04c909-40e6-48c6-a217-3357512098c7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json b/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json index eab276bd28..d377093c74 100644 --- a/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json +++ b/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eeb0fc25-cc3e-4dfa-b312-4f64366b6a76", + "id": "bundle--85518c9e-394d-4486-bc3e-43f290480b6c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json b/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json index 280b2853fa..18eec537f1 100644 --- a/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json +++ b/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83d6ea97-720f-4cd0-9dfe-fc4d07817451", + "id": "bundle--43d90ab9-9139-403c-8b06-1d1bf72706bb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json b/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json index 5e146671c9..7ced916a19 100644 --- a/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json +++ b/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7aef2c2-6dae-434c-b0d2-ec8a47a4fe40", + "id": "bundle--db239ca5-2535-4b4d-9856-a355ca91d97b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json b/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json index 4e8f37ec5f..3e69b39348 100644 --- a/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json +++ b/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--624f792a-3e70-4015-b939-67cb6b9fc9ce", + "id": "bundle--c0622c47-9102-4c6f-a45a-b666a4fa1c83", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json b/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json index 08fa3da8d5..eaeaabb713 100644 --- a/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json +++ b/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71a67a83-6dee-4d1b-a893-57986b9741c2", + "id": "bundle--d55218c8-03a4-48cf-b49b-97b6a8fb1cd8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json b/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json index 987ab95061..ee85d4ebd6 100644 --- a/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json +++ b/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44dfe6d9-322a-4a4f-b745-642a980a4895", + "id": "bundle--b2de54dd-810f-4312-abc4-746043848a77", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json b/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json index 2f0a2c19cd..1fd9861492 100644 --- a/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json +++ b/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--836e2173-24a5-4286-8b93-579b2a6b4136", + "id": "bundle--d8501785-85dc-43d4-808d-931cb23c579c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json b/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json index 54ba6ebf2b..c78b494de9 100644 --- a/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json +++ b/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69b301dc-001a-4fb7-a7cf-20f91e51c18a", + "id": "bundle--937ef5ac-0d70-418b-8231-7c8f1982d861", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json b/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json index 9187bd0583..477e57dacd 100644 --- a/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json +++ b/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3033222-ee09-49e1-931a-5f52f1679121", + "id": "bundle--a108e33a-a5a0-4641-9533-79b2c39919fd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json b/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json deleted file mode 100644 index 58669fbc5b..0000000000 
--- a/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7d55cdcd-2d87-44ed-8b50-2e87338362ae", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--ed7e9368-004c-484f-9eed-03b158325564", - "created": "2023-03-20T18:54:40.401Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:23.379Z", - "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json b/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json index c8c259d8ce..a1d287f961 100644 --- a/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json +++ b/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03d84c59-6420-42f7-8f19-2657d6a4a1f2", + "id": "bundle--83f4f7c3-263f-48e4-9cb5-aeb4b40e8f95", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json b/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json index caab42f9df..c631a07d1f 100644 --- a/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json +++ b/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4da8e46-3195-4e2f-96f7-1c36a4a01ecc", + "id": "bundle--978e61f7-cbe3-4c66-a909-ee9043af948a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--edf7417d-d559-4423-b169-b2b2b33fcb76.json b/mobile-attack/relationship/relationship--edf7417d-d559-4423-b169-b2b2b33fcb76.json new file mode 100644 index 0000000000..b376e7e16e --- /dev/null +++ b/mobile-attack/relationship/relationship--edf7417d-d559-4423-b169-b2b2b33fcb76.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--7cf1042e-80ef-4c2f-9ccb-b59e1c9a15db", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edf7417d-d559-4423-b169-b2b2b33fcb76", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a.json b/mobile-attack/relationship/relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a.json
new file mode 100644
index 0000000000..c60aaab72f
--- /dev/null
+++ b/mobile-attack/relationship/relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d642e7c4-ff89-4098-9507-cf20ac07b8a3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a",
+ "created": "2025-10-08T14:36:15.827Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout_DCHSpy_July2025",
+ "description": "Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.",
+ "url": "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-08T14:36:15.827Z",
+ "description": "[DCHSpy](https://attack.mitre.org/software/S1243) has masqueraded as legitimate applications, such as VPN and banking applications.(Citation: Lookout_DCHSpy_July2025) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6d5c257d-e6de-4c95-a7e8-09ac9386007d",
+ "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json b/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json
index ef9b10738d..aed288a1e6 100644
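Review bot: The `Lookout_DCHSpy_July2025` citation added in relationship--edf758e1-600e-4b7e-94eb-6c76b9a5ca6a.json has a stray space before the period (`Conflict . Retrieved`), and its URL slug reads `dchsy` while the software is named DCHSpy, so the link should be confirmed to resolve before release. If the slug is the publisher's own spelling it should stay as is. The citation text can be tidied to end `During Israel-Iran Conflict. Retrieved September 19, 2025.`. The relationship `description` also ends with a trailing space after `(Citation: Lookout_DCHSpy_July2025)`, which is worth trimming so that exact-match comparisons and rendered text stay clean.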
--- a/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json +++ b/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c4377bc-a496-4a2b-a2cd-4986a5be9b28", + "id": "bundle--13ec389b-6e8f-49b7-9a22-b266250fa65c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json b/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json index 5dd133007b..f02d205de1 100644 --- a/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json +++ b/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b7f7314-4827-4b73-abd2-b7233a09cced", + "id": "bundle--a0d7f127-1cc2-4999-8499-34281ac1ac22", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json b/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json index b16c302add..e1e0640d33 100644 --- a/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json +++ b/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--092813be-a1fe-46e7-8145-c0329359ce6a", + "id": "bundle--08ce3a75-3bfd-4e4c-8ab3-01a962444ecf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json b/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json index 60c997722d..5c2552bfea 100644 --- a/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json +++ b/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--faee2d8e-7938-405c-aa25-d2a9d59798e3", + "id": "bundle--13e0463e-49fa-49bf-95b2-e59e2d49d098", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json b/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json index 26ab5c8bf8..a608b61c2b 100644 --- a/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json +++ b/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f599a5aa-bfb1-4874-bcd3-666a363c0825", + "id": "bundle--11478d11-97d9-41eb-bf24-48a9f130a004", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json b/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json index 1d8badf631..5d6f3405e5 100644 --- a/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json +++ b/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--201f9925-c449-45c5-bcbb-51ed3431c3a9", + "id": "bundle--048e1c5c-9b40-4cd6-af3e-48af5a7a4b32", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json b/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json index a12961d6e3..75645c5917 100644 --- a/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json +++ b/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02475a51-212f-4856-9d73-668bd19bedf9", + "id": "bundle--22f32e78-88be-43c1-a04c-ce9fcb8e326b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json b/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json index 081ad7a514..64a2d6f407 100644 --- a/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json +++ b/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6af164c5-2dc0-4084-a945-7b09ec89c79e", + "id": "bundle--8d407c2c-4314-43af-b338-da9bc94bc4bd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json b/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json index 3b22bf1072..fe3a85bab1 100644 --- a/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json +++ b/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bd2d282-ee6b-4db1-b993-b8b22be49a87", + "id": "bundle--bdbb513d-c4a1-45f2-bb32-3ae768c62f90", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json b/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json index 8c4c60f506..1555c5046e 100644 --- a/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json +++ b/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--493074a4-e0d6-4f4b-aaf8-602dd5a2a434", + "id": "bundle--6972671a-f29f-4e5c-8e62-befd0701dc78", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json b/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json index b319855b5a..9c0ce69f03 100644 
--- a/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json +++ b/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0e5d620-e91c-4d0d-bc8c-0dbe361ab372", + "id": "bundle--5b1c6918-08a5-48db-9cbd-b522f7d48f74", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json b/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json deleted file mode 100644 index 7d70f4e536..0000000000 --- a/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7c3c1388-45fb-4a2b-ac8e-6dbf56089ec9", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd", - "created": "2023-03-20T18:51:58.152Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:26.424Z", - "description": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json b/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json index 0f04daa250..6980d7156d 100644 --- a/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json +++ b/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--945beb25-acd2-4dd2-934f-47a12c78c98a", + "id": "bundle--52ded8bd-536d-4ad3-a556-b4325d55ff64", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json b/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json index 8a2f395152..3eb790e3fb 100644 --- a/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json +++ b/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd60f5cf-8aec-46f3-af72-db500492a2d9", + "id": "bundle--27f6a124-1381-4fda-b8c0-a3763021c15a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json b/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json index 4cb8035705..9ba5be00d8 100644 --- a/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json +++ b/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3aaf89a0-a4da-4a3d-9694-dbda430c8e95", + "id": "bundle--d9e1df7b-af0d-4fcc-b4d7-23428097db6b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json b/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json index 0f11fa6e59..d2b6acc3d6 100644 
--- a/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json +++ b/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf9c8a0d-850e-4a6d-ba7b-d6a25b12a535", + "id": "bundle--a6a2680c-3e86-4af0-ac98-38ca822170fb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json b/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json index 0189a62742..23b3358afc 100644 --- a/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json +++ b/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa038922-6cb4-4dcf-a14a-68d99aeea630", + "id": "bundle--f7855096-69b3-488d-99f9-30a5ae22808b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json b/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json index 41530b5b2d..6e6f3f866d 100644 --- a/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json +++ b/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f6d1fcb-121c-4a83-b09e-482e1ae568ed", + "id": "bundle--dacf8983-4cf1-404d-b0a2-15b48aa56424", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json b/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json index 78ee3550c3..09a1dca5cd 100644 --- a/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json +++ b/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13d5fb62-c67c-404d-856e-93ea3d044f89", + "id": "bundle--7ed4c70a-dc0c-4d70-af42-763b68086a4e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json b/mobile-attack/relationship/relationship--f2274210-22bd-4ca4-887d-691e1370c85b.json similarity index 51% rename from mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json rename to mobile-attack/relationship/relationship--f2274210-22bd-4ca4-887d-691e1370c85b.json index 178be8a175..e559619994 100644 --- a/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json +++ b/mobile-attack/relationship/relationship--f2274210-22bd-4ca4-887d-691e1370c85b.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--24d5608b-7da8-45f1-93be-b4638f6ae889", + "id": "bundle--0c9ea800-0b27-498b-9e0e-ee874b15ec84", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--def81edd-4410-47b2-a80f-d47b3f353f54", - "created": "2023-03-16T18:27:42.656Z", + "id": "relationship--f2274210-22bd-4ca4-887d-691e1370c85b", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:05.390Z", - "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "source_ref": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json b/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json index 6ef05d7d4a..65e02ae746 100644 --- a/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json +++ b/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e142cc7a-4dcb-4dcf-8666-bd9473b056d2", + "id": "bundle--9eb90073-ee87-4636-b95d-f011ad31941f", "spec_version": "2.0", "objects": [ { 
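Review bot: The rewritten `detects` relationship in relationship--f2274210-22bd-4ca4-887d-691e1370c85b.json now has `"description": ""`, so the vetting guidance the old object carried (which broadcast intents an application registers for and which permissions it requests) is no longer on the relationship. Its `source_ref` also moves from an `x-mitre-data-component` object to an `x-mitre-detection-strategy` object, and the object gets a new `id` and `created` time. Tooling that builds detection coverage by filtering on data-component sources, reading the relationship description, or tracking the old STIX id will lose this mapping without any error unless it is updated; whether a revoked tombstone for the old id exists elsewhere is not visible here. The new object also omits `"revoked": false`, which the new `uses` relationships in this commit include, so I would add it for consistency. The same points apply to relationship--f42a3f60, relationship--f5184fc6 and relationship--f62351c6 further down.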
diff --git a/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json b/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json index 3c51a5a930..9f6840653b 100644 --- a/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json +++ b/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--736c812d-d8b7-45e2-983f-35d85903920e", + "id": "bundle--4f3f94ad-aa7e-42cc-92d4-cadd72dbfb59", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json b/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json index 5bec0be59e..17697a95b0 100644 --- a/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json +++ b/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9971e600-2aae-4aea-be76-43fd857e655f", + "id": "bundle--433aafd2-761f-4edd-981a-13bbbd856e41", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json b/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json index 54cb385408..668a4a863e 100644 --- a/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json +++ b/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3faf219-05fd-4d4c-a8e5-f427e0ef95dd", + "id": "bundle--304574b6-0bc5-462b-b18f-19713afb4d9a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json b/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json index ae6b66a199..8122296013 100644 
--- a/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json +++ b/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29312955-3688-4df5-89d8-d518427b7361", + "id": "bundle--37c28aa8-e49b-44e7-9cc5-e3cd13021c35", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json b/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json index bc93bd2c10..12f4cd1ef7 100644 --- a/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json +++ b/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b767488-1831-4be2-b7d7-61446a010e0b", + "id": "bundle--7328d691-ba04-4bad-b479-68304d8c8dd7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json b/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json index 7a39cdbd07..1d3b15e261 100644 --- a/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json +++ b/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b137bf0-d6f3-4ec1-9259-4dda29913f26", + "id": "bundle--d7b153a9-990f-4bf6-9a83-fba9d3092d53", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json b/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json index 8d39b3caa0..feb705a69f 100644 --- a/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json +++ b/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b9a73bd-9ca4-49b1-8cba-9b5b6e0e4c80", + "id": "bundle--cecd256f-9ef8-4623-abbc-5f7fa81ee68e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf.json b/mobile-attack/relationship/relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf.json new file mode 100644 index 0000000000..711b1a37ee --- /dev/null +++ b/mobile-attack/relationship/relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2174356d-2878-4aa9-a2dc-f6fd2afb801d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f3c5d1a4-406d-47cc-8152-77bfbe5edaaf", + "created": "2025-09-18T14:37:50.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:37:50.850Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has captured audio from the device.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json b/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json index 690369dc40..afa2976d27 100644 --- a/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json +++ b/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97835ac1-725a-4991-94d8-c517c5a2787d", + "id": "bundle--a8edf39c-21d6-4c96-8fa8-1d0c347ed4de", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028.json b/mobile-attack/relationship/relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028.json new file mode 100644 index 0000000000..1ed1cf43d4 --- /dev/null +++ b/mobile-attack/relationship/relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9eda38b7-0ae4-40af-a1b2-6d848e654f5f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f42a3f60-103f-4b7a-b682-a03f76f3f028", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80.json b/mobile-attack/relationship/relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80.json new file mode 100644 index 0000000000..c4e9b140e4 --- /dev/null +++ b/mobile-attack/relationship/relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--c0d71d79-dcd8-42b0-aa80-bcfb3268529d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80", + "created": "2025-06-25T15:35:33.315Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:35:33.315Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has received configuration files from the C2 server.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json b/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json index 1760374589..f327f0d066 100644 
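Review bot: The new file relationship--f44f18d4-4595-4277-9d1e-dd5be6d07a80.json is added with `"x_mitre_attack_spec_version": "3.2.0"`, while the other objects added or modified in this commit (the RatMilad relationships, the detection-strategy relationships, the updated Chameleon object) are stamped `3.3.0`. If the release is meant to be uniform, the line should read `"x_mitre_attack_spec_version": "3.3.0"`. Otherwise, consumers that pick a schema from the declared spec version may validate these first-published objects against the older one. relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436.json, the other new CherryBlos relationship, has the same value.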
--- a/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json +++ b/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--617ae7e2-b19c-458e-8cac-d2a26cf3ff21", + "id": "bundle--7a18be7a-4e4f-4db2-8b8e-5c4b48945660", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json b/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json index bcd32eb382..4fad9f328f 100644 --- a/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json +++ b/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f75398a9-42d8-4a98-8430-3a346359efea", + "id": "bundle--c9bd1846-6b03-4912-8983-8ab0bf963a3f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436.json b/mobile-attack/relationship/relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436.json new file mode 100644 index 0000000000..aa7dbbed52 --- /dev/null +++ b/mobile-attack/relationship/relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--311c63d0-5fdb-4c63-b176-dfe6c4a1c9e1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f4b0d3ea-ae51-4e3b-a642-8a853f583436", + "created": "2025-06-25T15:35:54.673Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro_CherryBlos_July2023", + "description": "Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.", + "url": "https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-06-25T15:35:54.673Z", + "description": "[CherryBlos](https://attack.mitre.org/software/S1225) has communicated with the C2 server using HTTPS.(Citation: TrendMicro_CherryBlos_July2023) ", + "relationship_type": "uses", + "source_ref": "malware--3cf81957-489a-469f-b013-362d548a96c1", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json b/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json index 1a19aa2002..b5f4548737 100644 --- a/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json +++ b/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d7204ae-08a8-482d-9941-62b9dd926c58", + "id": "bundle--ad0256a8-c9fa-4b7e-b962-61f4ca537bf7", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json b/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json index bc6b0fe520..dc0566f7bc 100644 --- a/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json +++ b/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f94b36aa-050f-4ae6-93e4-27da2251bc16", + "id": "bundle--2004365a-3338-4dcb-9370-86d34dc0e6c8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json b/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json index 35db5080fd..dafc5545e4 100644 --- a/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json +++ b/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1339638e-cbdf-43ae-9b59-d400bb8df2c0", + "id": "bundle--d913c7c7-0b30-4bf8-bdc6-e07d514dec10", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json b/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json index ed868592c7..2ad398f28c 100644 --- a/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json +++ b/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--87b4f5a2-ae57-4688-96e6-6d8a21fe861e", + "id": "bundle--8bc9a910-f54b-47ca-a879-ca9bf5922e0f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json b/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json index 8ab523245d..9b66e42563 100644 
--- a/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json +++ b/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc1cb2cd-139d-4876-ab12-e92912bb1b8b", + "id": "bundle--5710025c-7c94-456c-ad9e-6ce646bfba56", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json b/mobile-attack/relationship/relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d.json similarity index 50% rename from mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json rename to mobile-attack/relationship/relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d.json index 231633c6fc..c2c6dd0934 100644 --- a/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json +++ b/mobile-attack/relationship/relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--6f598d66-9ea3-4d06-8cb6-1eb44292927d", + "id": "bundle--f63fecee-9062-4401-b903-60c8209f3344", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ab18ee61-f94a-411c-9893-941714ce713e", - "created": "2023-03-20T18:44:26.642Z", + "id": "relationship--f5184fc6-8283-4547-afa9-2f1c0c703d5d", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:50:49.152Z", - "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "source_ref": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json b/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json index 674f2a840d..10b4c2d63d 100644 --- a/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json +++ b/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f1d3a9b-0d38-4fca-b237-1f516f5941cb", + "id": "bundle--03a9d9e9-dcdd-41db-9e6e-f2e92f736c07", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json b/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json index b6a81d26d3..6b938f0cb2 100644 --- a/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json +++ b/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d348684-a0ce-4e24-be49-3ff0ca44e4e8", + "id": "bundle--1f596251-6656-4251-93d4-ecabc5238a13", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6.json b/mobile-attack/relationship/relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6.json new file mode 100644 index 0000000000..fa2440a446 --- /dev/null +++ b/mobile-attack/relationship/relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6d8460bf-5258-4004-ab22-54197ed0b71a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f54196e6-3efd-4562-ae86-37bb79ec49f6", + "created": "2025-09-18T14:38:14.426Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ZimperiumGupta_RatMilad_Oct2022", + "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.", + "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-18T14:38:14.426Z", + "description": "[RatMilad](https://attack.mitre.org/software/S1241) has collected device information such as MAC address, IMEI and phone number.(Citation: ZimperiumGupta_RatMilad_Oct2022) ", + "relationship_type": "uses", + "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json b/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json index 1b6fd256ea..738a56a058 100644 --- a/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json +++ b/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22ab7a16-ab24-4c7b-a09f-35e7a4f5f041", + "id": "bundle--c2679cc3-79c6-41cb-857b-6120d87f433b", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json b/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json index 0146f62f1a..d802275e52 100644 --- a/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json +++ b/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a8b80b7-63af-4797-8cfd-25c5ec6cb147", + "id": "bundle--5cf71260-9ac7-4254-950b-3d086b02488b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json b/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json deleted file mode 100644 index db99f8bd19..0000000000 --- a/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--ec3a6550-2a35-4139-b2f5-cd0aa1f52c54", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a", - "created": "2023-03-20T18:39:10.113Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:32.521Z", - "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json b/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json index dd79dd82b2..ee1ea57f12 100644 --- a/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json +++ b/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c894a3a-fcb0-44c3-8cbe-50da63e32a34", + "id": "bundle--208ebd8b-b19d-4926-ac5a-8ae28c78acf2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json b/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json index 5ba672f043..7db81bb6bf 100644 --- a/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json 
+++ b/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d50fc85e-dd65-45f0-a639-9e9b56b93949", + "id": "bundle--2fdf5dce-7add-4806-a23f-df9f9740756f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json b/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json deleted file mode 100644 index cc3f77d683..0000000000 --- a/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--7d9991b1-67c7-4a93-a674-2bc03d608a5a", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78", - "created": "2023-03-20T18:54:09.674Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:33.150Z", - "description": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json b/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json index 76361ba066..e179290ae7 100644 --- a/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json 
+++ b/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5223263-4d5b-4ff0-a5f7-60c1c040304d", + "id": "bundle--61280471-e877-4b3a-bc82-3e4834d682d5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json b/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json index 82cfd2325f..25217c77a1 100644 --- a/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json +++ b/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4ec3cb3-6ff1-4e61-9922-95621917fd2a", + "id": "bundle--2ae07666-f155-4349-815e-48047700a478", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json b/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json index 76b25a727f..e068fa62a6 100644 --- a/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json +++ b/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed47b1a3-1926-47db-98b6-1545321eeefe", + "id": "bundle--73979223-b9d5-429b-aad9-88f0af6dc39c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json b/mobile-attack/relationship/relationship--f62351c6-0dff-45b1-a711-1b40b96639a2.json similarity index 51% rename from mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json rename to mobile-attack/relationship/relationship--f62351c6-0dff-45b1-a711-1b40b96639a2.json index 0e66fa024c..75723efa1a 100644 --- a/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json 
+++ b/mobile-attack/relationship/relationship--f62351c6-0dff-45b1-a711-1b40b96639a2.json @@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--e7e33919-82cf-4b9b-a307-2ffe457a3aaa", + "id": "bundle--4ef6624f-1b34-4659-a0c5-2c06a8350e70", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d", - "created": "2023-03-15T16:34:51.794Z", + "id": "relationship--f62351c6-0dff-45b1-a711-1b40b96639a2", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:51:23.783Z", - "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", + "modified": "2025-10-21T15:10:28.402Z", + "description": "", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "source_ref": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json b/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json index d1f8b7acd7..f6e1fd6df7 100644 --- a/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json +++ b/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e70745b-4395-4dd8-8557-98314e4c9c74", + "id": "bundle--7e53d592-18e2-42e2-afec-0a04ae693d4f", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json b/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json index f304894d9c..b4953ff075 100644 --- a/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json +++ b/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90f0a66d-8a51-4397-8413-dc86a6fc1e3f", + "id": "bundle--5c17c59e-00c5-4ab2-b0e0-efdee7f29102", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json b/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json index 718c5b9197..e6c35d03b6 100644 --- a/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json +++ b/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0b16b4a-8001-42ab-b2b7-6aaf386f1e55", + "id": "bundle--a765c9c0-aec5-426b-ba8f-11cce5b81298", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json b/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json index 8bd5926070..897c5e8645 100644 --- a/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json +++ b/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--678233e3-2f4a-4d10-b332-303ba76e0ba4", + "id": "bundle--626404ae-ebee-4022-9971-aae2103bb48c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json b/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json index fc4ef5ef3e..de426dd1d2 100644 
--- a/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json +++ b/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22311b59-4a36-4e2f-9f3b-fbfc24082e45", + "id": "bundle--370c6eda-ef12-4075-b739-d11103f57fee", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json b/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json index 4b33b90df3..f1d2927c20 100644 --- a/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json +++ b/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d1e5c81-60e4-4379-a05a-918df7926ad3", + "id": "bundle--bba52fd7-72ea-4092-8f17-2a1f666c58ce", "spec_version": "2.0", "objects": [ { 
@@ -14,19 +14,24 @@
 "source_name": "cyble_chameleon_0423",
 "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.",
 "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ },
+ {
+ "source_name": "ThreatFabric_Chameleon_Dec2023",
+ "description": "ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.",
+ "url": "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:52:34.977Z",
- "description": "[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: cyble_chameleon_0423)",
+ "modified": "2025-10-08T20:17:51.728Z",
+ "description": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to disable Google Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)",
 "relationship_type": "uses",
 "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
 "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json b/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json
index 08bf4cb3de..f04b069e2a 100644
--- a/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json
+++ b/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ec017f6-4c81-4c65-951b-7c63d0381c82", + "id": "bundle--9d875ed5-3bb8-4ead-b114-53ad384871c8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json b/mobile-attack/relationship/relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31.json similarity index 53% rename from mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json rename to mobile-attack/relationship/relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31.json index 08a7b00d0b..3864d71fbd 100644 --- a/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json +++ b/mobile-attack/relationship/relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31.json 
@@ -1,25 +1,24 @@
 {
 "type": "bundle",
- "id": "bundle--efad7ea6-48ad-4841-92f8-c23f67a4402f",
+ "id": "bundle--6e92a6bc-7e8d-4dc0-ae82-85f9c9b9704b",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--5b04c8d0-c026-4838-9383-e4146de36d4d",
- "created": "2023-03-16T18:33:19.941Z",
+ "id": "relationship--f6c57544-4bf5-47b1-924f-1a9bd17f5e31",
+ "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:48:55.869Z",
- "description": "Application vetting services could detect usage of standard clipboard APIs.",
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "source_ref": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6",
 "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json b/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json
index 733e644189..7392aad458 100644
--- a/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json
+++ b/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3569eeff-6fd7-48ad-bf31-a530f325f74b",
+ "id": "bundle--b5d55cce-d592-474c-bb92-f267423ee5e9",
 "spec_version": "2.0",
 "objects": [
 {
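Review bot: The rewritten `detects` relationship now carries `"description": ""`, so the guidance the old object held ("Application vetting services could detect usage of standard clipboard APIs.") is no longer on the edge; presumably it moved to the referenced `x-mitre-detection-strategy` object, which this hunk does not show. The object also drops `revoked`, while the other relationship objects added in this commit keep `"revoked": false,` after `created_by_ref`; I would treat the optional fields the same way in both, either by restoring that line or by omitting the empty `description` key. The new file relationship--fad1e048-86e1-48c7-a183-0e13e429bc23.json has the same shape. Consumers that build detection content from `x-mitre-data-component` sources should be checked against the new source type and the empty description.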
diff --git a/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json b/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json index b4eaae7d13..9ee35f3430 100644 --- a/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json +++ b/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63f8e36d-5e19-457a-9544-29d6dabf6f63", + "id": "bundle--7e8f719e-6b14-43ec-8b79-d41c8b2c1769", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json b/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json index cc60e40c3e..7c0918adab 100644 --- a/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json +++ b/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe6a2d9e-fe92-45d2-acbe-888c93013f2e", + "id": "bundle--a12f7779-f9e8-4770-8e04-fb973aa61940", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json b/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json index b326303dd8..9b8668e697 100644 --- a/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json +++ b/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef3e41e7-09f5-4936-9f17-39f29a9b432c", + "id": "bundle--e2426657-3107-45c1-b3e9-7171f6d44bdf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json b/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json index 77df541622..95472cb402 100644 
--- a/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json +++ b/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36b61eb9-903a-4788-87dd-f1a615f0700d", + "id": "bundle--bfa14c95-5967-4c38-99e5-a53bd4ac5880", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json b/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json index 6ac12cd246..08079e34a6 100644 --- a/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json +++ b/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a95ed42e-887a-4667-8b4f-13a4c2a3e6fc", + "id": "bundle--0eab6abf-7233-4d64-98ea-67f8e73a503e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json b/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json index 994ae35aa3..b3eda3f182 100644 --- a/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json +++ b/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--885430b1-89dc-422a-a860-d4158ed33b85", + "id": "bundle--ba285fcd-83cf-425d-9cb4-1f65d7f273d9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json b/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json index a590caadac..65155dfbb7 100644 --- a/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json +++ b/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10928788-c32d-496f-8731-338916ff4fc3", + "id": "bundle--b3dfc3e1-6555-4d39-bbae-36f5a3ce98e1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json b/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json index 7b6c736064..441362848e 100644 --- a/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json +++ b/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13e6d292-8326-49b6-98fb-7a9d19c12187", + "id": "bundle--92dd5125-d7da-45bf-a6c0-b92630a91f47", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json b/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json index 2b9384b732..7ab61b3e74 100644 --- a/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json +++ b/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--612e6a53-ba38-4173-9d2c-3f1d71b89599", + "id": "bundle--fdc10a62-3778-405a-b830-e72c94f5b07d", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json b/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json index 2e9e98156b..affd956eab 100644 --- a/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json +++ b/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35670db5-063a-495b-a934-6bb6dea7f9e9", + "id": "bundle--f4bad6ce-84f5-465f-a4cd-1ef43f05912c", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69.json b/mobile-attack/relationship/relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69.json
new file mode 100644
index 0000000000..7377d3993c
--- /dev/null
+++ b/mobile-attack/relationship/relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--a3152f1c-e3f4-409e-a5ca-bad2e8dbaf17",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f8312ce3-3533-46e7-bf93-90541f9b5c69",
+ "created": "2025-08-29T22:04:44.695Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumOrtegaPratapagiri_GodFather_Jun2025",
+ "description": "Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.",
+ "url": "https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-08T14:31:06.242Z",
+ "description": "[GodFather](https://attack.mitre.org/software/S1231) has the captured information about the device's screen to include detailed tap events.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--bf064476-25b8-493c-a1e7-dd707b3f7f52",
+ "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json b/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json
index 8cc6ce33c3..b0a950b1fc 100644
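Review bot: The `description` of the new GodFather relationship reads "has the captured information about the device's screen to include detailed tap events", which is ungrammatical and leaves the observed behaviour unclear to anyone mapping it to a detection. I would word it as `has captured information about the device's screen, including detailed tap events.` and keep the citation marker unchanged. The reference text `Ortega, F. Pratapagiri, V.` is also missing a separator between the two authors.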
--- a/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json +++ b/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d4c1918d-cd51-4ddd-a7bf-00fe810eda59", + "id": "bundle--f7eeb58a-0dcb-4811-a99d-0eecf5bddbd1", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json b/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json deleted file mode 100644 index 66bdbd5904..0000000000 --- a/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--b434f885-4f1f-4c24-bd21-883f662a90d0", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39", - "created": "2023-03-20T15:56:04.673Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:37.798Z", - "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json b/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json index fb80d73034..e8e4a672a1 100644 
--- a/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json +++ b/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4b0d9e3-d5b5-41a3-a7bf-9f2795da1505", + "id": "bundle--cf3dafe3-1034-4707-a44d-d2ff79d2f085", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json b/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json index 39b7956841..5c7bc00fd2 100644 --- a/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json +++ b/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--426dd69f-e879-43db-a7e8-57b7803f9c0c", + "id": "bundle--7732f126-8919-4444-8fcf-f91399b1739e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json b/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json index 9b6bf2befe..da9d4b98e8 100644 --- a/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json +++ b/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--919cb87c-ed7e-4cfe-96b8-cc1985aec83a", + "id": "bundle--54328d75-d080-44b8-bdf3-133bf22c6ffc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json b/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json index 7a4f8e48d9..93732a7280 100644 --- a/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json +++ b/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b6e93f3-995c-43fa-b785-35c532009c09", + "id": "bundle--a3dbc736-bfc9-47e2-b91a-ea6fcf1a6590", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json b/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json index 567b3051ec..4eff7a29e5 100644 --- a/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json +++ b/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d28eb7a0-6728-4d05-bd9a-ec8c9ec4c0bb", + "id": "bundle--ba6af725-1251-4432-bc74-512935e311df", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json b/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json index 45d6b913fc..50eada6789 100644 --- a/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json +++ b/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42ce75f2-e33a-4e10-b291-f5998a4d0a57", + "id": "bundle--37d881a5-6aa6-451f-af59-17d888d8d7f4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json b/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json index 638d7fcedf..81d966fa88 100644 --- a/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json +++ b/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70f3dab5-151b-44a5-88fd-308f399acc52", + "id": "bundle--b6f6c422-0384-454b-b7b4-507fbed68a1a", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json b/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json index c3933f3797..675c1d2852 100644 --- a/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json +++ b/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5782952-f42f-47e2-9e44-857fcbd70737", + "id": "bundle--7e7fdcac-943f-4ca6-b3f2-a1483ecd9099", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json b/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json index 3961c0e9ab..ea0323a645 100644 --- a/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json +++ b/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c28a5ea-69bb-4421-86a0-9a0a1ffc4b3f", + "id": "bundle--8a24f1c8-277e-4d00-8775-6b6660748b47", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json b/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json index a36332743e..e8d2d3036d 100644 --- a/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json +++ b/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a670680f-f0ed-4b4f-9a44-49a4d3d44dfb", + "id": "bundle--5d467af3-28ff-497f-b122-43704b2982a6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json b/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json index 2c214d442b..260429440a 100644 
--- a/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json +++ b/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2128e4dc-a4eb-4538-8e9d-0c518c5af5f1", + "id": "bundle--cf4ba88a-298f-4374-a5ac-2e9207eec5f5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json b/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json index 03401f02f1..f62000cd1e 100644 --- a/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json +++ b/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e19f5d33-0190-4304-a8a6-869b70ff713e", + "id": "bundle--b9253a95-9eb7-45eb-bf07-ab7c72ac2c02", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json b/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json index 37dbf4adc3..593443a9ac 100644 --- a/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json +++ b/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a939579-d10c-4cb6-87ef-c55287f0ce14", + "id": "bundle--6644dc8e-15be-49dc-bb77-64ff22f2e71e", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json b/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json index 0346aca873..553b017326 100644 --- a/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json +++ b/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c9af2ac3-65b5-4bc7-bd90-673ff5f36eda",
+ "id": "bundle--80850087-4e80-47f4-891d-d62bdf197267",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--fad1e048-86e1-48c7-a183-0e13e429bc23.json b/mobile-attack/relationship/relationship--fad1e048-86e1-48c7-a183-0e13e429bc23.json
new file mode 100644
index 0000000000..d409917e19
--- /dev/null
+++ b/mobile-attack/relationship/relationship--fad1e048-86e1-48c7-a183-0e13e429bc23.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--36cf2ef0-4066-4880-816b-a313601adbf6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fad1e048-86e1-48c7-a183-0e13e429bc23",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80",
+ "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json b/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json
index 6cba0ceade..e69fc30323 100644
--- a/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json
+++ b/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--617846c8-de45-4b07-a7d3-51fa900cc63c",
+ "id": "bundle--9669544d-eb37-4be1-9fb0-edef92fcf383",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json b/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json index 393b1fb69a..6ebd9b4e98 100644 --- a/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json +++ b/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39574fce-6690-443e-8833-767ded6a4dfd", + "id": "bundle--38c30f99-8779-4008-8777-6026f6da5528", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json b/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json index b89889ad7e..5bbe0380e2 100644 --- a/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json +++ b/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1d8ec66-53df-4388-a0ee-46b3b04232d7", + "id": "bundle--e9d23fa4-8afe-4d1b-8290-4a3c768aaf5f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json b/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json index 682b269777..144f2d4f8c 100644 --- a/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json +++ b/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61eae2d7-db4f-40e3-b9fd-4bf18393aec0", + "id": "bundle--31f93159-5469-4cb8-8400-149980b14a82", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json b/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json index 4a80c5eb14..0442a526d1 100644 
--- a/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json +++ b/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7578110b-9425-473d-a63f-d5331e81af84", + "id": "bundle--38594003-ddb8-4325-977e-b48ada6be37b", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json b/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json index 4bbe70b223..4bd28fe39d 100644 --- a/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json +++ b/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f06abcc-ec09-4d13-a57f-312a6b08ec40", + "id": "bundle--4a0bd0ca-ad36-4cbf-b821-88e3a9f73531", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json b/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json index a2a7f37a76..7810c6c1d5 100644 --- a/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json +++ b/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe13a3d1-2241-4f82-bea5-4e0fd3e254e3", + "id": "bundle--73fa4690-d9c7-4bfb-942a-b1ebad071655", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json b/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json index 92b44e45b6..f712ca6aa0 100644 --- a/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json +++ b/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2367d3da-5d69-4a3b-9b6f-3c8f5da70ab1", + "id": "bundle--94ca38ff-0027-4adf-b939-158d3f092ea9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json b/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json index 941c777144..6df32aaa9a 100644 --- a/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json +++ b/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--759d8ec8-0e72-4cf2-bdbd-ec3607ab4927", + "id": "bundle--6625948c-b207-4b1b-ac5f-862ab577faa9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json b/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json index a0177c72cb..66ce44d756 100644 --- a/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json +++ b/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de7f10a2-f523-4213-b4bb-860aeda81153", + "id": "bundle--d32d3954-eea5-4727-bb73-4c4cc95d0f75", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json b/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json index 7bbf57479a..009b554ad3 100644 --- a/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json +++ b/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9af9664b-9497-4ca7-964d-cca3b282a5cb", + "id": "bundle--85662d8e-b792-436e-8fb3-4a7d59653ed8", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json b/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json index 1e709981bb..0396cada90 100644 --- a/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json +++ b/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54e4f5e3-15d7-4ffe-ac9d-669e2c51f85f", + "id": "bundle--d633079e-96c2-4bc1-a762-d847526b2665", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json b/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json index d77b504711..88c6863b1e 100644 --- a/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json +++ b/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17e86128-160b-4cf7-bc6c-3fad407b4ea9", + "id": "bundle--52cc5218-d675-4c2a-baf7-593cfa268b99", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json b/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json index 62c1b28ffb..8b29673896 100644 --- a/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json +++ b/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84e5430d-4678-4141-bc4b-8a05a2e13ac1", + "id": "bundle--af097486-a814-419a-9ce8-ee32294d64fa", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fc3c2496-aef9-4924-82e7-716d5149db01.json b/mobile-attack/relationship/relationship--fc3c2496-aef9-4924-82e7-716d5149db01.json new file mode 100644 index 0000000000..b4f3b9eee9 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--fc3c2496-aef9-4924-82e7-716d5149db01.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--310a90d6-ce25-427e-b6ca-ab236c8f19d9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fc3c2496-aef9-4924-82e7-716d5149db01",
+ "created": "2025-09-24T16:02:56.574Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ZimperiumGupta_RatMilad_Oct2022",
+ "description": "Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.",
+ "url": "https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-09-24T16:02:56.574Z",
+ "description": "[RatMilad](https://attack.mitre.org/software/S1241) has listed files and pictures on the device starting from `/mnt/sdcard/`.(Citation: ZimperiumGupta_RatMilad_Oct2022) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--6ceb0644-0ae9-4ee1-a659-3888687cb03b",
+ "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json b/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json
index e69902944d..6fcc8a953b 100644
--- a/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json
+++ b/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3b211a25-e053-4785-bb79-2229fb69d284",
+ "id": "bundle--6bd0fb4e-6655-4472-b3e7-fc7559700dfa",
 "spec_version": "2.0",
 "objects": [
 {
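Review bot: The `description` value of the new RatMilad relationship ends with a stray space after the citation marker (`...ZimperiumGupta_RatMilad_Oct2022) "`), which survives into rendered text and breaks exact-match comparison or deduplication of descriptions downstream. I would trim it so the string ends at `(Citation: ZimperiumGupta_RatMilad_Oct2022)"`. The new `mitigates` relationship in relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7.json has the same trailing space after `their accounts.`.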
diff --git a/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json b/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json index 27d062f775..e6ae045ff2 100644 --- a/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json +++ b/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e284a2b-9308-4df0-b3e5-5b73e33e6580", + "id": "bundle--2df96147-d667-43a8-8129-3db5bee1ca97", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json b/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json index b8c37494ff..01a1b0d372 100644 --- a/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json +++ b/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--034f6a19-e313-4ab1-b903-4901bda92793", + "id": "bundle--a1b3ae43-a66b-4633-9876-be4b018d4e64", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7.json b/mobile-attack/relationship/relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7.json new file mode 100644 index 0000000000..eda06a9179 --- /dev/null +++ b/mobile-attack/relationship/relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--97085bef-cb7f-4f70-a690-9c2cb86d6a67", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fcaf04f2-3944-44f9-898a-e3df3fcf30c7", + "created": "2025-09-17T15:30:25.216Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-17T15:30:25.216Z", + "description": "Access to accounts is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their accounts. ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json b/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json index 6f643b45f9..99a3200c32 100644 --- a/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json +++ b/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f9cec0a-d1c4-41e1-9423-140858ae3d4a", + "id": "bundle--2097bc97-e3b1-4a09-bea6-644a4681d1bd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json b/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json index 782336aeab..8de69f22a2 100644 --- a/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json 
+++ b/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32e23c62-99be-4be6-b22d-f1c740159c9b", + "id": "bundle--0600b935-8c3f-4397-9f38-4996ac5fa7a7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json b/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json index 04409ee0cc..2ee9acf598 100644 --- a/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json +++ b/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b943dd91-5355-4021-a174-f8ba43ebca23", + "id": "bundle--ca051fbc-835b-4993-bb93-b9bdbe5aeda9", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json b/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json index f1e029eefb..e7f7065e29 100644 --- a/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json +++ b/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f677626-dc0f-4e4f-ba05-5ae56ad4523c", + "id": "bundle--595bb184-230e-4b49-ba34-4da618a28117", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json b/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json deleted file mode 100644 index df6194df8a..0000000000 --- a/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--80756684-ac1c-4300-a251-189161a7f42d", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2", - "created": "2023-08-08T16:14:27.679Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:45.246Z", - "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json b/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json index fcdbb47bf4..32f5800c62 100644 --- a/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json +++ b/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--846859ea-f62b-4e6c-aae9-7ea26b1194a0", + "id": "bundle--9ec17c6c-5a2a-4a17-b172-76d4070e429f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json b/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json index 25b8b43060..c7ad4e2643 100644 --- a/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json +++ b/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64a1d49c-034f-49b4-b43a-5a4cfcb35f87", + "id": "bundle--e7232c10-d831-414c-8401-5ba1a22028e7", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json b/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json index 7820ffb6a5..d37456c4bd 100644 --- a/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json +++ b/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c2a70af-7e5e-47db-a650-d9c1841b748c", + "id": "bundle--5a03d3d6-246f-4d93-acca-907dd950b0c0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json b/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json index 62375c3292..cfeeae2efd 100644 --- a/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json +++ b/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3db5584-1279-45ce-8a02-23f4989ed84e", + "id": "bundle--d484def3-2e86-4533-9117-e31d5dda3233", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json b/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json index fbef435d6f..a148c5ef18 100644 --- a/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json +++ b/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a2bbd2d-329d-4c0e-9a40-fa277617063b", + "id": "bundle--a156e3ff-ba1a-47d4-b8ff-c97b68c2ce23", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json b/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json index fdc15d139f..7f944be0a5 100644 --- a/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json +++ b/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--702c772a-121c-4c3d-8c28-6e79e36e3954", + "id": "bundle--c2709d82-1121-463c-a732-c0d7b81e24dd", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json b/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json index de61176632..936866c6ea 100644 --- a/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json +++ b/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b0e732e-a648-4cbd-a7c9-62525a2c6802", + "id": "bundle--d1529989-0483-4f7f-9336-067576bfcc1c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json b/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json deleted file mode 100644 index c388049fa3..0000000000 --- a/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--e45cdf8d-3674-419d-9630-88792a6778c7", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193", - "created": "2023-03-20T18:44:44.257Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T21:52:47.028Z", - "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - } - ] -} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json b/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json index a94bd6c806..b850c52da7 100644 --- a/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json +++ b/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2261c7a6-28fa-400f-bd7e-448df6c44f6e", + "id": "bundle--6dbcd4ce-04fa-4312-b281-1a0c40a72856", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json b/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json index 9298f713a7..5f271a0870 100644 --- a/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json 
+++ b/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54763010-d61b-4cb9-96a8-1c5d5e1fce35", + "id": "bundle--e572b1cf-9cf8-4bea-a9af-e3bbe302a09c", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json b/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json index 89481cdc93..f3b318a832 100644 --- a/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json +++ b/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ae161734-78f7-441a-a8d7-d6e49853f484", + "id": "bundle--6b977fc3-7502-4d78-87df-71dcd6d239a8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json b/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json index a4af98810d..bb7e9e952d 100644 --- a/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json +++ b/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15e880d3-0778-4e71-8d47-3bf658541fda", + "id": "bundle--c24060cd-9931-4eb6-a22a-de793907545f", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json b/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json index 5d134328ea..04cfbd1095 100644 --- a/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json +++ b/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5e2f325-9c22-4617-b023-668fe3bd953d", + "id": "bundle--bb046b39-3d8a-4a5c-bcb9-12072c5cf55a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json b/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json index cf4dff6ee4..5f1a5857b5 100644 --- a/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json +++ b/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--227091d3-e15f-43ae-b21a-35671205e1f3", + "id": "bundle--44d59e98-acb5-457f-9b6e-e589acfb5c16", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json b/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json index f37ddf0f0b..8e5114753e 100644 --- a/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json +++ b/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a5891b5-b3e6-4e2d-b32b-df335584e448", + "id": "bundle--fc483b3a-7125-4950-99bb-5ef6a9ff7262", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json b/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json index 60f03ee48d..fa36816d1e 100644 --- a/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json +++ b/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a19f2cc-d374-4732-8107-275f1f470a17", + "id": "bundle--7407e494-f10c-4c9f-b60a-94671aa8d1a4", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2.json
new file mode 100644
index 0000000000..43c10de3e1
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b64435f-b1d3-4bda-9479-584b5ebfdd3d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1789",
+ "external_id": "AN1789"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1789",
+ "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864.json
new file mode 100644
index 0000000000..f442d783ad
--- /dev/null
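Review bot: The description of Analytic 1789 (AN1789) is Android-specific ("On Android, the user is presented with a permissions popup..."), but `x_mitre_platforms` lists only `"iOS"`. A consumer that filters analytics by platform would present this Android guidance as iOS detection and would find no Android entry from this object. The same mismatch is visible in Analytic 1740 (Verified Boot, SafetyNet and Samsung Knox text tagged `"iOS"`) and Analytic 1832 (`READ_PRIVILEGED_PHONE_STATE` tagged `"iOS"`), and Analytic 1679 carries both Android and iOS guidance in an object tagged only `"Android"`. If the Android wording is intended, the value should be `"x_mitre_platforms": [ "Android" ]`; if the object is meant to be the iOS analytic, the description needs iOS wording, which this diff does not show.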
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--b4108fe0-ce79-46e6-8b09-77910dc5ae5f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1740",
+ "external_id": "AN1740"
+ },
+ {
+ "source_name": "Android-VerifiedBoot",
+ "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.",
+ "url": "https://source.android.com/security/verifiedboot/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1740",
+ "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
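Review bot: The description of Analytic 1740 points defenders at Android's SafetyNet API for remote attestation, which Google has deprecated in favour of the Play Integrity API, so a newly created analytic (created 2025-10-21) recommends a retired interface. The only citation was retrieved in December 2016, which suggests the text was carried over from older detection guidance without review. The sentence should name the current attestation interface, for example `Android's Play Integrity API provides remote attestation capabilities`. The same sentence also contains a typo, "respond to compromise devices", which should read `respond to compromised devices`.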
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc.json
new file mode 100644
index 0000000000..1c93bf781f
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--350397a3-bb01-4b0c-bf90-a174e51e7625",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1649",
+ "external_id": "AN1649"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1649",
+ "description": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8.json
new file mode 100644
index 0000000000..aebf6d8bc2
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8.json
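Review bot: Analytic 1649 (AN1649) contains no detection content: its description states that system information discovery is difficult to detect, and the object has no `x_mitre_log_source_references`. Tooling that counts `x-mitre-analytic` objects per detection strategy to estimate coverage would likely score this as a detection where none exists. Analytic 1829 (scheduled tasks/jobs) has the same shape. The description could say so outright, for example by opening with `No analytic is defined for this technique.`, so that consumers can recognise and exclude such placeholders.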
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--584ed1fe-9908-4531-b7dc-813f76592ade",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1679",
+ "external_id": "AN1679"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1679",
+ "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae.json
new file mode 100644
index 0000000000..7d6cc24af6
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--ae31e572-fabb-4de3-80c0-5f9a7bbc014e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1725",
+ "external_id": "AN1725"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1725",
+ "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3.json
new file mode 100644
index 0000000000..255002d131
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b359403-dffe-4cbf-85b8-46371a44bcc9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1792",
+ "external_id": "AN1792"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1792",
+ "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061.json
new file mode 100644
index 0000000000..9ace2b8623
--- /dev/null
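Review bot: The two entries in `x_mitre_log_source_references` of Analytic 1792 carry the same `"name": "Network Traffic"` and the same `"channel": "None"`, so only the data-component UUID tells them apart. `"None"` is a JSON string rather than `null` and looks like a serialised language-level null; a consumer that matches or groups on `channel` will treat it as a real channel name. If no channel applies, `"channel": null` or omitting the key would be unambiguous, provided the ATT&CK schema permits it, which this diff does not show. The same string appears in every log source reference added by the other analytic files in this diff.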
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--66162fa2-7eb1-4206-95ed-60160ceff911",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1829",
+ "external_id": "AN1829"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1829",
+ "description": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f.json
new file mode 100644
index 0000000000..97dc442690
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--262b2147-2415-45ea-8229-f3b88561218f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1747",
+ "external_id": "AN1747"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1747",
+ "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5.json
new file mode 100644
index 0000000000..786eb58836
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--6d9488f9-1d4c-46ef-b7fb-a1b023c9075e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1736",
+ "external_id": "AN1736"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1736",
+ "description": "Application vetting services may detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. \nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90.json
new file mode 100644
index 0000000000..001f34a11a
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--44ce51f9-8fb7-4673-8248-d08edcb7db69",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0694#AN1807",
+ "external_id": "AN1807"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1807",
+ "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930.json
new file mode 100644
index 0000000000..a7f3edbfe6
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--5af08bf0-a0e7-4996-b4bd-97d972fcf134",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1836",
+ "external_id": "AN1836"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1836",
+ "description": "Mobile security products can use attestation to detect compromised devices.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653.json
new file mode 100644
index 0000000000..7f772cd6e2
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653.json
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--0969d5c3-ec21-42c1-83e3-0b8c7ae5383c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0647#AN1727", + "external_id": "AN1727" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1727", + "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d.json new file mode 100644 index 0000000000..5e60f9c1ec --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d.json 
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--fd2ae800-9d36-4fd4-8f73-3acdd7ac23fd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1832",
+ "external_id": "AN1832"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1832",
+ "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2.json
new file mode 100644
index 0000000000..4607d109bd
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2.json
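Review bot: The `description` of AN1832 tells vetting services to look for the `READ_PRIVILEGED_PHONE_STATE` Android permission, but `x_mitre_platforms` lists only `iOS`, so this iOS analytic carries guidance that cannot apply to that platform. Either the platform should read `"Android"` or the description needs iOS-specific text; which was intended cannot be told from this hunk. The AN1729 object further down shows the same mismatch (`iOS` next to "On Android 10 and later"), though its hunk runs past the end of this view. Anyone deriving per-platform detection coverage from `x_mitre_platforms` would count iOS detections that the text does not actually provide.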
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--6e1bf184-2617-41da-8e0f-3e16893ae9ad", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1759", + "external_id": "AN1759" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1759", + "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.\nApplication vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a.json new file mode 100644 index 0000000000..408b3ec6a5 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a.json 
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--27dc9cec-078e-49dd-9159-cffc8c253225",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1819",
+ "external_id": "AN1819"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1819",
+ "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec.json
new file mode 100644
index 0000000000..127042d56c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec.json
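Review bot: AN1819 is typed `x-mitre-analytic` but has no `x_mitre_log_source_references`, and its `description` only says the technique is difficult to detect, so the object records the absence of a detection, not a detection. Tooling that counts analytics per technique as coverage would overstate it for this technique; the description should at least lead with the fact that no analytic is defined. The link text is also followed by a stray `s` (`.../T1639/001)s can be`), which reads like a template artefact; `...(https://attack.mitre.org/techniques/T1639/001) can be difficult to detect` would fix it. AN1814 has both problems, and AN1768 and AN1762 are likewise description-only objects without log sources.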
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--94ee347a-3300-4fd2-aec2-5c65f48b811e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1814", + "external_id": "AN1814" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1814", + "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d.json new file mode 100644 index 0000000000..3dd88dc613 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--13244e7c-b39d-401f-848a-53a6a59323d9", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1662", + "external_id": "AN1662" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1662", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90.json new file mode 100644 index 0000000000..878df1da88 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2b986066-6c73-41c4-8050-30018af4e226", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1704", + "external_id": "AN1704" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1704", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd.json new file mode 100644 index 0000000000..ebbe7e51e6 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d8bcadbd-81d0-4445-b05c-04632f9bca93", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0690#AN1801", + "external_id": "AN1801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1801", + "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.\nThe user can see a list of applications that can use accessibility services in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719.json new file mode 100644 index 0000000000..b60ae407c9 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--fbfc926a-1326-461e-8dc3-616922c814aa", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0633#AN1705", + "external_id": "AN1705" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1705", + "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.\nMobile security products can potentially detect jailbroken devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1.json new file mode 100644 index 0000000000..0464cc407c --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--7f252f29-401c-4ec4-8795-4089265b5209", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1768", + "external_id": "AN1768" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1768", + "description": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a.json new file mode 100644 index 0000000000..ba11f4068d --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--aa99d795-7025-4244-856c-6d56c924633e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1714", + "external_id": "AN1714" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1714", + "description": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea.json new file mode 100644 index 0000000000..dea921f357 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--cc87cb9d-f15a-4b48-b4bc-8278ebd72406", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1816", + "external_id": "AN1816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1816", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block bidirectional command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c.json new file mode 100644 index 0000000000..23c2484395 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b977c888-881a-4f26-b26a-d4cba4503b81", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1762", + "external_id": "AN1762" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1762", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4.json new file mode 100644 index 0000000000..a5b382fee8 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8e40ce34-cc05-4766-a4f4-0a4f365b8b97", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0598#AN1644", + "external_id": "AN1644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1644", + "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. \nThe user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478.json
new file mode 100644
index 0000000000..e46be0e5dc
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--8b0cd315-eb92-47b8-8cf6-99f626676dfb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1738",
+ "external_id": "AN1738"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1738",
+ "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. \nApplication vetting services can detect unnecessary and potentially abused API calls.\nApplication vetting services can detect unnecessary and potentially abused permissions.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
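Review bot: `x_mitre_log_source_references` in AN1738 holds two entries with the same `name` (`Application Vetting`) and the same `channel`, told apart only by `x_mitre_data_component_ref`. A consumer that keys or deduplicates log sources by `name` and `channel` will collapse them into one. A reader also cannot tell which entry backs the "API calls" sentence of the description and which backs the "permissions" sentence. Presumably the two refs point at different data components; if so, each `name` should identify its component, not repeat the parent data source. The partially visible AN1729 object below repeats the pattern for both `Application Vetting` and `User Interface`.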
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521.json new file mode 100644 index 0000000000..d14db776e8 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--482380ad-2aa8-4eb8-a5d1-52664cdc8b37", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1778", + "external_id": "AN1778" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1778", + "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c.json new file mode 100644 index 0000000000..22648b41fb --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--76612337-8c6f-4ef6-9c4c-a7ff636a7c4c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0637#AN1711", + "external_id": "AN1711" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1711", + "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.\nApplications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127.json new file mode 100644 index 0000000000..2b4a96c02c --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--aae6a6e9-93f4-45b3-a49d-bf37c7d3b640", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1720", + "external_id": "AN1720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1720", + "description": "Application vetting services could detect usage of standard clipboard APIs.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5.json new file mode 100644 index 0000000000..37c370e2e4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5.json 
@@ -0,0 +1,58 @@
+{
+ "type": "bundle",
+ "id": "bundle--12ec129a-8575-4879-964c-ba4ec5e6c9dc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1729",
+ "external_id": "AN1729"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1729",
+ "description": "Application vetting services can detect unnecessary and potentially abused location permissions.\nOn Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.\nApplication vetting services can detect unnecessary and potentially abused API calls.\nThe user can review which applications have location permissions in the operating system\u2019s settings menu.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a.json
new file mode 100644
index 0000000000..da0b776196
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a.json
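Review bot: The second sentence of `description` ("On Android 10 and later, the system shows a notification…") describes Android behaviour, but this analytic declares `"x_mitre_platforms": ["iOS"]`, so anyone filtering analytics by platform gets guidance that does not apply to the device in question. The sentence should be dropped from this object, or replaced with the iOS equivalent by someone who can cite it. AN1774 and AN1820 have the mirror-image problem: both are tagged `Android` while their text covers `NSCalendarsUsageDescription` in `Info.plist` and Apple iCloud notifications respectively. Separately, the four log-source entries here repeat the names `Application Vetting` and `User Interface` under different `x_mitre_data_component_ref` values, so `name` alone does not identify a source.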
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--c4221598-24ad-4ce3-a273-e5ef2032a01f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0642#AN1718",
+ "external_id": "AN1718"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1718",
+ "description": "Application vetting services can detect when an application requests administrator permission.\nWhen an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184.json
new file mode 100644
index 0000000000..b1879fb5dd
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--0c63ac5b-18bd-477c-b6c1-839def89e24d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1737",
+ "external_id": "AN1737"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1737",
+ "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. \nApplication vetting services can detect unnecessary and potentially abused API calls.\nApplication vetting services can detect unnecessary and potentially abused permissions.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11.json
new file mode 100644
index 0000000000..e5c698a596
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--e243aaea-68dc-42da-ba38-eb922b1c9a8e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1760",
+ "external_id": "AN1760"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1760",
+ "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c.json
new file mode 100644
index 0000000000..85366d289d
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--7aa07749-4776-43c5-92f4-96db40de5a55",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0660#AN1750",
+ "external_id": "AN1750"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1750",
+ "description": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35.json
new file mode 100644
index 0000000000..d20984c1fc
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--0c18c94d-37ef-4ade-80c4-b0a6148f795d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1717",
+ "external_id": "AN1717"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1717",
+ "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7.json
new file mode 100644
index 0000000000..2557d303b7
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7.json
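Review bot: This analytic has no `x_mitre_log_source_references` array and its `description` states that the behaviour is "regarded as undetectable to the user", so it contributes no observable to DET0641. Tooling that counts analytic objects per detection strategy as coverage will overstate coverage here, and code that iterates the array unconditionally will hit a missing key. If the schema permits, `"x_mitre_log_source_references": []` makes the absence explicit; otherwise the description should say outright that no data source applies. AN1672 has the same shape.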
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--234bf3e3-fdf5-4017-9f10-b0165a403cac",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1688",
+ "external_id": "AN1688"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1688",
+ "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. 
",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e.json
new file mode 100644
index 0000000000..8d69e1569c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--97319704-6897-40c3-a03b-300dc0223914",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1788",
+ "external_id": "AN1788"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1788",
+ "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64.json
new file mode 100644
index 0000000000..9d140a31d0
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--f84abb11-c1f3-4b75-9a82-92506c6eb0b0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1669",
+ "external_id": "AN1669"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1669",
+ "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82.json
new file mode 100644
index 0000000000..44b162b6f6
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--10e22388-d713-4a0f-b9a9-b1f52968855d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0623#AN1687",
+ "external_id": "AN1687"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1687",
+ "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \nApplication vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. \nOn both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. 
",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34.json
new file mode 100644
index 0000000000..5270c68bbc
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--ced95872-7aa4-4e96-bff2-8b5b3b45effa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1774",
+ "external_id": "AN1774"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1774",
+ "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20.json
new file mode 100644
index 0000000000..238548fe31
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--f4339c1a-fb8b-4082-bdd2-9cce570ffa0f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1799",
+ "external_id": "AN1799"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1799",
+ "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c.json
new file mode 100644
index 0000000000..74feb67b16
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--9a4b4c1d-a7ff-4353-acc2-9daad18c7232",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0652#AN1735",
+ "external_id": "AN1735"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1735",
+ "description": "Application vetting services may detect when an application requests permissions after an application update.\nApplication vetting services may look for indications that the application\u2019s update includes malicious code at runtime. \nApplication vetting services may be able to list domains and/or IP addresses that applications communicate with.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb.json
new file mode 100644
index 0000000000..9b7798fba4
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--19b3cb1b-4382-4643-81d0-eae92183cbaf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1820",
+ "external_id": "AN1820"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1820",
+ "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e.json
new file mode 100644
index 0000000000..b4c545193a
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--575c66bc-09ab-4abf-9860-3b31e5b8b923",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1672",
+ "external_id": "AN1672"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1672",
+ "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd.json
new file mode 100644
index 0000000000..925e37d8a4
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd.json
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8e3d4a82-a3cb-425c-a10a-98e8d4fca51c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1795", + "external_id": "AN1795" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1795", + "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd.json
new file mode 100644
index 0000000000..c9df594e75
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--d77af734-b49a-496f-a2f7-bf96742b6fe5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0668#AN1764",
+ "external_id": "AN1764"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1764",
+ "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.\nThe user can view a list of apps with accessibility service privileges in the device settings.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff.json new file mode 100644 index 0000000000..c3c5d73ebd --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--486c51a2-f3b5-47e6-9e57-8c9c93ad2108", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1845", + "external_id": "AN1845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1845", + "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52.json new file mode 100644 index 0000000000..e32c81b642 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--798ab47e-761e-4835-adc1-7aec3839528a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1808", + "external_id": "AN1808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1808", + "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.\nDuring the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db.json new file mode 100644 index 0000000000..fee6a32c6d --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--b56d5c0c-c2a8-415e-9ce9-749a30394183", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0671#AN1769", + "external_id": "AN1769" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1769", + "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. \nCommand-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. \nThe user is prompted for approval when an application requests device administrator permissions.\nApplication vetting services may detect API calls for deleting files. \nMobile security products can detect which applications can request device administrator permissions. 
Application vetting services could be extra scrutinous of applications that request device administrator permissions.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5.json new file mode 100644 index 0000000000..fa8a9a2ebd --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5.json 
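Review bot: The five `x_mitre_log_source_references` entries of Analytic 1769 reuse `"name": "User Interface"` for two different components (`...56c2b384...` and `...e2f72131...`) and `"name": "Application Vetting"` for two more (`...5ae32c6a...` and `...b1e0bb80...`), so `name` cannot tell a reader which observation each entry stands for. The description lists six separate observations, and nothing ties a sentence to an entry. It looks as if `name` holds the parent data source rather than the data component. Using the component's own name there, or documenting that consumers must key on `x_mitre_data_component_ref`, would keep the entries from being collapsed as duplicates.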
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--662125b6-469c-48dc-807d-ea661314a59c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1773", + "external_id": "AN1773" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1773", + "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. 
If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0.json new file mode 100644 index 0000000000..6bae2780f3 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e5620262-dd33-4286-8f42-3245dfbe7900", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0611#AN1665", + "external_id": "AN1665" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1665", + "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). \nApplication vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d.json new file mode 100644 index 0000000000..3def1c3ea3 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--1c147f02-967b-4bc9-a520-f22d10e46df0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0708#AN1831", + "external_id": "AN1831" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1831", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6.json new file mode 100644 index 0000000000..87b47b42ac --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--fa6908a5-6d13-480b-be8b-cd9598e676b8", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1734", + "external_id": "AN1734" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1734", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94.json
new file mode 100644
index 0000000000..c19e6c9810
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--f8c7a3cb-1654-40ef-9eeb-bd86a9b92868",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1696",
+ "external_id": "AN1696"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1696",
+ "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. \nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
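Review bot: `x_mitre_platforms` is `["iOS"]` for Analytic 1696, but the description covers only Android ("On Android, the user can review which applications have Device Administrator access"). Device Administrator is an Android mechanism, so either the platform should be `"Android"` or the description needs iOS-specific guidance. As written, a platform filter hands iOS defenders a check they cannot perform. Analytic 1773 (iOS) and Analytic 1808 (Android) in this diff show a milder form of the same problem, with the other platform's guidance mixed into their descriptions.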
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6.json new file mode 100644 index 0000000000..415d10aa6f --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7b0f6536-2ef2-4dba-b79d-504211125667", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1719", + "external_id": "AN1719" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1719", + "description": "Application vetting services could detect usage of standard clipboard APIs.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041.json new file mode 100644 index 0000000000..1988f969aa --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--794b8a9b-25fc-419b-8031-d8bcf9dbf9f8", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1763", + "external_id": "AN1763" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1763", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e.json similarity index 60% rename from mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json rename to mobile-attack/x-mitre-analytic/x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e.json index 4d963ac977..9d4b52147e 100644 --- a/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e.json 
@@ -1,15 +1,19 @@ { "type": "bundle", - "id": "bundle--b36cb732-6350-4f2f-818f-ee3b3b429038", + "id": "bundle--b2bc8652-421b-4dbe-b394-f858eb30c31a", "spec_version": "2.0", "objects": [ { - "type": "relationship", - "id": "relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa", - "created": "2023-08-14T16:19:34.080Z", + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1766", + "external_id": "AN1766" + }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", 
@@ -24,14 +28,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:52:00.380Z", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1766", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144.json new file mode 100644 index 0000000000..c748316665 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144.json 
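Review bot: The added log-source entry is named `Application Vetting`, yet the description kept from the old relationship is about analysing domain names seen in traffic (entropy, registration age, activity after dormancy). Component `x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0` may well be a network-traffic component whose `name` was filled from a default, which is worth checking against the data-component object. An analyst who routes this analytic by `name` would send a DNS-based detection to app-vetting tooling. Separately, the first hunk replaces `relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa` with a new object id and leaves no revoked or deprecated record in the visible lines, so consumers tracking the old id will see it disappear.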
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--ab6934de-9e32-4a8c-91b1-c93905a60abd", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1748", + "external_id": "AN1748" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1748", + "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998.json new file mode 100644 index 0000000000..3fc88aa155 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--12420ea7-a9dc-40f9-84d7-86a2943ae6a2", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1689", + "external_id": "AN1689" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1689", + "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391.json new file mode 100644 index 0000000000..04824a4095 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--4bede883-6636-425a-a87d-0e500eaafee7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0717#AN1847", + "external_id": "AN1847" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1847", + "description": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c.json new file mode 100644 index 0000000000..c9a29b5b30 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--74c664be-9356-44de-939c-ac0a33f6d58c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1673", + "external_id": "AN1673" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1673", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4.json new file mode 100644 index 0000000000..7329c85397 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--16becfc2-49c5-4fb4-9523-b178c5fa9d00", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1685", + "external_id": "AN1685" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1685", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369.json new file mode 100644 index 0000000000..b18f273a55 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--0a4e28eb-478f-4b13-b588-6d7b044f3ce4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1733", + "external_id": "AN1733" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1733", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
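Review bot: AN1733 declares `"x_mitre_platforms": ["iOS"]`, yet its description is about device administrator permissions and the list of applications that can use accessibility services. As far as I know both are Android concepts, so the text looks copied from an Android counterpart and would send an iOS analyst to settings that do not exist there. The same mismatch shows up elsewhere in this change: AN1805 (iOS) talks about rooted devices and inspecting `/proc`, AN1658 (iOS) cites only a Samsung Knox reference, and AN1708 (Android) tells the reader to monitor "Keychain services on iOS". For AN1708 the fix is small, `"Monitor for API calls that are related to the AccountManager API on Android."`; the iOS objects need platform-specific wording, or the platform list widened if the text is meant to be shared.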
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8.json new file mode 100644 index 0000000000..f1758f5742 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2471abd5-70e2-4abe-bb22-f0234fb9f8eb", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1723", + "external_id": "AN1723" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1723", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c.json new file mode 100644 index 0000000000..c14f62f9ce --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--5cce778a-1cbf-4e94-b968-2ddeae328ae5", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1654", + "external_id": "AN1654" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1654", + "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd.json new file mode 100644 index 0000000000..7dc3c46492 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b445f151-df25-44d0-af68-c72dba1fcf3e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1648", + "external_id": "AN1648" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1648", + "description": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b.json new file mode 100644 index 0000000000..40320d60bb --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--369f181e-11b9-4cac-a195-1c52fa97f281", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1659", + "external_id": "AN1659" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1659", + "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. \nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba.json new file mode 100644 index 0000000000..1c38479c66 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--d4cae5ef-446c-4839-9e9f-89e73c09aa7b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1804", + "external_id": "AN1804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1804", + "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8.json new file mode 100644 index 0000000000..8c4dcac417 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--07832faf-a084-4e80-acff-cf9734b1e11c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1805", + "external_id": "AN1805" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1805", + "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb.json new file mode 100644 index 0000000000..eb5c9996a7 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--08c47611-088f-44fe-bcb1-cb61ddeea617", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1693", + "external_id": "AN1693" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1693", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. 
If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1.json new file mode 100644 index 0000000000..611751194d --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--dfd0bec2-88a4-4b8a-8ad5-9bffcb03c5c1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0632#AN1703", + "external_id": "AN1703" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1703", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563.json new file mode 100644 index 0000000000..9af1e63c6c --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--727e4517-b726-4335-af0e-643ad4b8454e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1658", + "external_id": "AN1658" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1658", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee.json new file mode 100644 index 0000000000..4c7a480b22 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee.json 
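Review bot: The `x_mitre_log_source_references` list of AN1658 has two entries both named `"Process"` that point at different data components (`…--3d20385b-…` and `…--ee575f4a-…`), so the `name` cannot tell a reader which kind of process telemetry each one means. AN1701 does the same with two `"User Interface"` entries. It appears `name` carries the data source name and not the component name; carrying the component name there, or having consumers key on `x_mitre_data_component_ref` alone, would remove the ambiguity. The description has a related problem: it states the Mobile Threat Defense point three times with only "running" versus "newly created" processes changed, apparently one sentence per log source, and would read better merged into a single sentence that covers both.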
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--8c51c292-e2fc-4900-b1f9-d90c32d1a050", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1691", + "external_id": "AN1691" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1691", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101.json new file mode 100644 index 0000000000..a2843bfd24 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--8fccd399-f212-4db6-9989-c1e1fe3f4622", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0630#AN1701", + "external_id": "AN1701" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1701", + "description": "The user is prompted for approval when an application requests device administrator permissions.\nApplication vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.\nThe user can see which applications are registered as device administrators in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16.json new file mode 100644 index 0000000000..3a221c1df7 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7f92d3cc-325e-44bd-830a-5d7b85e55eee", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0683#AN1790", + "external_id": "AN1790" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1790", + "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e.json new file mode 100644 index 0000000000..8ee6bca4d9 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--6470b076-d738-4deb-93bb-5b3263f15121", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0615#AN1671", + "external_id": "AN1671" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1671", + "description": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3.json new file mode 100644 index 0000000000..6b7c78f324 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--a7117569-c103-4c5b-b1fe-ec1244ad2293", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1708", + "external_id": "AN1708" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1708", + "description": "Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e.json new file mode 100644 index 0000000000..92273c7125 --- /dev/null 
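Review bot: The description of AN1708 tells the reader to monitor Keychain services on iOS, while `x_mitre_platforms` scopes the object to `Android` only, so part of the guidance cannot apply to the platform the analytic is filed under. The text looks like a cross-platform paragraph reused unchanged in a per-platform object. The same pattern appears in the iOS-scoped analytics AN1821 (Android Device Manager), AN1826 (accessibility and overlay permissions, which appear to be Android concepts) and AN1787 (`RECEIVE_SMS`). For this object the first sentence could read `Monitor for API calls that are related to the AccountManager API.`, with the Keychain guidance kept in the iOS counterpart. Detection engineers filtering by platform would otherwise receive guidance they cannot act on.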
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--af3f48e3-b2e5-4e03-bef7-aa601c633412", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1732", + "external_id": "AN1732" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1732", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1.json new file mode 100644 index 0000000000..64fa06f9f9 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--4f312c1f-e235-4f09-a82a-7afeaed82bb0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1756", + "external_id": "AN1756" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1756", + "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \nApplication vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53.json new file mode 100644 index 0000000000..9aa0d98850 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2c08a6c7-180e-47dd-a425-c4a379744857", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1821", + "external_id": "AN1821" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1821", + "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7.json new file mode 100644 index 0000000000..4bfbbc1f93 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--ac0d0eda-2e02-4b51-9fcd-f688ca8e3e50", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1783", + "external_id": "AN1783" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1783", + "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2.json new file mode 100644 index 0000000000..3ff4589f6b --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--e6e884a7-d181-459f-9823-2cbcb90f7f0b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1851", + "external_id": "AN1851" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1851", + "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613.json new file mode 100644 index 0000000000..fa17cbc1fd --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--ab7d35cd-ccf5-4ff5-9f27-280024abe016", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1826", + "external_id": "AN1826" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1826", + "description": "The user can view and manage installed third-party keyboards.\nApplication vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0.json new file mode 100644 index 0000000000..7b0735ee06 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--a9c1d40a-87dc-4553-9340-f17141d3dd1e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1700", + "external_id": "AN1700" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1700", + "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e.json new file mode 100644 index 0000000000..4a59d09453 --- /dev/null 
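Review bot: The description of AN1700 relies on network traffic analysis, but the only entry in `x_mitre_log_source_references` is named `Application Vetting` (`x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0`), so the object lists no network telemetry for the detection it describes. In AN1756 the entry named `Network Traffic` uses `x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c`; if that is the component intended here, add a matching reference. Otherwise reword the description to say what the vetting step inspects. AN1667 has the same gap: it describes DNS and domain-reputation analysis while listing only the `Application Vetting` reference. Anyone building coverage maps from these references would undercount the network data this analytic needs.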
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b198ad79-4f0c-4a35-ae84-7c2c7df8b351", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0659#AN1749", + "external_id": "AN1749" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1749", + "description": "No standard detection method currently exists for this technique.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055.json new file mode 100644 index 0000000000..acda7220f3 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--70d30b6b-bc2f-499e-9625-6742bdca4b87", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1787", + "external_id": "AN1787" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1787", + "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7.json new file mode 100644 index 0000000000..261db56244 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--58936087-c872-43d9-a92b-0e615e841709", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1667", + "external_id": "AN1667" + }, + { + "source_name": "unit42_strat_aged_domain_det", + "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", + "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1667", + "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], 
+ "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a.json new file mode 100644 index 0000000000..a248ae06be --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--d51657e6-ca83-4d26-9a81-df095f313858", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1852", + "external_id": "AN1852" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1852", + "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52.json new file mode 100644 index 0000000000..c3de4e9d0b --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--d145c18d-4c2a-4e59-9cc3-5147ba14d7ad", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716#AN1846", + "external_id": "AN1846" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1846", + "description": "The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2.json new file mode 100644 index 0000000000..108a89c167 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--14db5d82-ebc3-4f01-91c1-9d9ec19ad2ed", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1721", + "external_id": "AN1721" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1721", + "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff.json new file mode 100644 index 0000000000..adef93d19e --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff.json 
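Review bot: The second sentence of the AN1721 description has a stray word, `because as legitimate software may use packing techniques`, which makes the caveat about false positives hard to read. Suggested wording: `Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.` The caveat is the part analysts rely on when triaging packer hits, so it is worth stating cleanly.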
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--f8199e42-8613-4793-8d8d-f68013de4e11", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0649#AN1730", + "external_id": "AN1730" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1730", + "description": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838.json new file mode 100644 index 0000000000..3219472b99 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--b286b2f5-0d53-4ee5-bc7b-afb5bfd7a798", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0693#AN1806", + "external_id": "AN1806" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1806", + "description": "The user can view a list of active device administrators in the device settings.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8.json new file mode 100644 index 0000000000..dc5bd968d3 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--4be8ecbc-9f7f-4951-a4dc-3154a53acbd4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622#AN1686", + "external_id": "AN1686" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1686", + "description": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a.json new file mode 100644 index 0000000000..7fcce32ca4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--5b090d1d-9ee7-43a4-90bf-012232ce6a24", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1742", + "external_id": "AN1742" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1742", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829.json new file mode 100644 index 0000000000..a9d5b307ef --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829.json 
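Review bot: The `description` of Analytic 1742 makes the same Mobile Threat Defense point three times in slightly different wording ("running processes and their parameters" in the second and last sentences, "newly created processes" in the third), which reads like unmerged source text rather than one analytic. Collapsing these into a single sentence, followed by the application-vetting sentence and its citation, would make the guidance easier to act on. The object is tagged `iOS` while its only cited source is Samsung Knox, so the platform is worth confirming. The `Process` log source is also listed twice with different `x_mitre_data_component_ref` values.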
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--4ea9af87-6c69-422e-8ca7-a0a9ca4aa0d1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0666#AN1761", + "external_id": "AN1761" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1761", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee.json new file mode 100644 index 0000000000..e70281b56c --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--222509cc-b44b-4813-9015-4e8e7d76d150", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1824", + "external_id": "AN1824" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1824", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f.json new file mode 100644 index 0000000000..f12d5374b4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--08a96918-c3d7-41b0-9ce6-2b21a0555d69", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1677", + "external_id": "AN1677" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1677", + "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. \nMobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nApplication vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + 
] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059.json new file mode 100644 index 0000000000..4aa64ae96e --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059.json 
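Review bot: `x_mitre_log_source_references` in Analytic 1677 lists `Application Vetting` twice with two different `x_mitre_data_component_ref` ids, so the `name` field does not tell a reader which component each entry means. The same pattern appears in Analytic 1848 (`Application Vetting` twice) and Analytic 1742 (`Process` twice). If `name` is meant to be the data component's name, it looks as if the parent data source name was written instead. Using each component's own name would keep the entries distinguishable without resolving the ids.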
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--f14a6bca-2a51-43f0-9506-6ea509926e04", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1828", + "external_id": "AN1828" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1828", + "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.\nApplication vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741.json new file mode 100644 index 0000000000..26bcd9c53f --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d06f9097-527c-485d-9916-45fb4fc5ebe7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0697#AN1812", + "external_id": "AN1812" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1812", + "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.\nThe user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service should be scrutinized further for malicious behavior. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d.json new file mode 100644 index 0000000000..fed885ffa4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--69b5506e-7403-49e1-860e-4ee90302a2e0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1683", + "external_id": "AN1683" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1683", + "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685.json new file mode 100644 index 0000000000..d04b251a2d --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--00ae7f42-bb68-448c-b85e-5ed9e2aa9ed6", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1752", + "external_id": "AN1752" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1752", + "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.\nOn Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22.json new file mode 100644 index 0000000000..72d3e80270 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--738d1fe2-6faf-4433-be29-9319fa5c7a03", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1779", + "external_id": "AN1779" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1779", + "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
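Review bot: `x_mitre_platforms` in Analytic 1779 is `["iOS"]`, but both sentences of the `description` are about Android: the `SYSTEM_ALERT_WINDOW` permission, the Android settings path and the app manifest. Tools that filter analytics by platform would show this guidance to iOS defenders and hide it from Android ones. If no iOS content is intended, the field should be `"x_mitre_platforms": ["Android"]`; otherwise the description needs iOS-specific text. Analytic 1752 (`android.permission.BIND_ACCESSIBILITY_SERVICE`) and Analytic 1744 (Android Intents and App Links) are also tagged `iOS` and open with Android-only guidance.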
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34.json new file mode 100644 index 0000000000..a39489cb56 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--8e24251e-b9dc-4b80-b9e7-c59a5177dfd3", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1724", + "external_id": "AN1724" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1724", + "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644.json new file mode 100644 index 0000000000..598116e7b6 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--14fe0c15-869e-4184-a2d9-94db49516b01", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1776", + "external_id": "AN1776" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1776", + "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. \nAndroid applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30.json new file mode 100644 index 0000000000..9a47c66d35 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--50f541e6-075e-4398-aea3-7e18063b4972", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1675", + "external_id": "AN1675" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1675", + "description": "Many properly configured firewalls may naturally block command and control traffic.\nApplication vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db.json new file mode 100644 index 0000000000..4d921c8f2c --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--fb3b808f-ffe1-4681-bc73-1b9e988eafc9", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1848", + "external_id": "AN1848" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1848", + "description": "Application vetting services could look for connections to unknown domains or IP addresses. \nApplication vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2.json new file mode 100644 index 0000000000..02f73dd5ff --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2d6ca41c-1ada-41e3-af79-eb663ea147b0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1784", + "external_id": "AN1784" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1784", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012.json new file mode 100644 index 0000000000..0a7003e891 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--8e58c0b8-cc5b-494f-b4b5-c61957e05905", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0699#AN1815", + "external_id": "AN1815" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1815", + "description": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959.json new file mode 100644 index 0000000000..144cf4ce42 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959.json 
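Review bot: Analytic 1815 is the only analytic in this part of the diff with no `x_mitre_log_source_references` key at all. A consumer that iterates that field on every `x-mitre-analytic` object has to special-case its absence. If the omission is deliberate, because the description says this behaviour is difficult to detect, an explicit `"x_mitre_log_source_references": []` would make that intent visible.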
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--45a49c0f-368e-4a66-b4ad-67cb2bffce72", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1744", + "external_id": "AN1744" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1744", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open a URI in. 
If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86.json new file mode 100644 index 0000000000..ea3d0e2b35 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86.json 
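Review bot: AN1744 is tagged `"x_mitre_platforms": ["iOS"]`, but its description is about Android only: Intents, App Links and the Android app-chooser popup, word for word the text of AN1743, which is tagged Android. AN1726 has the same mismatch (iOS tag, description built on `network_security_config.xml`, the Android network security configuration file), and so does AN1839 (iOS tag, Verified Boot and Samsung Knox). An analyst filtering on iOS would get vetting guidance that does not apply to iOS apps. The iOS analytics need iOS-specific text (for AN1744 presumably custom URL schemes and Universal Links, to be confirmed against the parent technique), or the platform tag should be corrected.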
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--bf7461cf-6ae2-423c-ad92-c30027879eb7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1751", + "external_id": "AN1751" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1751", + "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.\nOn Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. 
", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e.json new file mode 100644 index 0000000000..8531365619 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--5fd9fd6a-3adf-4a29-820d-048335347da6", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0619#AN1680", + "external_id": "AN1680" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1680", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec.json new file mode 100644 index 0000000000..a88f43ee7e --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--1dc7878e-75e5-4bf8-b262-ca92555dcf68", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0609#AN1661", + "external_id": "AN1661" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1661", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
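Review bot: `"channel": "None"` in both log source references stores a missing value as the four-letter string `None`, which looks like a stringified null from the export. Every other log source reference in the visible hunks does the same. A consumer that builds queries or coverage maps from `channel` will treat `None` as a real channel name. If the ATT&CK spec allows it, omit the key when there is no channel; if a non-empty string is required, document `None` as a sentinel that consumers must skip.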
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f.json new file mode 100644 index 0000000000..3dceaceb2f --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--e30d2557-6768-4716-9d3d-748359be620c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0689#AN1800", + "external_id": "AN1800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1800", + "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5.json new file mode 100644 index 0000000000..041d1b5de0 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--8ec11b41-3881-484b-9fdb-f49354b8be1f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1743", + "external_id": "AN1743" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1743", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open a URI in. 
If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c.json new file mode 100644 index 0000000000..91c8f7b028 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--a0345cb9-d15a-4132-ad60-9482f9a23dcf", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1794", + "external_id": "AN1794" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1794", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612.json new file mode 100644 index 0000000000..53a1fb8944 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--f20a2590-0867-4f03-89d0-567343eda904", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1726", + "external_id": "AN1726" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1726", + "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793.json new file mode 100644 index 0000000000..6d315c21c7 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--906778e1-d16e-4182-a85b-a01282f85e91", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0714#AN1842", + "external_id": "AN1842" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1842", + "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.\nApplication vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c.json new file mode 100644 index 0000000000..077c53fa35 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--183a4863-ebc1-4540-bedf-a58b6b90dd0c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715", + "external_id": "AN1715" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1715", + "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.\nThe user can examine the list of all installed applications in the device settings. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a.json new file mode 100644 index 0000000000..cb62948eab --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--9a519946-bf85-4a93-aa46-372f489b1b3d", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1840", + "external_id": "AN1840" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1840", + "description": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e.json new file mode 100644 index 0000000000..0a21f5aec1 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--ddfa7c86-97d0-42b7-b312-d31f6b9f2bc4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1839", + "external_id": "AN1839" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1839", + "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. 
Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746.json new file mode 100644 index 0000000000..7289e898e1 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746.json 
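Review bot: The description recommends `Android’s SafetyNet API` for remote attestation, but Google has deprecated SafetyNet Attestation in favour of the Play Integrity API, so a defender following this analytic as written is pointed at a retired interface. The wording appears to be carried over from older guidance; the Verified Boot citation in the same object was retrieved in 2016. Suggest rewording to `Android’s Play Integrity API (the successor to SafetyNet Attestation) provides remote attestation capabilities` and adding a matching entry to `external_references`.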
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--6a0efc46-08ac-4cd7-bbfe-78f8f1b9a436", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0636#AN1710", + "external_id": "AN1710" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1710", + "description": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd.json new file mode 100644 index 0000000000..22b6c5d86e --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--2af508c3-51f6-4275-8938-e5f6d3da2b32", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0681#AN1786", + "external_id": "AN1786" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1786", + "description": "The user can view permissions granted to an application in device settings. \nApplication vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc.json new file mode 100644 index 0000000000..041c962283 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--c2844d6e-c917-480f-b494-af66107c9460", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1646", + "external_id": "AN1646" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1646", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff.json new file mode 100644 index 0000000000..4850f58fe2 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7de8bb55-a24a-43d1-8314-1bd57a49ade1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0629#AN1699", + "external_id": "AN1699" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1699", + "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551.json new file mode 100644 index 0000000000..b7a7e84d57 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551.json 
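Review bot: The description of AN1699 relies on network traffic analysis, while the only entry in `x_mitre_log_source_references` is named `Application Vetting`. The referenced id `x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0` differs from the ids used under that name elsewhere in the visible hunks, so it may resolve to a network-related component, but the diff does not show that. If `name` is meant to tell a defender which telemetry to collect, it should identify the component itself, not only a shared label; otherwise the description and the log source appear to contradict each other. The description also ends with a trailing space (`domains. `).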
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--63dff889-82f5-431d-b899-afadd20070da",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1698",
+ "external_id": "AN1698"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1698",
+ "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e.json
new file mode 100644
index 0000000000..0e73f2a7fa
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e.json
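Review bot: The `description` of AN1698 states the same detection twice: its first and third sentences both say application vetting can detect insecure or malicious third-party libraries, which reads like several source texts concatenated without de-duplication. Keeping `Usage of insecure or malicious third-party libraries could be detected by application vetting services.` together with the endpoint-protection sentence loses nothing. That endpoint-protection sentence has no matching entry in `x_mitre_log_source_references`, which lists only Application Vetting, so the second detection has no telemetry mapping. AN1741 later in this diff repeats its Mobile Threat Defense sentence three times in the same way.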
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--c1db3fe6-fb49-4dcf-b60d-ca8f22972c3a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1825",
+ "external_id": "AN1825"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1825",
+ "description": "The user can view and manage installed third-party keyboards.\nApplication vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb.json
new file mode 100644
index 0000000000..17c9a909a8
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb.json
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--48d1b250-c335-4cc2-9c64-cfc1c8c3987d", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1728", + "external_id": "AN1728" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1728", + "description": "Application vetting services can detect unnecessary and potentially abused location permissions.\nOn Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.\nApplication vetting services can detect unnecessary and potentially abused API calls.\nThe user can review which applications have location permissions in the operating system\u2019s settings menu.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User 
Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3.json similarity index 51% rename from mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json rename to mobile-attack/x-mitre-analytic/x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3.json index fcc331a545..113bcbe238 100644 --- a/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3.json @@ -1,15 +1,19 @@ { "type": "bundle", - "id": "bundle--78d1779a-7aa8-4426-92f7-34bc92cfd28b", + "id": "bundle--ed9a429c-8d02-4ef7-b1bf-b566f30140fd", "spec_version": "2.0", "objects": [ { - "type": "relationship", - "id": "relationship--73d22490-4043-42d7-ad25-74e4a642bf6a", - "created": "2023-03-20T18:41:45.186Z", + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1754", + "external_id": "AN1754" + }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", 
@@ -19,14 +23,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:30.417Z", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1754", "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b.json new file mode 100644 index 0000000000..da722e9b52 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b.json 
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--7e6ab92a-c936-4ebe-a78e-efa0995110fc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1785",
+ "external_id": "AN1785"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1785",
+ "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21.json
new file mode 100644
index 0000000000..5746f1f35b
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--2449a2b8-95df-456d-ae5a-cfa1aa230af9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1651",
+ "external_id": "AN1651"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1651",
+ "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db.json
new file mode 100644
index 0000000000..1cc3aee356
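Review bot: AN1651 is scoped to `"x_mitre_platforms": ["iOS"]`, yet its description covers only `android.permission.READ_CALL_LOG` and the Android settings screen, so the iOS analytic carries no iOS detection guidance; the text is a verbatim copy of its Android twin AN1650 in this diff. A defender filtering analytics by platform would receive a check that cannot apply to the device. The description should be replaced with iOS-specific content, or the iOS analytic dropped if none exists. The same copy-across-platforms pattern shows in AN1646/AN1785 (each carries both the Android and the iOS sentence) and, apparently, in AN1690 (an iOS analytic citing accessibility services and device administrator).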
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--4b40e7b3-f205-4f64-8408-b7b7c45db6d0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1653",
+ "external_id": "AN1653"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1653",
+ "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a.json
new file mode 100644
index 0000000000..8531f3471c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--f23dd007-4fcc-4cee-b98f-92b2851e3a87",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1650",
+ "external_id": "AN1650"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1650",
+ "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e.json
new file mode 100644
index 0000000000..7405f0ae8a
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--e899c411-8800-47a9-b99f-daa13f32507e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1811",
+ "external_id": "AN1811"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1811",
+ "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0.json
new file mode 100644
index 0000000000..736f7e4a1c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0.json
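Review bot: AN1811 is published as an analytic but omits `x_mitre_log_source_references` altogether, and its description says the behaviour is hard to detect and defers to other stages, so the object records the absence of a detection rather than one. Tooling that counts analytics per technique would overstate detection coverage for this entry; AN1682 in this diff has the same shape. Consumers iterating the key also need a presence check here, whereas every other analytic in the diff carries it as an array. If the schema allows it, `"x_mitre_log_source_references": []` would keep the shape stable and make the "no telemetry" state explicit.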
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--77c9d61a-f959-4076-b603-fc3a02083333",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0669#AN1765",
+ "external_id": "AN1765"
+ },
+ {
+ "source_name": "unit42_strat_aged_domain_det",
+ "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.",
+ "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"
+ },
+ {
+ "source_name": "Data Driven Security DGA",
+ "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
+ "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1765",
+ "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83.json
new file mode 100644
index 0000000000..7d744e6a9f
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--af5e4e81-580d-48ff-84bb-cbd647b4ba4e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1771",
+ "external_id": "AN1771"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1771",
+ "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block command and control traffic.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69.json
new file mode 100644
index 0000000000..37ccefb512
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--e1cc7b9d-8d43-4706-b68f-53dc7cfabbcb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1682",
+ "external_id": "AN1682"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1682",
+ "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543.json
new file mode 100644
index 0000000000..3edcf85e88
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--2d621990-2bd3-477f-836b-4c6ee3f57ff7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0624#AN1690",
+ "external_id": "AN1690"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1690",
+ "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91.json
new file mode 100644
index 0000000000..c23fd275a6
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--8929ffac-8e93-4b94-8f83-452ad3950634",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1833",
+ "external_id": "AN1833"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1833",
+ "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07.json
new file mode 100644
index 0000000000..9eb018361e
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07.json
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--03ab7d8c-4264-4358-930b-ec2acab81f94", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1741", + "external_id": "AN1741" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1741", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452.json new file mode 100644 index 0000000000..259f28e504 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452.json 
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--b93e21d3-673d-45b4-a2fa-c3f6bffce2c7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0603#AN1652",
+ "external_id": "AN1652"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1652",
+ "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd.json
new file mode 100644
index 0000000000..1ad97eef27
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--b5751b19-ef0c-48d9-b234-4dacc662f850",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0599#AN1645",
+ "external_id": "AN1645"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1645",
+ "description": "The user can view the default SMS handler in system settings.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812.json
new file mode 100644
index 0000000000..076c0e72ba
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--99ee419c-4e7f-49a1-9e4d-2660651499dc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1802",
+ "external_id": "AN1802"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1802",
+ "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f.json
new file mode 100644
index 0000000000..351cc736ee
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--1670031a-d14f-4b8b-9768-5589dbb4bf3f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1803",
+ "external_id": "AN1803"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1803",
+ "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728.json
new file mode 100644
index 0000000000..e972b1dbaa
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--59b6510d-153e-4b23-95d2-bc3fe14254e7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1770",
+ "external_id": "AN1770"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1770",
+ "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block command and control traffic.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813.json
new file mode 100644
index 0000000000..c6a9a45daf
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--b6a2b9c8-7add-4d15-bb9a-bb4b938ad40b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1775",
+ "external_id": "AN1775"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1775",
+ "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
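Review bot: `x_mitre_platforms` is `["iOS"]`, but the description opens with the Android manifest permissions `android.permission.READ_CALENDAR` / `android.permission.WRITE_CALENDAR` and continues "On both Android and iOS", so tooling that filters analytics by platform will hand iOS reviewers Android guidance. The same mismatch shows in AN1796 (b1674dca, tagged iOS while the text covers only `android.permission.READ_SMS` and Android settings), AN1678 (b6d9d5a1, tagged iOS with `DexClassLoader` guidance) and AN1745 (b972ebf0, tagged Android with an iOS Configuration Profiles paragraph). Presumably one shared description was copied onto each per-platform analytic; trimming each to its own platform, here the `NSCalendarsUsageDescription` / `Info.plist` clause and the settings sentence, would make tag and text agree. For AN1796 it should be confirmed whether the platform or the text is the wrong half, since nothing in its description applies to iOS.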
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926.json
new file mode 100644
index 0000000000..5b0d89ce99
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--72d544de-bb44-4281-9d34-02cfaf4dd645",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1676",
+ "external_id": "AN1676"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1676",
+ "description": "Many properly configured firewalls may naturally block command and control traffic.\nApplication vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046.json
new file mode 100644
index 0000000000..b4c00c2a55
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--e5a60125-9606-4fb8-917a-e4be74251366",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1796",
+ "external_id": "AN1796"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1796",
+ "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a.json
new file mode 100644
index 0000000000..d9895a1916
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--92f623f9-4f56-4106-b24a-021b60c7272f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1753",
+ "external_id": "AN1753"
+ },
+ {
+ "source_name": "CSRIC5-WG10-FinalReport",
+ "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
+ "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1753",
+ "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32.json
new file mode 100644
index 0000000000..f1cefd72f5
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--91e5ea21-6401-4a28-ae87-840804523165",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0664#AN1757",
+ "external_id": "AN1757"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1757",
+ "description": "Mobile security products can potentially detect jailbroken devices.\nApplication vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e.json
new file mode 100644
index 0000000000..9ddd2d0753
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--31598e79-81a0-4f7d-8728-1f936fa79310",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0710#AN1835",
+ "external_id": "AN1835"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1835",
+ "description": "Mobile security products can use attestation to detect compromised devices.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07.json
new file mode 100644
index 0000000000..078170ad07
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--fba80350-8901-4d8d-abe0-bab816d95c76",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0715#AN1843",
+ "external_id": "AN1843"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1843",
+ "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d.json
new file mode 100644
index 0000000000..57b19c8501
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--2557d654-2d49-43a2-9d07-c36aa8f4ddff",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1678",
+ "external_id": "AN1678"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1678",
+ "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. \nMobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nApplication vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960.json
new file mode 100644
index 0000000000..df12c56a0d
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--91bc5fd6-c445-4fe7-8c0b-a0861e785a63",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1827",
+ "external_id": "AN1827"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1827",
+ "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.\nApplication vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f.json
new file mode 100644
index 0000000000..dfa181d64c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--14427968-3c23-4401-a79e-1a003b6da6cb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1684",
+ "external_id": "AN1684"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1684",
+ "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef.json
new file mode 100644
index 0000000000..51b80efcb4
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--5e6801e7-34b2-4465-b102-3cc6640b3fa9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1841",
+ "external_id": "AN1841"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1841",
+ "description": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c.json
new file mode 100644
index 0000000000..d57da5b81e
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c.json
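Review bot: The AN1841 object has no `x_mitre_log_source_references` key at all, while the other analytics visible in this diff carry one, and its description states that the behaviour is difficult to detect rather than describing a detection. A consumer that indexes the key directly will fail on this object, and one that counts analytic objects as detection coverage will count an entry that offers none. If the schema permits an empty array, emitting `"x_mitre_log_source_references": []` keeps the object shape stable and makes "no log source" explicit. AN1767 (bfa12b75) has the same shape.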
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--3d621bdb-f557-49fb-af82-36d7b0460132",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853",
+ "external_id": "AN1853"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1853",
+ "description": "Application vetting services can detect malicious code in applications.\nSystem partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa.json
new file mode 100644
index 0000000000..fd2865ec11
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa.json
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--683574de-8933-4989-a10b-57d6b19e2633", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1745", + "external_id": "AN1745" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1745", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
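Review bot: The `description` of Analytic 1745 includes an iOS paragraph (Configuration Profiles, MDM APIs) although `x_mitre_platforms` is only `Android`, so the text is not scoped to the platform the object claims. The mismatch is sharper in later hunks tagged `iOS` whose text is Android-specific: Analytic 1692 (`android.os.SystemProperties`, `getprop`), Analytic 1707 (`READ_PRIVILEGED_PHONE_STATE`), Analytic 1660 (`SEND_SMS`), and parts of Analytic 1647, 1709 and 1694. A defender mapping these to iOS coverage would get guidance that cannot be applied there. I would trim each description to its own platform. Where nothing platform-relevant remains, retag the object, e.g. `"x_mitre_platforms": ["Android"]`, provided no Android twin already exists outside this view.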
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466.json new file mode 100644 index 0000000000..47f09f007b --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--e70121f9-e108-42b5-8c90-1132a3c2290e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1767", + "external_id": "AN1767" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1767", + "description": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f.json new file mode 100644 index 0000000000..95e2449aa3 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--bf129621-d6ae-43a1-84a0-a23a3f62f4e6", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1713", + "external_id": "AN1713" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1713", + "description": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5.json new file mode 100644 index 0000000000..ad59ebad19 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--cd9d9d89-be72-4c9a-8c51-9545cc82a164", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1647", + "external_id": "AN1647" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1647", + "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1.json new file mode 100644 index 0000000000..fd857be468 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e31ff78d-3aea-4f20-849d-8d62f1441127", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1817", + "external_id": "AN1817" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1817", + "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block bidirectional command and control traffic.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf.json new file mode 100644 index 0000000000..ce64b6bd1d --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2cecb7ea-3ab0-4d00-8ea0-e3816601055d", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1697", + "external_id": "AN1697" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1697", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd.json new file mode 100644 index 0000000000..41b99be9ac --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd.json 
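Review bot: The `description` of Analytic 1697 states the same point twice: the first sentence and the last sentence both say application vetting can detect insecure or malicious third-party libraries. I would drop the trailing sentence so the text ends after `...computers that are used to develop mobile apps.`. The middle sentence relies on endpoint protection on developer workstations, but the only log source listed is Application Vetting, so that part has no backing data component here.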
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--3d92abdc-4d70-4473-be1f-35cce28dd754", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0678#AN1781", + "external_id": "AN1781" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1781", + "description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106.json similarity index 60% rename from mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json rename to mobile-attack/x-mitre-analytic/x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106.json index d5c7992b4b..f730bd5fd2 100644 --- a/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106.json 
@@ -1,15 +1,19 @@ { "type": "bundle", - "id": "bundle--f78746c1-14dd-4f89-8650-6bd236477ec7", + "id": "bundle--2819892c-4824-4684-84b7-20e021b0f186", "spec_version": "2.0", "objects": [ { - "type": "relationship", - "id": "relationship--64489abc-5c2f-4620-833d-9ac010040955", - "created": "2023-08-14T16:19:54.684Z", + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1668", + "external_id": "AN1668" + }, { "source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", 
@@ -24,14 +28,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:49:07.649Z", + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1668", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1.json new file mode 100644 index 0000000000..0ee49b4365 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--0d96e4bf-c995-44db-85d7-746f4aaf2305", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1854", + "external_id": "AN1854" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1854", + "description": "Application vetting services can detect malicious code in applications.\nSystem partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6.json new file mode 100644 index 0000000000..6754c20e20 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2e3b17f3-9fdb-41cf-99d0-59b30790d55e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0625#AN1692", + "external_id": "AN1692" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1692", + "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211.json new file mode 100644 index 0000000000..b8199392da --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--c1d63686-5f0e-4039-a31b-f6b9ae10a6f0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1707", + "external_id": "AN1707" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1707", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9.json new file mode 100644 index 0000000000..00c04b94bf --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--3126b532-def6-4046-9025-28e1066ad73b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0631#AN1702", + "external_id": "AN1702" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1702", + "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa.json new file mode 100644 index 0000000000..6e6bd32181 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--579cfa87-726b-480a-a4d3-70a6d1fe1c43", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1709", + "external_id": "AN1709" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1709", + "description": "Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25.json new file mode 100644 index 0000000000..b78863fd9f --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--ed050025-cb1b-4bfe-8b12-34510c5043e3", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1694", + "external_id": "AN1694" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1694", + "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. 
If the user sees an application they do not recognize, they can remove it.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821.json new file mode 100644 index 0000000000..e7a075917c --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--c4595dac-29b6-49e5-bf95-afe82563b2e0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608#AN1660", + "external_id": "AN1660" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1660", + "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. \nApplication vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec.json new file mode 100644 index 0000000000..af0f9ece77 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--ab71ef79-bdf7-4726-af4d-a1cebb3ecca7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0684#AN1791", + "external_id": "AN1791" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-24T14:49:38.837Z", + "name": "Analytic 1791", + "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.\nEnterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ] + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3.json new file mode 100644 index 0000000000..89cd315e69 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3.json 
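Review bot: The two `x_mitre_log_source_references` entries of Analytic 1791 differ in `x_mitre_data_component_ref` but carry the same `"name": "Network Traffic"`, and both have `"channel": "None"`. A reader cannot tell which component backs the URL-inspection sentence and which backs the anomalous-traffic sentence without resolving the refs. Analytic 1822 has the same issue with two `User Interface` entries. The `name` presumably holds the parent data source rather than the component, so I would put the component's own name there. This object is also the only one in the diff with `"revoked": false` and a later `modified` timestamp, which suggests it was hand-edited after generation and is worth a second look.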
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--80bc3de7-a969-48a2-8b71-887d5458a132", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0677#AN1780", + "external_id": "AN1780" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1780", + "description": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6.json new file mode 100644 index 0000000000..4e20e74a20 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6.json 
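Review bot: The second sentence of the Analytic 1780 `description` has a typo that changes its meaning: `Look for strings are other signatures` should read `Look for strings or other signatures`. The analytic also lists no `x_mitre_log_source_references`, so the "system artifacts" it tells the analyst to inspect are not tied to any data component. Naming the artifact source would make the guidance actionable.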
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--6b1ae0bc-34bf-47b2-827d-aac0a17050ae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1793",
+ "external_id": "AN1793"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1793",
+ "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869.json
new file mode 100644
index 0000000000..762466c269
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--1dfddabc-7a2f-4f6b-9ab1-0b698ac737d2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822",
+ "external_id": "AN1822"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1822",
+ "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.\nThe user can view their default phone app in device settings.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5.json
new file mode 100644
index 0000000000..4231cb8975
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--cd78397d-42df-4dba-9045-dced06ac1544",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1722",
+ "external_id": "AN1722"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1722",
+ "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84.json
new file mode 100644
index 0000000000..c09e0799c2
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84.json
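Review bot: The second sentence of the AN1722 `description` is ungrammatical: `because as legitimate software may use packing techniques` carries a stray `as`. Suggested wording: `Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.` Since this sentence is the false-positive caveat a vetting analyst relies on, it is worth getting clean.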
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--23a16cbe-f872-46a4-80b8-eb5833752315",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1731",
+ "external_id": "AN1731"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1731",
+ "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab.json
new file mode 100644
index 0000000000..c47c5f68ef
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--73871000-c976-413c-bb06-05c8c1903bed",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1849",
+ "external_id": "AN1849"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1849",
+ "description": "Application vetting services could look for connections to unknown domains or IP addresses. \nApplication vetting services may indicate precisely what content was requested during application execution.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400.json
new file mode 100644
index 0000000000..f65f3b1983
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--17f0b4a4-b381-4080-97ca-8da0cedf8ae3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0606#AN1656",
+ "external_id": "AN1656"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1656",
+ "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. \nApplication vetting services can look for applications that request permissions to Accessibility services or application overlay. \nMonitor for API calls that are related to GooglePlayServices. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+ "name": "Process",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202.json
new file mode 100644
index 0000000000..8e55fe398c
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202.json
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--4f78d5a4-275b-44be-add5-653d3d8b831a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1772", + "external_id": "AN1772" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1772", + "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. 
If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409.json new file mode 100644 index 0000000000..1e70892901 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409.json 
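Review bot: AN1772 lists only `Android` in `x_mitre_platforms`, but its `description` opens with the iOS 14 status-bar indicator, cites the iOS Mic Spyware reference, and folds `RequestRecordPermission` guidance in with the Android `RECORD_AUDIO` and `CAPTURE_AUDIO_OUTPUT` permissions. A consumer that filters analytics by platform therefore receives iOS guidance under an Android record. AN1782 and AN1809 later in this diff show the same mix: one description naming both an Android manifest permission and an iOS plist key, with a single platform listed. If the model is one analytic per platform, trimming each description to the listed platform would keep the record actionable.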
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--a2e24ee7-447e-4258-8996-555859243fe1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0719#AN1850",
+ "external_id": "AN1850"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1850",
+ "description": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27.json
new file mode 100644
index 0000000000..d1f0d7266d
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--5906a7b9-087c-48f9-be7b-463e31e94a48",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0605#AN1655",
+ "external_id": "AN1655"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1655",
+ "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d.json
new file mode 100644
index 0000000000..4ba5b781d0
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--961504c8-7ac8-407a-9a57-3d01e17e8286",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0616#AN1674",
+ "external_id": "AN1674"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1674",
+ "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638.json
new file mode 100644
index 0000000000..e2430f431f
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638.json
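Review bot: AN1674 is tagged `"x_mitre_platforms": ["iOS"]`, yet its `description` is entirely Android-specific: `android.os.SystemProperties`, `getprop` through runtime `exec()`, and a Google recommendation about system properties. As written, an iOS application-vetting pipeline that picks up this analytic has nothing it can look for. Either the platform value should be `Android` or the description needs iOS indicators; which was intended cannot be determined from this hunk.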
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--7f3cda40-5fa5-4844-b302-0fecc845d014",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0612#AN1666",
+ "external_id": "AN1666"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1666",
+ "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b.json
new file mode 100644
index 0000000000..ed8c82e6b8
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--340e5c0c-7f5c-4a3a-8034-e20a85e2262d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1663",
+ "external_id": "AN1663"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1663",
+ "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block one-way command and control traffic.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6.json
new file mode 100644
index 0000000000..e090486646
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--95bf9a45-076a-4fb5-875d-f3aa58164851",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1670",
+ "external_id": "AN1670"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1670",
+ "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "name": "Sensor Health",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6.json
new file mode 100644
index 0000000000..f9907d8b37
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--09f229c8-cd0a-4774-8ad6-35519ad8b41d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1664",
+ "external_id": "AN1664"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1664",
+ "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.\nMany properly configured firewalls may naturally block one-way command and control traffic.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "iOS"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2.json
new file mode 100644
index 0000000000..9eb6f004af
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--e0705474-6eef-4492-947e-da2d8d2fb2cb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1782",
+ "external_id": "AN1782"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1782",
+ "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2.json
new file mode 100644
index 0000000000..7463a9790e
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--d3bbe679-05b7-4aa8-bff1-b3680d576cfc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0687#AN1797",
+ "external_id": "AN1797"
+ },
+ {
+ "source_name": "Samsung Knox Mobile Threat Defense",
+ "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.",
+ "url": "https://partner.samsungknox.com/mtd"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1797",
+ "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)\nMobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "name": "Application Vetting",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "name": "Process",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3.json
new file mode 100644
index 0000000000..be65853aca
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--ff2fde16-63f3-4ed4-9d91-b1670713e59a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0627#AN1695",
+ "external_id": "AN1695"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Analytic 1695",
+ "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. \nApplication vetting services can detect and closely scrutinize applications that utilize Device Administrator access.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "name": "User Interface",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "name": "Application Vetting",
+ "channel": "None"
+ }
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26.json
new file mode 100644
index 0000000000..af052c1280
--- /dev/null
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26.json
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--592cc27d-9072-4223-b9ac-57c98801c7ea", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1809", + "external_id": "AN1809" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1809", + "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.\nDuring the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c.json new file mode 100644 index 0000000000..a40763be63 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e4154284-9d8f-4103-874d-5c86dcc56dfb", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1739", + "external_id": "AN1739" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1739", + "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
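Review bot: The `description` of AN1739 points defenders at Android's SafetyNet API for remote attestation, which Google has deprecated in favour of the Play Integrity API, so an analytic created in 2025 steers readers to a retired signal. Naming the successor would keep it actionable, e.g. `Android's Play Integrity API (the successor to SafetyNet Attestation) provides remote attestation capabilities`. In the same sentence "compromise devices" should read `compromised devices`. The only cited source was retrieved in 2016 and may also deserve a refresh.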
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9.json new file mode 100644 index 0000000000..699413c6c4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--c893ce85-de8c-47be-8ab0-93696ea3d9c4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0709#AN1834", + "external_id": "AN1834" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1834", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
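Review bot: AN1834 is tagged `"x_mitre_platforms": ["iOS"]`, but its `description` only discusses the `READ_PRIVILEGED_PHONE_STATE` Android permission, which gives an iOS vetting pipeline nothing to check. The identical text is added for AN1706 with `"Android"`, so this looks like a copy that kept either the wrong text or the wrong platform. Either replace the description with the iOS-side check or change the platform to `"Android"`. AN1809, AN1777 and AN1746 are also tagged iOS while their descriptions mix Android and iOS guidance; splitting the text per platform would keep platform-filtered views from showing checks that do not apply.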
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e.json new file mode 100644 index 0000000000..77f269b8c0 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--02076cd9-f0e5-4c95-91b7-5daafdb4a0d8", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0701#AN1818", + "external_id": "AN1818" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1818", + "description": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f.json new file mode 100644 index 0000000000..12cdf02612 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f.json 
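Review bot: AN1818 is published as an analytic but carries no `x_mitre_log_source_references`, and its `description` only says the behaviour is hard to detect, so tooling that counts analytics per detection strategy would presumably report coverage where none exists. AN1830, AN1681, AN1716, AN1810 and AN1813 in this change have the same shape. If the spec has no explicit marker for "no viable detection", opening the description with a fixed phrase such as `No reliable detection is currently known for this behavior.` would let consumers filter these entries out. The markdown link followed by a bare `s` (`...T1639/001)s`) also renders as an awkward plural.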
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d39b5e13-82d4-4586-8d8b-c3db6a23bae3", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1755", + "external_id": "AN1755" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1755", + "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \nApplication vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614.json new file mode 100644 index 0000000000..ae424c4603 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--d37e66bd-34eb-457c-85c5-d0f82d08e796", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1830", + "external_id": "AN1830" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1830", + "description": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1.json new file mode 100644 index 0000000000..b6adde06b2 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--6c32efcd-cfe2-4b19-bbca-207e94afd80d", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1681", + "external_id": "AN1681" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1681", + "description": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe.json new file mode 100644 index 0000000000..58adc9fe06 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--af34f855-a291-4f86-9b20-ec5bb97f4fae", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0688#AN1798", + "external_id": "AN1798" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1798", + "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e.json new file mode 100644 index 0000000000..a9c88727a4 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--1fa5dfa5-233b-4f60-9542-4ec27c552922", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1657", + "external_id": "AN1657" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1657", + "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)\nMobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "name": "Command", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "name": "Process", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97.json new file mode 100644 index 0000000000..58e6e779db --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97.json 
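Review bot: The `description` of AN1657 makes the same Mobile Threat Defense point three times in slightly different words (running processes, newly created processes, running processes again), which looks like several source detections concatenated without de-duplication. The log-source list shows the matching symptom: two entries named `Process` with different `x_mitre_data_component_ref` values and the same `channel`, so a reader cannot tell which telemetry each one means. Collapsing the text to one MTD sentence plus the application-vetting sentence, and giving each entry a distinguishing name or channel, would make the analytic usable as written.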
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--1361a0b6-17e8-417a-8f6e-4486a7f75f26", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1716", + "external_id": "AN1716" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1716", + "description": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d.json new file mode 100644 index 0000000000..6839ef2555 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d3363f38-efe6-452f-bd11-c840ff0f7763", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1777", + "external_id": "AN1777" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1777", + "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. \nAndroid applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6.json new file mode 100644 index 0000000000..f506eed555 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--907bcf0e-0020-4fee-b6d6-dd3fe49c8cd7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657#AN1746", + "external_id": "AN1746" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1746", + "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f.json new file mode 100644 index 0000000000..d6857fc102 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--73beb21b-e235-43d5-88f3-6dc74df4ce61", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0696#AN1810", + "external_id": "AN1810" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1810", + "description": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782.json new file mode 100644 index 0000000000..7f5331e115 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--f596fc3e-ad35-4009-8831-4ccd6af958a6", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698#AN1813", + "external_id": "AN1813" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1813", + "description": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b.json new file mode 100644 index 0000000000..c366922888 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--6ef4aca8-caea-44cc-b1e6-cdddc1c563b1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1706", + "external_id": "AN1706" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1706", + "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73.json new file mode 100644 index 0000000000..34abe9cdb2 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--68f8bd91-14c3-4650-a0f1-c57b32f6a76b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1758", + "external_id": "AN1758" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1758", + "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.\nApplication vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359.json new file mode 100644 index 0000000000..9cc5727fdb --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--2e96b9ca-9cea-42b4-93bb-342e5e6899fb", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0638#AN1712", + "external_id": "AN1712" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1712", + "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.\nThe user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "name": "User Interface", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4.json new file mode 100644 index 0000000000..300fa0a0a5 --- /dev/null 
+++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--89613e15-0f4d-40e8-8655-0c75b292801f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0711#AN1837", + "external_id": "AN1837" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1837", + "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092.json new file mode 100644 index 0000000000..675e1cb565 --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--dee3d81d-5094-4f03-a1ca-cc2f588f9b5a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712#AN1838", + "external_id": "AN1838" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1838", + "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.\nVerified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. 
Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "name": "Sensor Health", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1.json new file mode 100644 index 0000000000..a5023510ff --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1.json 
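Review bot: The AN1838 description points defenders at Android's SafetyNet API for remote attestation, but Google has deprecated the SafetyNet Attestation API in favour of the Play Integrity API, so an analytic created in 2025 should name the current service. Suggested wording: `Android's Play Integrity API (the successor to SafetyNet attestation) provides remote attestation capabilities, ...`. The `Android-VerifiedBoot` citation still carries a retrieval date of December 21, 2016 and may need re-checking against the current documentation. The description string also appears to break across two physical lines before `Samsung Knox`; if that break is in the file and not just in this rendering, it should be an escaped `\n` or a space.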
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8c4da96a-8440-4ee8-b9fb-61bdbba9558c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0715#AN1844", + "external_id": "AN1844" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1844", + "description": "Unexpected behavior from an application could be an indicator of masquerading.\nApplication vetting services may potentially determine if an application contains suspicious code and/or metadata.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "name": "User Interface", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-analytic/x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e.json b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e.json new file mode 100644 index 0000000000..642ede7c8e --- /dev/null +++ b/mobile-attack/x-mitre-analytic/x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--98afd253-e0bc-43fa-8b50-360d25857ced", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1823", + "external_id": "AN1823" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Analytic 1823", + "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "name": "Application Vetting", + "channel": "None" + } + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json index 130c372c5d..0dcba622a5 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json 
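Review bot: The AN1823 description says the same thing twice: its first sentence and its last (`Application vetting could detect the usage of insecure or malicious third-party libraries.`) are equivalent, so the last one can be dropped. The middle sentence relies on endpoint protection software on developer workstations, yet `x_mitre_log_source_references` lists only `Application Vetting` and `x_mitre_platforms` lists only `Android`. That detection path therefore has no log source behind it. Either add a matching log source reference or move that sentence to an analytic that covers the development host.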
+++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5dc2949-9101-490f-8793-9bbcd42302b6", + "id": "bundle--719d2f5a-d8a7-4ce0-b11e-73ce8a047150", "spec_version": "2.0", "objects": [ { 
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0082", + "external_id": "DC0082" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:23.639Z", + "modified": "2025-10-21T15:14:34.190Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,414 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connection to 169.254.169.254 from EC2 workload" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=3" + }, + { + "name": "macos:unifiedlog", + "channel": "connection attempts" + }, + { + "name": "esxi:hostd", + "channel": "System service interactions" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=3, 22" + }, + { + "name": "NSM:Connections", + "channel": "web domain alerts" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=22" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect" + }, + { + "name": "auditd:SYSCALL", + "channel": "netconnect" + }, + { + "name": "macos:osquery", + "channel": "process_events/socket_events" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound Connections" + }, + { + "name": "macos:unifiedlog", + "channel": "connection open" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline" + }, + { + "name": "NSM:Flow", + "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + }, + { + "name": "NSM:Connections", + "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "open or connect" + }, + { + "name": "macos:osquery", + "channel": "execution of trusted tools interacting with external endpoints" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=22" + }, + { + "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", + "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and 
URL/remote name fields" + }, + { + "name": "NSM:Firewall", + "channel": "proxy or TLS inspection logs" + }, + { + "name": "macos:unifiedlog", + "channel": "network connection events" + }, + { + "name": "esxi:vmkernel", + "channel": "protocol egress" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms" + }, + { + "name": "NSM:Flow", + "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com" + }, + { + "name": "NSM:Flow", + "channel": "HTTPs connection to tunnels.api.visualstudio.com" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=5156" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=5156,5157" + }, + { + "name": "linux:osquery", + "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." + }, + { + "name": "macos:unifiedlog", + "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." + }, + { + "name": "NSM:Flow", + "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" + }, + { + "name": "NSM:Flow", + "channel": "connection: TCP connections to ports 139/445 to multiple hosts" + }, + { + "name": "NSM:Flow", + "channel": "connection: SMB connections to multiple internal hosts" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect/sendto" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" + }, + { + "name": "snmp:access", + "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters" + }, + { + "name": "esxi:hostd", + "channel": "Service initiated connections" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" + }, + { + "name": "AWS:VPCFlowLogs", + 
"channel": "High outbound traffic from new region resource" + }, + { + "name": "NSM:Flow", + "channel": "Outbound HTTP/S initiated by newly installed interpreter process" + }, + { + "name": "auditd:SYSCALL", + "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" + }, + { + "name": "NSM:Flow", + "channel": "outbound connections to RMM services or to unusual destination ports" + }, + { + "name": "macos:unifiedlog", + "channel": "network sessions initiated by remote desktop apps" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connections to port 22, 3389" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect with TLS context by unexpected process" + }, + { + "name": "NSM:Flow", + "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port." + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." + }, + { + "name": "NSM:Flow", + "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow." + }, + { + "name": "NSM:Flow", + "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow." 
+ }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change" + }, + { + "name": "cni:netflow", + "channel": "outbound connection to internal or external APIs" + }, + { + "name": "macos:osquery", + "channel": "launchd or network_events" + }, + { + "name": "networkdevice:syslog", + "channel": "Dynamic route changes" + }, + { + "name": "NSM:Flow", + "channel": "New egress to Internet by the same UID/host shortly after terminal exec" + }, + { + "name": "NSM:Flow", + "channel": "connection: Inbound connections to SSH or VPN ports" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound connections to VNC/SSH ports" + }, + { + "name": "NSM:Flow", + "channel": "External access to container ports (2375, 6443)" + }, + { + "name": "linux:syslog", + "channel": "network" + }, + { + "name": "macos:osquery", + "channel": "process_events + launchd" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" + }, + { + "name": "ebpf:syscalls", + "channel": "socket connect" + }, + { + "name": "NSM:Flow", + "channel": "remote access" + }, + { + "name": "NSM:Flow", + "channel": "Outbound Connections" + }, + { + "name": "macos:unifiedlog", + "channel": "network" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic observed on mirror destination instance" + }, + { + "name": "networkdevice:Flow", + "channel": "Traffic from mirrored interface to mirror target IP" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=3" + }, + { + "name": "macos:osquery", + "channel": "process_events, socket_events" + }, + { + "name": "esxi:vmkernel", + "channel": "network activity" + }, + { + "name": "NSM:Flow", + "channel": "connection attempts" + }, + { + "name": "NSM:Flow", + "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs" + }, + { + "name": "auditd:SYSCALL", + "channel": "sendto/connect" + }, + { + "name": "NSM:Flow", + 
"channel": "outbound connections from host during or immediately after image build" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound Traffic" + }, + { + "name": "esxi:hostd", + "channel": "Service-Based Network Connection" + }, + { + "name": "linux:syslog", + "channel": "postfix/smtpd" + }, + { + "name": "NSM:Flow", + "channel": "new outbound connection from browser/office lineage" + }, + { + "name": "NSM:Flow", + "channel": "new outbound connection from exploited lineage" + }, + { + "name": "macos:osquery", + "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" + }, + { + "name": "auditd:SYSCALL", + "channel": "outbound connections" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or socket" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream network activity" + }, + { + "name": "NSM:Flow", + "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/bind: Process binds to a new local port shortly after knock" + }, + { + "name": "NSM:Flow", + "channel": "Closed-port hits followed by success from same src_ip" + }, + { + "name": "NSM:Flow", + "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock" + }, + { + "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig", + "channel": "8001, 8002, 8003" + }, + { + "name": "linux:syslog", + "channel": "New Wi-Fi connection established or repeated association failures" + }, + { + "name": "macos:unifiedlog", + "channel": "Association and authentication events including failures and new SSIDs" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect calls showing SSH 
processes forwarding arbitrary ports" + }, + { + "name": "esxi:vmkernel", + "channel": "network session initiation with external HTTPS services" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=8001" + }, + { + "name": "linux:syslog", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat,connect -k discovery" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected inbound/outbound TFTP traffic for device image files" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json index 8a5ca7abfb..ad562a5447 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37ea4127-b2ea-4313-86c9-30cb82b10d73", + "id": "bundle--6b2ed644-47ac-4bc8-b030-345ee8752fe7", "spec_version": "2.0", "objects": [ { 
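Review bot: The `channel` values in the added `x_mitre_log_sources` array for Network Connection Creation mix several formats, which makes the list hard to consume programmatically. Windows event IDs appear as `EventCode=3`, `EventCode=3, 22`, `EventCode=5156,5157` and bare `8001, 8002, 8003`; `macos:osquery` has both `process_events/socket_events` and `process_events, socket_events`; other entries are log file names (`conn.log`) or free-text detection narratives. Several entries overlap, for example `WinEventLog:Sysmon` with `EventCode=3`, `EventCode=22` and `EventCode=3, 22`. Normalising to one entry per event ID with a single separator convention, then de-duplicating, would let detection tooling map entries to queries without string heuristics.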
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0085", + "external_id": "DC0085" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:16.672Z", + "modified": "2025-10-21T15:14:34.343Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,966 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "ebpf:syscalls", + "channel": "Process within container accesses link-local address 169.254.169.254" + }, + { + "name": "WebProxy:AccessLogs", + "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log / xmpp.log (custom log feeds)" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log or AMQP custom log" + }, + { + "name": "NSM:Flow", + "channel": "mqtt.log, xmpp.log, amqp.log" + }, + { + "name": "networkdevice:syslog", + "channel": "ACL/Firewall rule modification or new route injection" + }, + { + "name": "m365:office", + "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" + }, + { + "name": "NSM:Flow", + "channel": "TCP/UDP" + }, + { + "name": "NSM:Flow", + "channel": "TCP session tracking" + }, + { + "name": "NSM:Flow", + "channel": "Captured packet payloads" + }, + { + "name": "NSM:Flow", + "channel": "session behavior" + }, + { + "name": "esxi:vmkernel", + "channel": "Network activity" + }, + { + "name": "NSM:Flow", + "channel": "External C2 channel over TLS" + }, + { + "name": "NSM:Flow", + "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects" + }, + { + "name": "NSM:Flow", + "channel": "http.log, files.log" + }, + { + "name": "NSM:Flow", + "channel": "unexpected network activity initiated shortly after shell session starts" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ssl.log" + }, + { + "name": "NSM:Flow", + "channel": "http.log, conn.log" + }, + { + "name": 
"NSM:Flow", + "channel": "SPAN or port-mirrored HTTP/S" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ssl.log, websocket.log" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network metrics correlation for bandwidth saturation" + }, + { + "name": "docker:stats", + "channel": "unusual network TX/RX byte deltas" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "HTTPS Inspection" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log" + }, + { + "name": "linux:syslog", + "channel": "Query to suspicious domain with high entropy or low reputation" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS query with pseudo-random subdomain patterns" + }, + { + "name": "azure:vpcflow", + "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Browser connections to known C2 or dynamic DNS domains" + }, + { + "name": "NSM:Flow", + "channel": "Session History Reset" + }, + { + "name": "NSM:Flow", + "channel": "HTTP " + }, + { + "name": "macos:unifiedlog", + "channel": "network flow" + }, + { + "name": "linux:syslog", + "channel": "curl|wget|python .*http" + }, + { + "name": "macos:unifiedlog", + "channel": "curl|osascript.*open location" + }, + { + "name": "NSM:Flow", + "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes" + }, + { + "name": "etw:Microsoft-Windows-NDIS-PacketCapture", + "channel": "TLS Handshake/Network Flow" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/TLS Logs" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.network" + }, + { + "name": "linux:syslog", + "channel": "Unexpected SQL or application log entries showing tampered or malformed data" + }, + { + "name": "EDR:hunting", + "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method 
GET/POST" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners" + }, + { + "name": "macos:unifiedlog", + "channel": "open URL|clicked link|LSQuarantineAttach" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious GET/POST; downloader patterns" + }, + { + "name": "NSM:Flow", + "channel": "SSH logins or scp activity" + }, + { + "name": "NSM:Flow", + "channel": "remote login and transfer" + }, + { + "name": "esxi:vob", + "channel": "NFS/remote access logs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic between instances" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs" + }, + { + "name": "NSM:Flow", + "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators" + }, + { + "name": "NSM:Flow", + "channel": "outbound egress from web host after suspicious request" + }, + { + "name": "NSM:Flow", + "channel": "Requests towards cloud metadata or command & control from pod IPs" + }, + { + "name": "ALB:HTTPLogs", + "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" + }, + { + "name": "NSM:Flow", + "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources" + }, + { + "name": "NSM:Flow", + "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane" + }, + { + "name": "NSM:Flow", + "channel": "packet capture or DPI logs" + }, + { + "name": "NSM:Flow", + "channel": "http.log" + }, + { + "name": "NSM:Flow", + "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT" + }, + { + "name": "macos:unifiedlog", + "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" + }, + { + 
"name": "NSM:Flow", + "channel": "Unusual Base64-encoded content in URI, headers, or POST body" + }, + { + "name": "NSM:Flow", + "channel": "Base64 strings or gzip in URI, headers, or POST body" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTP POST with encoded content in user-agent or cookie field" + }, + { + "name": "esxi:vmkernel", + "channel": "Outbound traffic using encoded payloads post-login" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" + }, + { + "name": "NSM:Flow", + "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval." + }, + { + "name": "NSM:Flow", + "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host." + }, + { + "name": "NSM:Flow", + "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host." + }, + { + "name": "NSM:Flow", + "channel": "Inbound to 22/5900/8080 and follow-on internal connections." 
+ }, + { + "name": "NSM:Flow", + "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP body contains long Base64 sections" + }, + { + "name": "NSM:Flow", + "channel": "http: Base64/MIME looking payloads from ESXi host IP" + }, + { + "name": "NSM:Flow", + "channel": "LDAP Bind/Search" + }, + { + "name": "NSM:Flow", + "channel": "LDAP Query" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream (subsystem: com.apple.system.networking)" + }, + { + "name": "NSM:Flow", + "channel": "smtp.log" + }, + { + "name": "NSM:Flow", + "channel": "smtp.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "remote CLI session detection" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted connection with anomalous payload entropy" + }, + { + "name": "esxcli:network", + "channel": "Socket sessions with randomized payloads inconsistent with TLS" + }, + { + "name": "NSM:Connections", + "channel": "Symmetric encryption detected without TLS handshake sequence" + }, + { + "name": "NSM:Flow", + "channel": "http.log, ftp.log" + }, + { + "name": "NSM:Flow", + "channel": "PCAP inspection" + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS POST requests to webhook endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to webhook endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip." + }, + { + "name": "NSM:Flow", + "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip." + }, + { + "name": "NSM:Flow", + "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow." 
+ }, + { + "name": "networkdevice:config", + "channel": "NAT table modification (add/update/delete rule)" + }, + { + "name": "NSM:Flow", + "channel": "large upload to firmware interface port or path" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" + }, + { + "name": "NSM:Flow", + "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources" + }, + { + "name": "NSM:Flow", + "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains" + }, + { + "name": "NSM:Flow", + "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)" + }, + { + "name": "NSM:Connections", + "channel": "TLS handshake + HTTP headers" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log + http.log" + }, + { + "name": "macos:unifiedlog", + "channel": "network, socket, and http logs" + }, + { + "name": "NSM:Firewall", + "channel": "TLS/HTTP inspection" + }, + { + "name": "NSM:Flow", + "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture" + }, + { + "name": "container:proxy", + "channel": "outbound/inbound network activity from spawned pods" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound to non-standard ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content" + }, + { + "name": "NSM:Flow", + "channel": "Session Transfer Content" + }, + { + "name": "NSM:Flow", + "channel": "Captured File Content" + }, + { + "name": "NSM:Flow", + "channel": "C2 exfiltration" + }, + { + "name": "NSM:Flow", + "channel": "Transferred file observations" + }, + { + "name": "apache:access_log", + 
"channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" + }, + { + "name": "NSM:Flow", + "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity" + }, + { + "name": "NSM:Flow", + "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage" + }, + { + "name": "NSM:Flow", + "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions" + }, + { + "name": "NSM:Flow", + "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs" + }, + { + "name": "NSM:Flow", + "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot" + }, + { + "name": "docker:events", + "channel": "remote API calls to /containers/create or /containers/{id}/start" + }, + { + "name": "NSM:Flow", + "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install" + }, + { + "name": "linux:syslog", + "channel": "Integrity mismatch warnings or malformed packets detected" + }, + { + "name": "NSM:Flow", + "channel": "http::request: Outbound HTTP initiated by Python interpreter" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "Outbound requests with forged tokens/cookies in headers" + }, + { + "name": "linux:syslog", + "channel": "DNS response IPs followed by connections to non-standard calculated ports" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS responses followed by connections to ports outside standard ranges" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound traffic to mining domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted session initiation by unexpected binary" + }, + { + "name": "esxi:vmkernel", + "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" + }, + { + "name": "NSM:Connections", + "channel": "Abnormal certificate 
chains or non-standard ports carrying TLS" + }, + { + "name": "NSM:Flow", + "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs." + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS POST requests to text storage domains" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to pastebin-like domains" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers" + }, + { + "name": "NSM:Flow", + "channel": "TLS downgrade or inconsistent DNS answers" + }, + { + "name": "NSM:Flow", + "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" + }, + { + "name": "networkconfig ", + "channel": "interface flag PROMISC, netstat | ip link | ethtool" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'promiscuous'" + }, + { + "name": "networkdevice:syslog", + "channel": "config change (e.g., logging buffered, pcap buffers)" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to code repository APIs" + }, + { + "name": "azure:activity", + "channel": "networkInsightsLogs" + }, + { + "name": "gcp:audit", + "channel": "network.query*" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Unusual external domain access" + }, + { + "name": "NSM:Flow", + "channel": "conn.log or http.log" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs" + }, + { + "name": "NSM:Flow", + "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently" + }, + { + "name": "NSM:Flow", + "channel": "http: suspicious long tokens with custom alphabets in 
body/headers" + }, + { + "name": "NSM:Flow", + "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens" + }, + { + "name": "NSM:Flow", + "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols" + }, + { + "name": "NSM:Flow", + "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts" + }, + { + "name": "NSM:Flow", + "channel": "Egress to non-approved networks from host after terminal exec" + }, + { + "name": "NSM:Flow", + "channel": "Flow/PCAP analysis for outbound payloads" + }, + { + "name": "NSM:Flow", + "channel": "conn.log + files.log + ssl.log" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'open', 'sendto', 'connect'" + }, + { + "name": "NSM:Flow", + "channel": "HTTPS or custom protocol traffic with large payloads" + }, + { + "name": "esxi:vmkernel", + "channel": "network stack module logs" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected script or binary content returned in HTTP response body" + }, + { + "name": "NSM:Flow", + "channel": "Injected content responses with unexpected script/malware signatures" + }, + { + "name": "NSM:Flow", + "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads" + }, + { + "name": "NSM:Firewall", + "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" + }, + { + "name": "NSM:Firewall", + "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" + }, + { + "name": "saas:confluence", + "channel": "REST API access from non-browser agents" + }, + { + "name": "Netfilter/iptables", + "channel": "Forwarded packets log" + }, + { + "name": "NSM:Flow", + "channel": "Relay patterns across IP hops" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound encrypted traffic" + }, + { + "name": "NSM:Flow", + "channel": "ldap.log" + }, 
+ { + "name": "macos:unifiedlog", + "channel": "dns-sd, mDNSResponder, socket activity" + }, + { + "name": "networkdevice:IDS", + "channel": "content inspection / PCAP / HTTP body" + }, + { + "name": "NSM:Flow", + "channel": "Probe responses from unauthorized APs responding to client probe requests" + }, + { + "name": "auditd:SYSCALL", + "channel": "setsockopt, ioctl modifying ARP entries" + }, + { + "name": "NSM:Flow", + "channel": "Excessive gratuitous ARP replies on local subnet" + }, + { + "name": "NSM:Flow", + "channel": "Inbound HTTP POST with suspicious payload size or user-agent" + }, + { + "name": "NSM:Flow", + "channel": "POST requests to .php, .jsp, .aspx files with high entropy body" + }, + { + "name": "NSM:Flow", + "channel": "dns.log" + }, + { + "name": "NSM:FLow", + "channel": "dns.log" + }, + { + "name": "NSM:Flow", + "channel": "Encrypted tunnels or proxy traffic to non-standard destinations" + }, + { + "name": "esxi:vmkernel", + "channel": "Suspicious traffic filtered or redirected by VM networking stack" + }, + { + "name": "NSM:Flow", + "channel": "large transfer from management IPs to unauthorized host" + }, + { + "name": "NSM:Flow", + "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, smb_files.log" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "mirror/SPAN port" + }, + { + "name": "NSM:Flow", + "channel": "ftp.log, conn.log, smb_files.log" + }, + { + "name": "linux:syslog", + "channel": "Multiple NXDOMAIN responses and high entropy domains" + }, + { + "name": "NSM:Flow", + "channel": "SSL/TLS Inspection or PCAP" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, ssl.log" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network activity" + }, + { + "name": "NSM:Flow", + "channel": "http, dns, smb, ssl logs" + }, + { + "name": "NSM:Flow", + "channel": "dns, ssl, 
conn" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, http.log, dns.log, ssl.log" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" + }, + { + "name": "NSM:Flow", + "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)" + }, + { + "name": "NSM:Flow", + "channel": "icmp.log, weird.log" + }, + { + "name": "NSM:Flow", + "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)" + }, + { + "name": "esxi:vmkernel", + "channel": "VMCI syslog entries" + }, + { + "name": "NSM:Firewall", + "channel": "ICMP/UDP protocol anomaly" + }, + { + "name": "NSM:Flow", + "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts" + }, + { + "name": "NSM:Flow", + "channel": "DHCP OFFER or ACK with unauthorized DNS/gateway parameters" + }, + { + "name": "NSM:Flow", + "channel": "Multiple DHCP OFFER responses for a single DISCOVER" + }, + { + "name": "NSM:Flow", + "channel": "SSL/TLS Handshake Analysis" + }, + { + "name": "NSM:Flow", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Flow", + "channel": "Network Capture TLS/HTTP" + }, + { + "name": "NSM:Content", + "channel": "SSL Certificate Metadata" + }, + { + "name": "NSM:Content", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Content", + "channel": "TLS Fingerprint and Certificate Analysis" + }, + { + "name": "NSM:Flow", + "channel": "container egress to unknown IPs/domains" + }, + { + "name": "gcp:vpcflow", + "channel": "first 5m egress to unknown ASNs" + }, + { + "name": "NSM:Flow", + "channel": "HTTP Request Logging" + }, + { + "name": "WinEventLog:iis", + "channel": "IIS Logs" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.WebKit" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" + }, + { + "name": "NSM:Flow", + "channel": "ssh connections 
originating from third-party CIDRs" + }, + { + "name": "NSM:Flow", + "channel": "ssh/smb connections to internal resources from third-party devices" + }, + { + "name": "NSM:Flow", + "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)" + }, + { + "name": "NSM:Flow", + "channel": "host switch egress data" + }, + { + "name": "NSM:Flow", + "channel": "Outbound HTTP/S" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log - Certificate Analysis" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log, conn.log" + }, + { + "name": "NSM:Flow", + "channel": "ssl.log, x509.log" + }, + { + "name": "NSM:Flow", + "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)" + }, + { + "name": "WIDS:AssociationLogs", + "channel": "Unauthorized AP or anomalous MAC address connection attempts" + }, + { + "name": "macos:unifiedlog", + "channel": "encrypted outbound traffic carrying unexpected application data" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound with non-standard encapsulated protocols" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound connections with consistent periodicity" + }, + { + "name": "macos:unifiedlog", + "channel": "TLS connections with abnormal handshake sequence or self-signed cert" + }, + { + "name": "esxcli:network", + "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + }, + { + "name": "IDS:TLSInspection", + "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + }, + { + "name": "macos:unifiedlog", + "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + }, + { + 
"name": "macos:unifiedlog", + "channel": "outbound TLS connections to cloud storage providers" + }, + { + "name": "saas:box", + "channel": "API calls exceeding baseline thresholds" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to cloud storage APIs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "WinINet API telemetry" + }, + { + "name": "macos:unifiedlog", + "channel": "process, network" + }, + { + "name": "NSM:Connections", + "channel": "Unusual POST requests to admin or upload endpoints" + }, + { + "name": "NSM:Flow", + "channel": "Suspicious POSTs to upload endpoints" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures or unusual community string usage in SNMP queries" + }, + { + "name": "API:ConfigRepoAudit", + "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + }, + { + "name": "NSM:Content", + "channel": "Traffic on RPC DRSUAPI" + }, + { + "name": "macos:unifiedlog", + "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json index 074fe3afab..57b86ca81c 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ba9be01-c300-440d-ad65-854e77a0499d", + "id": "bundle--705c9d84-33d9-4141-b5f2-1fac921b62fc", "spec_version": "2.0", "objects": [ { 
@@ -9,13 +9,20 @@
 "created": "2021-10-20T15:05:19.272Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/data-components/DC0032",
+ "external_id": "DC0032"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T15:10:27.797Z",
+ "modified": "2025-10-21T19:28:39.339Z",
 "name": "Process Creation",
 "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. 
",
- "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_data_source_ref": "",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_domains": [ 
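Review bot: The new `"x_mitre_data_source_ref": ""` line replaces a STIX identifier with an empty string, which is not a valid object reference. A consumer that resolves or schema-validates this field may reject the data component or look up an empty id instead of treating the parent link as absent. If the data-source link is being retired (presumably tied to the `x_mitre_attack_spec_version` bump to `3.3.0` in the following hunk), omitting the key would state that more clearly than blanking it, i.e. drop the `"x_mitre_data_source_ref"` line entirely. Detection tooling that pivots from data component to data source should be checked against whichever form ships. The enclosing object starts before this hunk and continues past it.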
@@ -23,8 +30,1302 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream 'eventMessage contains pubsub or broker'" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=1" + }, + { + "name": "linux:osquery", + "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution path inconsistent with baseline PATH directories" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4688" + }, + { + "name": "linux:osquery", + "channel": "process_events" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec" + }, + { + "name": "macos:osquery", + "channel": "processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl with suspicious arguments" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve network tools" + }, + { + "name": "macos:osquery", + "channel": "process_events" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to soffice.bin with suspicious macro execution flags" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts" + }, + { + "name": "macos:osquery", + "channel": "process reading browser configuration paths" + }, + { + "name": "macos:unifiedlog", + "channel": "exec logs" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: Process execution context for loaders 
calling dlopen/dlsym" + }, + { + "name": "auditd:EXECVE", + "channel": "EXECVE" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of unexpected binaries during user shell startup" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of Terminal.app or shell with non-standard environment setup" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of systemctl or service stop" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of launchctl or pkill" + }, + { + "name": "macos:unifiedlog", + "channel": "process::exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context" + }, + { + "name": "macos:osquery", + "channel": "Execution of non-standard binaries accessing Kerberos APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Electron-based binary spawning shell or script interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "Electron app spawning unexpected child process" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history or /etc/init.d/*" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls with high-frequency or known bandwidth-intensive tools" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or spawn calls to proxy tools or torrent clients" + }, + { + "name": "containers:osquery", + "channel": "bandwidth-intensive command execution from within a container namespace" + }, + { + "name": "macos:unifiedlog", + "channel": "process launch" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security, sqlite3, or unauthorized binaries" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected applications generating 
outbound DNS queries" + }, + { + "name": "linux:Sysmon", + "channel": "EventCode=1" + }, + { + "name": "macos:osquery", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected child process of Safari or Chrome" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks" + }, + { + "name": "macos:unifiedlog", + "channel": "process writes or modifies files in excluded paths" + }, + { + "name": "macos:unifiedlog", + "channel": "process" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.mail.* exec.*" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)" + }, + { + "name": "esxi:vobd", + "channel": "/var/log/vobd.log" + }, + { + "name": "kubernetes:apiserver", + "channel": "kubectl exec or kubelet API calls targeting running pods" + }, + { + "name": "docker:audit", + "channel": "Process execution events within container namespace context" + }, + { + "name": "auditd:SYSCALL", + "channel": "process persists beyond parent shell termination" + }, + { + "name": "macos:unifiedlog", + "channel": "background process persists beyond user logout" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)" + }, + { + "name": "macos:unifiedlog", + "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns" + }, + { + "name": "esxi:hostd", + "channel": "process execution across cloud VM" + }, + { + "name": "auditd:EXECVE", + "channel": "systemctl spawning managed processes" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "macos:unifiedlog", 
+ "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec events where web process starts a shell/tooling" + }, + { + "name": "docker:events", + "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container" + }, + { + "name": "macos:unifiedlog", + "channel": "exec of osascript, bash, curl with suspicious parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list" + }, + { + "name": "macos:osquery", + "channel": "process_events OR launchd" + }, + { + "name": "auditd:EXECVE", + "channel": "execve" + }, + { + "name": "macos:osquery", + "channel": "launchd or process_events" + }, + { + "name": "macos:unifiedlog", + "channel": "process and file events via log stream" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of scripts or binaries spawned from browser processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Browser processes launching unexpected interpreters (osascript, bash)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files" + }, + { + "name": "auditd:SYSCALL", + "channel": "EXECVE" + }, + { + "name": "macos:unifiedlog", + "channel": "process:exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email 
client" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity." + }, + { + "name": "macos:osquery", + "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes." + }, + { + "name": "macos:unifiedlog", + "channel": "process activity stream" + }, + { + "name": "auditd:SYSCALL", + "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root" + }, + { + "name": "macos:unifiedlog", + "channel": "Post-login execution of unrecognized child process from launchd or loginwindow" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags" + }, + { + "name": "macos:unifiedlog", + "channel": "process command line contains base64, -enc, openssl enc -base64" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: arguments contain Base64-like strings" + }, + { + "name": "esxi:shell", + "channel": "commands containing base64, openssl enc -base64, xxd -p" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of process launched via loginwindow session restore" + }, + { + "name": "macos:unifiedlog", + "channel": "process: exec + filewrite: ~/.ssh/authorized_keys" + }, + { + "name": "containerd:runtime", + "channel": "/var/log/containers/*.log" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Java apps or other processes with hidden window attributes" + }, + { + "name": "macos:unifiedlog", + "channel": "Process Execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve on code or jetbrains-gateway with remote flags" + }, + { + "name": "macos:unifiedlog", + "channel": "process: code or jetbrains-gateway launching with --tunnel or 
--remote" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd, shred, wipe targeting block devices" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of sleep or ping command within script interpreted by bash/python" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or socket/connect system calls from processes using crypto libraries" + }, + { + "name": "macos:unifiedlog", + "channel": "Process using AES/RC4 routines unexpectedly" + }, + { + "name": "linux:osquery", + "channel": "execution of known firewall binaries" + }, + { + "name": "auditd:SYSCALL", + "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime" + }, + { + "name": "linux:osquery", + "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'" + }, + { + "name": "macos:unifiedlog", + "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\"" + }, + { + "name": "macos:osquery", + "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of osascript, curl, or unexpected automation" + }, + { + "name": "macos:unifiedlog", + "channel": "exec /usr/bin/pwpolicy" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw." + }, + { + "name": "linux:syslog", + "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf." 
+ }, + { + "name": "OpenBSM:AuditTrail", + "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations." + }, + { + "name": "macos:unifiedlog", + "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters." + }, + { + "name": "auditd:EXECVE", + "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of known flash tools (e.g., flashrom, fwupd)" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API" + }, + { + "name": "macos:endpointSecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)" + }, + { + "name": "macos:osquery", + "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)" + }, + { + "name": "macos:unifiedlog", + "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary" + }, + { + "name": "auditd:EXECVE", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "process:launch" + }, + { + "name": "auditd:EXECVE", + "channel": "Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of smbclient, smbmap, rpcclient, 
nmblookup, crackmapexec smb" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\"" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of scp, rsync, curl with remote destination" + }, + { + "name": "macos:unifiedlog", + "channel": "logMessage contains pbpaste or osascript" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)" + }, + { + "name": "macos:unifiedlog", + "channel": "process launch of diskutil or system_profiler with SPStorageDataType" + }, + { + "name": "esxi:hostd", + "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail.app executing with parameters updating rules state" + }, + { + "name": "esxi:shell", + "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera" + }, + { + "name": "kubernetes:apiserver", + "channel": "exec into pod followed by secret retrieval via API" + }, + { + "name": "macos:unifiedlog", + "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")" + }, + { + "name": "macos:unifiedlog", + "channel": "exec srm|exec openssl|exec gpg" + }, + { + "name": "linux:osquery", + "channel": "Process execution with LD_PRELOAD or modified library path" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of process with DYLD_INSERT_LIBRARIES set" + }, + { + "name": "linux:Sysmon", + "channel": "process creation events linked to container namespaces executing host-level binaries" + }, + { + "name": "WinEventlog:Security", + "channel": "EventCode=4688" + }, + { + "name": "macos:unifiedlog", + "channel": "process and signing chain events" + }, + { + 
"name": "macos:unifiedlog", + "channel": "launchservices events for misleading extensions" + }, + { + "name": "fs:fsusage", + "channel": "Execution of disguised binaries" + }, + { + "name": "linux:osquery", + "channel": "process listening or connecting on non-standard ports" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd services binding to non-standard ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, connect" + }, + { + "name": "esxi:cron", + "channel": "process or cron activity" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binaries with unsigned or anomalously signed certificates" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve logging for /usr/bin/systemctl and systemd-run" + }, + { + "name": "macos:osquery", + "channel": "Invocation of osascript or dylib injection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of files saved in mail or download directories" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview" + }, + { + "name": "macos:unifiedlog", + "channel": "process events" + }, + { + "name": "linux:syslog", + "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3" + }, + { + "name": "macos:unifiedlog", + "channel": "Process start of Java or native DB client tools" + }, + { + "name": "macos:unifiedlog", + "channel": "loginwindow or tccd-related entries" + }, + { + "name": "macos:osquery", + "channel": "query: process_events, launchd, and tcc.db access" + }, + { + "name": "ebpf:syscalls", + "channel": "process execution or network connect from just-created container PID namespace" + 
}, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of pip, npm, gem, or similar package managers" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal" + }, + { + "name": "auditd:SYSCALL", + "channel": "fork/exec of service via PID 1 (systemd)" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of ssh/scp/sftp without corresponding authentication log" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of ssh or sftp without corresponding login event" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of remote desktop app or helper binary" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected processes making network calls based on DNS-derived ports" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl spawning new processes" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl activity and process creation" + }, + { + "name": "containerd:events", + "channel": "New container with suspicious image name or high resource usage" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries" + }, + { + "name": "linux:osquery", + "channel": "Processes linked with libssl or crypto libraries making outbound connections" + }, + { + "name": "macos:unifiedlog", + "channel": "Process invoking SSL routines from Security framework" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binary listed in newly modified LaunchAgent plist" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of bless or nvram modifying boot parameters" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected 
processes registered with launchd" + }, + { + "name": "macos:unifiedlog", + "channel": "Process launch" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, osascript, or unexpected Office processes" + }, + { + "name": "macos:osquery", + "channel": "exec" + }, + { + "name": "macos:unifiedlog", + "channel": "Trust validation failures or bypass attempts during notarization and code signing checks" + }, + { + "name": "esxi:vmkernel", + "channel": "spawned shell or execution environment activity" + }, + { + "name": "macos:unifiedlog", + "channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets" + }, + { + "name": "m365:defender", + "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)" + }, + { + "name": "macos:unifiedlog", + "channel": "execve or dylib load from memory without backing file" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)." 
+ }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers." + }, + { + "name": "esxi:shell", + "channel": "Shell Execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Unusual child process tree indicating attempted recovery after crash" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of processes mimicking Apple Security & Privacy GUIs" + }, + { + "name": "WinEventLog:Microsoft-Windows-Security-Auditing", + "channel": "EventCode=4688" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, setifflags" + }, + { + "name": "macos:osquery", + "channel": "process_events where path like '%tcpdump%'" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of dd, shred, or wipe with arguments targeting block devices" + }, + { + "name": "auditd:EXECVE", + "channel": "systemctl stop auditd, kill -9 , or modifications to /etc/selinux/config" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, git, or Office processes with network connections" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - process subsystem" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless" + }, + { + "name": "macos:unifiedlog", + "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx" + }, + { + "name": "macos:unifiedlog", + "channel": "process logs" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets" + }, + { + "name": 
"macos:unifiedlog", + "channel": "command line or log output shows non-standard encoding routines" + }, + { + "name": "esxi:shell", + "channel": "commands containing long non-standard tokens or custom lookup tables" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc." + }, + { + "name": "macos:unifiedlog", + "channel": "execve: Helper tools invoked through XPC executing unexpected binaries" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of modified binary without valid signature" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'" + }, + { + "name": "macos:unifiedlog", + "channel": "process created with repeated ICMP or UDP flood behavior" + }, + { + "name": "fs:fsusage", + "channel": "binary execution of security_authtrampoline" + }, + { + "name": "macos:unifiedlog", + "channel": "process: exec" + }, + { + "name": "esxi:vmkernel", + "channel": "Exec" + }, + { + "name": "macos:unifiedlog", + "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of older or non-standard interpreters" + }, + { + "name": "linux:osquery", + "channel": "process execution events for permission modification utilities with command-line analysis" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for chmod, chown, chflags with parameter 
analysis and target path examination" + }, + { + "name": "macos:osquery", + "channel": "process execution monitoring for permission modification utilities with command-line argument analysis" + }, + { + "name": "auditd:SYSCALL", + "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs" + }, + { + "name": "macos:osquery", + "channel": "Execution of flooding tools or compiled packet generators" + }, + { + "name": "esxi:hostd", + "channel": "process" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve for proxy tools" + }, + { + "name": "macos:unifiedlog", + "channel": "process, socket, and DNS logs" + }, + { + "name": "macos:osquery", + "channel": "process_events table" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line containing `trap` or `echo 'trap` written to login shell files" + }, + { + "name": "macos:unifiedlog", + "channel": "log collect --predicate" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or nanosleep with no stdout/stderr I/O" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd or osascript spawns process with delay command" + }, + { + "name": "linux:syslog", + "channel": "systemd-udevd spawning user-defined action from RUN+=" + }, + { + "name": "ebpf:syscalls", + "channel": "execve" + }, + { + "name": "macos:unifiedlog", + "channel": "process:spawn" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'eventMessage contains \"exec\"'" + }, + { + "name": "auditd:EXECVE", + "channel": "cat|less|grep accessing .bash_history from a non-shell process" + }, + { + "name": "auditd:EXECVE", + "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of dpkg, rpm, or other package manager with list flag" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of system_profiler or osascript invoking enumeration" + }, + { + "name": "auditd:SYSCALL", + 
"channel": "apache2 or nginx spawning sh, bash, or python interpreter" + }, + { + "name": "macos:unifiedlog", + "channel": "httpd spawning bash, zsh, python, or osascript" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security or osascript" + }, + { + "name": "WinEventLog:security", + "channel": "EventCode=4688" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of ping, nping, or crafted network packets via bash or python to reflection services" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs" + }, + { + "name": "macos:unifiedlog", + "channel": "System process modifications altering DNS/proxy settings" + }, + { + "name": "containerd:Events", + "channel": "unusual process spawned from container image context" + }, + { + "name": "macos:osquery", + "channel": "curl, python scripts, rsync with internal share URLs" + }, + { + "name": "macos:unifiedlog", + "channel": "process: spawn, exec" + }, + { + "name": "macos:osquery", + "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected apps performing repeated DNS lookups" + }, + { + "name": "macos:unifiedlog", + "channel": "launchservices or loginwindow events" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve with LD_PRELOAD or linker-related environment variables set" + }, + { + "name": "macos:unifiedlog", + "channel": 
"execution of process with DYLD_INSERT_LIBRARIES set" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of re-parented process" + }, + { + "name": "linux:osquery", + "channel": "Anomalous parent PID change" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation with parent PID of 1 (launchd)" + }, + { + "name": "linux:osquery", + "channel": "child process invoking dynamic linker post-ptrace" + }, + { + "name": "macos:osquery", + "channel": "Processes executing kextload, spctl, or modifying kernel extension directories" + }, + { + "name": "macos:osquery", + "channel": "Unsigned or ad-hoc signed process executions in user contexts" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of diskutil or hdiutil attaching hidden partitions" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis" + }, + { + "name": "macos:osquery", + "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation" + }, + { + "name": "macos:unifiedlog", + "channel": "Unexpected apps generating frequent DNS queries" + }, + { + "name": "macos:unifiedlog", + "channel": "process exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "Non-standard processes invoking financial applications or payment APIs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells" + }, + { + "name": "auditd:SYSCALL", + "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system" + }, + { + "name": 
"macos:unifiedlog", + "channel": "Process exec of remote-control apps or binaries with headless/connect flags" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl unload, kill, or removal of security agent daemons" + }, + { + "name": "macos:unifiedlog", + "channel": "process activity, exec events" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream process subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "process:exec and kext load events" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'" + }, + { + "name": "WinEventLog:Microsoft-Windows-DotNETRuntime", + "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of network stress tools or anomalies in socket/syscall behavior" + }, + { + "name": "macos:unifiedlog", + "channel": "Unsigned binary execution following SIP change" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond" + }, + { + "name": "WinEventLog:AppLocker", + "channel": "EventCode=8003,8004" + }, + { + "name": "auditd:SYSCALL", + "channel": 
"execve, unlink" + }, + { + "name": "macos:osquery", + "channel": "launchd, processes" + }, + { + "name": "linux:osquery", + "channel": "socat, ssh, or nc processes opening unexpected ports" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution of ssh with -L/-R forwarding flags" + }, + { + "name": "macos:unifiedlog", + "channel": "launchd or cron spawning mining binaries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve or socket/connect system calls for processes using RSA handshake" + }, + { + "name": "macos:unifiedlog", + "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs" + }, + { + "name": "azure:vmguest", + "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Script interpreter invoked by nginx/apache worker process" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of Office binaries with network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "launch of bash/zsh/python/osascript targeting key file locations" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of /sbin/emond with child processes launched" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete" + }, + { + "name": "macos:unifiedlog", + "channel": "shutdown -h now or reboot" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags" + }, + { + "name": "macos:unifiedlog", + "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis" + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "BSM audit events for process execution and system call monitoring during 
reconnaissance" + }, + { + "name": "esxi:hostd", + "channel": "host daemon events related to VM operations and configuration queries during reconnaissance" + }, + { + "name": "esxi:vmkernel", + "channel": "VMware kernel events for hardware and system configuration access during environmental validation" + }, + { + "name": "linux:osquery", + "channel": "processes modifying environment variables related to history logging" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of curl, rclone, or Office apps invoking network sessions" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information" + }, + { + "name": "macos:endpointsecurity", + "channel": "exec events" + }, + { + "name": "macos:unifiedlog", + "channel": "Process creation involving binaries interacting with resource fork data" + }, + { + "name": "macos:unifiedlog", + "channel": "process event" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of suspicious exploit binaries targeting security daemons" + }, + { + "name": "macos:osquery", + "channel": "execve: Unsigned or unnotarized processes launched with high privileges" + }, + { + "name": "macos:unifiedlog", + "channel": "security OR injection attempts into 1Password OR LastPass" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json index 6ae79d2886..47415c0bfc 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74c91a9d-2800-4cbb-85ec-82b5a12b7cfb", + "id": "bundle--cf679bd9-9993-414f-825b-a42d5819e382", "spec_version": "2.0", "objects": [ { @@ -9,20 +9,32 @@ "created": "2023-03-13T20:48:14.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0118", + "external_id": "DC0118" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:21.541Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "System Settings", "description": "Settings visible to the user on the device", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json index 834f54f77b..5d0e05e9ff 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c710a33d-8d59-4ad0-aa06-72fbe060ed5c", + "id": "bundle--7a9a3185-4ab9-463d-bace-e131800aa39d", "spec_version": "2.0", "objects": [ { 
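Review bot: In the `@@ -9,20 +9,32 @@` hunk for x-mitre-data-component--56c2b384 (System Settings), the new `x_mitre_log_sources` entry uses the string `"channel": "None"` as an empty marker. A consumer that maps `channel` to a query filter or counts channels for coverage reporting will read this as a real channel named None. If the 3.3.0 schema allows it (to be confirmed), omit the key or use a JSON null, e.g. `{ "name": "User Interface", "channel": null }`. The same sentinel is added in the hunks for 5ae32c6a (API Calls) and 613788f2 (Application Assets), and as the first entry of the Process Termination list in 61f1d40e.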
@@ -9,20 +9,32 @@ "created": "2023-03-13T19:59:14.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0112", + "external_id": "DC0112" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:21.246Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "API Calls", "description": "API calls utilized by an application that could indicate malicious activity", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json index 29b0c2353a..8a2ece8813 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json 
@@ -1,28 +1,40 @@ { "type": "bundle", - "id": "bundle--c5c77a0a-b0ec-4a5e-a679-00758632bbaf", + "id": "bundle--9198e8c7-a5a2-41fd-b548-20a1df43f951", "spec_version": "2.0", "objects": [ { - "modified": "2024-03-29T14:59:30.164Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", + "created": "2024-03-29T14:59:30.164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0119", + "external_id": "DC0119" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", "name": "Application Assets", "description": "Additional assets included with an application", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", - "created": "2024-03-29T14:59:30.164Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json index 2d40d9eeaf..56800875f0 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2a3691c-92b1-4849-b6e9-b04c8a42bdd5", + "id": "bundle--dc598021-ad4c-440e-b8d3-ab8bd418d1b6", "spec_version": "2.0", "objects": [ { 
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0033", + "external_id": "DC0033" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:10:34.519Z", + "modified": "2025-10-21T15:14:36.181Z", "name": "Process Termination", "description": "The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,62 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=5" + }, + { + "name": "linux:syslog", + "channel": "Unexpected termination of daemons or critical services not aligned with admin change tickets" + }, + { + "name": "macos:osquery", + "channel": "process_termination: Unexpected termination of processes tied to vulnerable or high-value services" + }, + { + "name": "esxi:hostd", + "channel": "Log entries indicating VM powered off or forcibly terminated" + }, + { + "name": "macos:unifiedlog", + "channel": "Terminal process killed (killall Terminal) immediately after sudoers modification" + }, + { + "name": "auditd:SYSCALL", + "channel": "exit_group" + }, + { + "name": "macos:unifiedlog", + "channel": "process.*exit.*code" + }, + { + "name": "linux:osquery", + "channel": "unexpected termination of syslog or rsyslog processes" + }, + { + "name": "auditd:SYSCALL", + "channel": "Process segfault or abnormal termination after invoking vulnerable syscall sequence" + }, + { + "name": "auditd:SYSCALL", + "channel": "kill syscalls targeting logging/security processes" + }, + { + "name": "macos:unifiedlog", + "channel": "Termination of syspolicyd or XProtect processes" + }, + { + "name": "docker:runtime", + "channel": "Termination of monitoring sidecar or security container" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json index a28a6013b7..eee451c27c 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json 
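Review bot: The first entry of the added `x_mitre_log_sources` array carries `"channel": "None"` as a string, which reads like a serialized null rather than a real channel, so a consumer matching on `channel` cannot tell "no channel defined" from a channel literally named None. If the spec permits it, `"channel": null` (or omitting the key) would make the absence explicit; otherwise the sentinel should be documented for consumers. The same value appears on several entries of the Command Execution log-source hunk in the next file (for example `Command`, `EDR:AMSI`, `gcp:audit`). The array also mixes matchable filters such as `EventCode=5` and `exit_group` with free-text descriptions, which detection tooling cannot handle uniformly.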
+++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca2b7094-eeb1-487c-863d-72b7773d8bc5", + "id": "bundle--548589d8-e581-4c1e-8554-3bd8433b7f69", "spec_version": "2.0", "objects": [ { 
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0064", + "external_id": "DC0064" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:30.145Z", + "modified": "2025-10-21T15:14:34.849Z", "name": "Command Execution", "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . 
-list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", - "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
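Review bot: The `description` kept on the new side of this hunk still lists `Set-ExecutionPolicy Bypass` under "Enable PowerShell logging", although execution policy does not control logging and Bypass relaxes script-execution restrictions, so a reader following the text to gain visibility would loosen the host instead. Since the object is re-issued here with a new `modified` timestamp and external id, the step could be reduced to the ScriptBlockLogging registry setting that follows it by dropping `Set-ExecutionPolicy Bypass`, from that sentence. It may also be worth stating that Event ID 4688 only carries command-line arguments when command-line auditing is enabled in policy.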
@@ -23,8 +29,1170 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Command", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments" + }, + { + "name": "macos:unifiedlog", + "channel": "dsconfigad or dscl with create or append options for AD-bound users" + }, + { + "name": "EDR:AMSI", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "/var/log/syslog or journalctl" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Get-ADTrust|GetAllTrustRelationships" + }, + { + "name": "gcp:audit", + "channel": "None" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of script interpreters by systemd timer (ExecStart)" + }, + { + "name": "AWS:CloudTrail", + "channel": "InvokeFunction" + }, + { + "name": "m365:unified", + "channel": "Automated forwarding or file sync initiated by a logic app" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4104" + }, + { + "name": "linux:syslog", + "channel": "Suspicious script or command execution targeting browser folders" + }, + { + "name": "esxi:shell", + "channel": "snapshot create/copy, esxcli" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of security-agent detection or enumeration commands" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" + }, + { + "name": "m365:messagetrace", + "channel": 
"Inbound email triggers execution of mailbox-stored custom form" + }, + { + "name": "auditd:EXECVE", + "channel": "Use of mv or cp to rename files with '.' prefix" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of chflags hidden or SetFile -a V" + }, + { + "name": "esxi:shell", + "channel": "interactive shell" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults read -g AppleLocale, systemsetup -gettimezone" + }, + { + "name": "macos:unifiedlog", + "channel": "profiles install -type=configuration" + }, + { + "name": "auditd:SYSCALL", + "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" + }, + { + "name": "m365:unified", + "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" + }, + { + "name": "EDR:cli", + "channel": "Command Line Telemetry" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'" + }, + { + "name": "networkdevice:syslog", + "channel": "Command Audit / Configuration Change" + }, + { + "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", + "channel": "Outlook loading add-in via unexpected load path or non-default profile context" + }, + { + "name": "macos:unifiedlog", + "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4104" + }, + { + "name": "WinEventLog:Powershell", + "channel": "EventCode=4104" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of 
/usr/bin/security add-trusted-cert or keychain modifications to System.keychain" + }, + { + "name": "auditd:EXECVE", + "channel": "gcore, gdb, strings, hexdump execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect, execve, write" + }, + { + "name": "esxi:hostd", + "channel": "command execution" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" + }, + { + "name": "macos:syslog", + "channel": "system.log" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "docker:daemon", + "channel": "docker exec or docker run with unexpected command/entrypoint" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call including 'nohup' or trailing '&'" + }, + { + "name": "macos:unifiedlog", + "channel": "nohup, disown, or osascript execution patterns" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CommandLine=copy-item or robocopy from UNC path" + }, + { + "name": "esxi:shell", + "channel": "invoked remote scripts (esxcli)" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of systemctl with subcommands start, stop, enable, disable" + }, + { + "name": "networkdevice:cli", + "channel": "Policy Update" + }, + { + "name": "auditd:SYSCALL", + "channel": "None" + }, + { + "name": "AWS:CloudTrail", + "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" + }, + { + "name": "gcp:audit", + "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" + }, + { + "name": "esxi:hostd", + "channel": "modification of config files or shell command execution" + }, + { + "name": "kubernetes:audit", + "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session 
attached (i.e., automation anomaly)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of 'profiles install -type=configuration'" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem:com.apple.Terminal" + }, + { + "name": "networkdevice:syslog", + "channel": "eventlog" + }, + { + "name": "esxi:hostd", + "channel": "shell access or job registration" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "PowerShell launched from outlook.exe or triggered without user invocation" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" + }, + { + "name": "linus:syslog", + "channel": "None" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103,4104" + }, + { + "name": "linux:syslog", + "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" + }, + { + "name": "macos:unifiedlog", + "channel": "base64 or curl processes chained within short execution window" + }, + { + "name": "esxi:shell", + "channel": "base64 or gzip use within shell session" + }, + { + "name": "macos:unifiedlog", + "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys" + }, + { + "name": "auditd:SYSCALL", + "channel": "chmod, execve" + }, + { + "name": "macos:unifiedlog", + "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777" + }, + { + "name": "macos:unifiedlog", + "channel": "command includes dscl . 
delete or sysadminctl --deleteUser" + }, + { + "name": "fs:fsusage", + "channel": "file system activity monitor" + }, + { + "name": "networkdevice:cli", + "channel": "ip ssh pubkey-chain" + }, + { + "name": "esxi:shell", + "channel": "scripts or binaries with misleading names" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of GUI-related binaries with suppressed window/display flags" + }, + { + "name": "linuxsyslog", + "channel": "nslcd or winbind logs" + }, + { + "name": "macos:unifiedlog", + "channel": "DS daemon log entries" + }, + { + "name": "esxi:hostd", + "channel": "logline inspection" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil eraseDisk / asr restore with destructive flags" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase startup-config, format disk" + }, + { + "name": "networkdevice:syslog", + "channel": "command_exec" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: iptables, nft, firewall-cmd modifications" + }, + { + "name": "macos:unifiedlog", + "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf" + }, + { + "name": "esxi:hostd", + "channel": "esxcli network firewall set commands" + }, + { + "name": "docker:events", + "channel": "container exec rm|container stop --force" + }, + { + "name": "esxi:hostd", + "channel": "event stream" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command logs" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" + }, + { + "name": "networkdevice:syslog", + "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" + }, + { + "name": "networkdevice:cli", + "channel": "cmd: cmd=show clock detail" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -X POST, wget --post-data" + }, + { + 
"name": "linux:syslog", + "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" + }, + { + "name": "macos:unifiedlog", + "channel": "pwpolicy|PasswordPolicy" + }, + { + "name": "networkdevice:syslog", + "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI command audit" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" + }, + { + "name": "macos:unifiedlog", + "channel": "Command line contains smbutil view //, mount_smbfs //" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Invocation of scp, rsync, curl, or sftp" + }, + { + "name": "esxi:hostd", + "channel": "scp/ssh used to move file across hosts" + }, + { + "name": "auditd:EXECVE", + "channel": "command line arguments containing lsblk, fdisk, parted" + }, + { + "name": "macos:unifiedlog", + "channel": "log messages related to disk enumeration context or Terminal session" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying local mail filter configuration files" + }, + { + "name": "esxi:hostd", + "channel": "None" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" + }, + { + "name": "docker:api", + "channel": "docker logs access or container inspect commands from non-administrative users" + }, + { + "name": "esxi:shell", + "channel": "command IN (\"esxcli vm process list\", \"vim-cmd 
vmsvc/getallvms\")" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" + }, + { + "name": "esxi:shell", + "channel": "openssl|tar|dd" + }, + { + "name": "AWS:CloudTrail", + "channel": "SSM RunCommand" + }, + { + "name": "azure:activity", + "channel": "Intune PowerShell Scripts" + }, + { + "name": "m365:exchange", + "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" + }, + { + "name": "esxi:syslog", + "channel": "boot logs" + }, + { + "name": "networkdevice:syslog", + "channel": "system boot logs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults write com.apple.system.logging or logd manipulation" + }, + { + "name": "esxi:hostd", + "channel": "esxcli system syslog config set or reload" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: openssl pkcs12, certutil, keytool" + }, + { + "name": "macos:unifiedlog", + "channel": "process calling security find-certificate, export, or import" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" + }, + { + "name": "m365:exchange", + "channel": "Get-RoleGroup, Get-DistributionGroup" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution 
of log show, fs_usage, or cat targeting system.log" + }, + { + "name": "AWS:CloudTrail", + "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" + }, + { + "name": "esxi:shell", + "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "CLI usage logs" + }, + { + "name": "macos:syslog", + "channel": "/var/log/system.log" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of launchctl load/unload/start commands" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Exchange Cmdlets" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, USER_CMD" + }, + { + "name": "auditd:USER_CMD", + "channel": "USER_CMD" + }, + { + "name": "esxi:shell", + "channel": "Command execution trace" + }, + { + "name": "auditd:SYSCALL", + "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" + }, + { + "name": "linux:osquery", + "channel": "Command-line includes base64 -d or openssl enc -d" + }, + { + "name": "macos:unifiedlog", + "channel": "base64 -d or osascript invoked on staged file" + }, + { + "name": "auditd:EXECVE", + "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -d, wget --post-data" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Processes executing sendmail/postfix with forged headers" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications" + }, + { + "name": "networkdevice:cli", + "channel": "format flash:, format disk, reformat commands" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" + 
}, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" + }, + { + "name": "networkdevice:Firewall", + "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" + }, + { + "name": "auditd:EXECVE", + "channel": "grep/cat/awk on files with password fields" + }, + { + "name": "macos:unifiedlog", + "channel": "grep/cat on files matching credential patterns" + }, + { + "name": "kubernetes:audit", + "channel": "process execution involving curl, grep, or awk on secrets" + }, + { + "name": "AWS:CloudTrail", + "channel": "command-line execution invoking credential enumeration" + }, + { + "name": "auditd:SYSCALL", + "channel": "promiscuous mode transitions (ioctl or ifconfig)" + }, + { + "name": "fs:fsusage", + "channel": "access to BPF devices or interface IOCTLs" + }, + { + "name": "networkdevice:syslog", + "channel": "exec command='monitor capture'" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Unexpected DLL or component loaded at Office startup" + }, + { + "name": "m365:office", + "channel": "Startup execution includes non-default component" + }, + { + "name": "macos:unifiedlog", + "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase nvram:, format disk" + }, + { + "name": "macos:unifiedlog", + "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper" + }, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" + }, + { + "name": "networkdevice:syslog", + "channel": "no logging buffered, no aaa new-model, disable firewall" + }, + { + "name": "auditd:EXECVE", + "channel": "git 
push, curl -X POST" + }, + { + "name": "linux:cli", + "channel": "command logging" + }, + { + "name": "esxi:hostd", + "channel": "command log" + }, + { + "name": "networkdevice:cli", + "channel": "command logs" + }, + { + "name": "networkdevice:syslog", + "channel": "interactive shell logging" + }, + { + "name": "esxi:hostd", + "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" + }, + { + "name": "auditd:SYSCALL", + "channel": "chattr, rm, shred, dd run on recovery directories or partitions" + }, + { + "name": "networkdevice:syslog", + "channel": "command sequence: erase \u2192 format \u2192 reload" + }, + { + "name": "macos:unifiedlog", + "channel": "process: at, job runner" + }, + { + "name": "macos:osquery", + "channel": "Interpreter exec with suspicious arguments as above" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of dscl . 
create with IsHidden=1" + }, + { + "name": "linux:syslog", + "channel": "sshd logs" + }, + { + "name": "esxi:shell", + "channel": "Shell Access/Command Execution" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Logging" + }, + { + "name": "auditd:CONFIG_CHANGE", + "channel": "udev rule reload or trigger command executed" + }, + { + "name": "linux:cli", + "channel": "Shell history logs" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'" + }, + { + "name": "networkdevice:cli", + "channel": "command logging" + }, + { + "name": "esxi:hostd", + "channel": "Command Execution" + }, + { + "name": "macos:osquery", + "channel": "launchd + process_events" + }, + { + "name": "esxi:vmkernel", + "channel": "DCUI shell start, BusyBox activity" + }, + { + "name": "esxi:hostd", + "channel": "remote CLI + vim-cmd logging" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Audit" + }, + { + "name": "m365:defender", + "channel": "Activity Log: Command Invocation" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CmdletName: Get-Recipient, Get-User" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" + }, + { + "name": "linux:shell", + "channel": "Manual invocation of software enumeration commands via interactive shell" + }, + { + "name": "auditd:SYSCALL", + "channel": "Command line arguments including SPApplicationsDataType" + }, + { + "name": "AWS:CloudTrail", + "channel": "ssm:GetCommandInvocation" + }, + { + "name": "esxi:shell", + "channel": "esxcli software vib list" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of setfattr or getfattr commands" + }, + { + "name": "macos:unifiedlog", + "channel": "xattr utility execution with -w or -p flags" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP 
packets to known amplifier ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of tools like cat, grep, or awk on credential files" + }, + { + "name": "macos:unifiedlog", + "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage" + }, + { + "name": "linux:syslog", + "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103,4104,4105, 4106" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of xev, xdotool, or input activity emulators" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl load or boot-time plist registration" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" + }, + { + "name": "networkdevice:syslog", + "channel": "command audit" + }, + { + "name": "networkdevice:cli", + "channel": "Interface commands" + }, + { + "name": "macos:unifiedlog", + "channel": "dscl -create" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli system account add" + }, + { + "name": "ebpf:syscalls", + "channel": "useradd or /etc/passwd modified inside container" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" + }, + { + "name": "macos:unifiedlog", + "channel": "kextload execution from Terminal or suspicious paths" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell without -NoProfile flag" + }, + { + "name": "auditd:EXECVE", + "channel": "Process 
execution of update-ca-certificates or openssl with suspicious arguments" + }, + { + "name": "macos:unifiedlog", + "channel": "xattr -d com.apple.quarantine or similar removal commands" + }, + { + "name": "azure:signinLogs", + "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" + }, + { + "name": "linux:syslog", + "channel": "Sudo or root escalation followed by filesystem mount commands" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4101" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4105" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4106" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" + }, + { + "name": "auditd:PROCTITLE", + "channel": "process title records containing discovery command sequences and environmental assessment patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, New-InboxRule" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of chattr to set +i or +a attributes" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of chflags hidden or setfile -a V" + }, + { + "name": "esxi:shell", + "channel": "mv, rename, or chmod commands moving VM files 
into hidden directories" + }, + { + "name": "esxi:hostd", + "channel": "execution + payload hints" + }, + { + "name": "linux:osquery", + "channel": "process_events.command_line" + }, + { + "name": "macos:unifiedlog", + "channel": "process:spawn, process:exec" + }, + { + "name": "esxi:vobd", + "channel": "shell session start" + }, + { + "name": "networkdevice:cli", + "channel": "shell command" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Office application warning or alert on macro execution from template" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" + }, + { + "name": "m365:office", + "channel": "Execution of unsigned macro from template" + }, + { + "name": "linux:cli", + "channel": "Terminal Command History" + }, + { + "name": "macos:unifiedlog", + "channel": "csrutil disable" + }, + { + "name": "macos:unifiedlog", + "channel": "log show --predicate 'process == '" + }, + { + "name": "networkdevice:syslog", + "channel": "Privilege-level command execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" + }, + { + "name": "saas:PRMetadata", + "channel": "Commit message or branch name contains encoded strings or payload indicators" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context" + }, + { + "name": "esxi:shell", + "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" + }, + { + "name": "AWS:CloudTrail", + "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances" + }, + { + "name": "esxi:vmkernel", + "channel": "Unexpected restarts of management agents or shell access" + }, + { + "name": "auditd:EXECVE", + "channel": "curl or wget with POST/PUT options" + }, + { + "name": 
"networkdevice:syslog", + "channel": "Detected CLI command to export key material" + }, + { + "name": "networkdevice:config", + "channel": "PKI export or certificate manipulation commands" + }, + { + "name": "macos:unifiedlog", + "channel": "command execution triggered by emond (e.g., shell, curl, python)" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli, vim-cmd invocation" + }, + { + "name": "esxi:shell", + "channel": "CLI session activity" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve=/sbin/shutdown or /sbin/reboot" + }, + { + "name": "esxi:shell", + "channel": "esxcli system shutdown or reboot invoked" + }, + { + "name": "networkdevice:syslog", + "channel": "reload command issued" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103, 4104" + }, + { + "name": "auditd:PROCTITLE", + "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" + }, + { + "name": "vpxd.log", + "channel": "VM inventory queries and configuration enumeration through vCenter API calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" + }, + { + "name": "macos:unifiedlog", + "channel": "Set or unset HIST* variables in shell environment" + }, + { + "name": "esxi:shell", + "channel": "unset HISTFILE or HISTFILESIZE modifications" + }, + { + "name": "networkdevice:cli", + "channel": "Commands like 'no logging' or equivalents that disable session history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" + }, + { + "name": "macos:unifiedlog", + "channel": "defaults read -g AppleLocale or systemsetup -gettimezone" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands 
such as 'copy tftp flash', 'boot system ', 'reload'" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -T, rclone copy" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start/modify" + }, + { + "name": "macos:unifiedlog", + "channel": "launchctl load/unload or plist file modification" + }, + { + "name": "networkdevice:syslog", + "channel": "syslog facility LOCAL7 or trap messages" + }, + { + "name": "linux:cli", + "channel": "/home/*/.bash_history" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" + }, + { + "name": "networkdevice:config", + "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" + }, + { + "name": "macos:unifiedlog", + "channel": "dscl . -create" + }, + { + "name": "macos:unifiedlog", + "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks" + }, + { + "name": "esxi:vpxd", + "channel": "vCenter Management" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json index 8f9a9fd0c2..4f0b045201 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bf4d7c4-45a7-4b34-bea0-027947a1e016", + "id": "bundle--ac4a6424-ba0a-4dcb-a1dc-4b1ba163171d", "spec_version": "2.0", "objects": [ { 
@@ -9,20 +9,32 @@ "created": "2023-03-13T20:00:38.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0115", + "external_id": "DC0115" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:22.260Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Protected Configuration", "description": "Device configuration options that are not typically utilized by benign applications", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json index 7ee18846a3..7554d926f3 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e73f3f8b-f7b3-481c-bfce-7f6e257d1d18", + "id": "bundle--e70f70ce-c87f-49e4-bd00-bb7dca349ee8", "spec_version": "2.0", "objects": [ { 
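Review bot: The added `x_mitre_log_sources` entry sets `"channel": "None"`, a string that reads like a serialized null rather than a real log channel. A consumer that builds collection or detection filters from `channel` would end up matching on the literal word None. The same placeholder appears in the Network Communication hunk that follows and in the first entries of the Host Status and OS API Execution lists further down. If the field may be absent, `"channel": null` or omitting the key would let consumers distinguish "no channel defined" from a real value. If the schema requires a string, the placeholder should be documented as such.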
@@ -9,20 +9,32 @@ "created": "2023-03-13T19:59:42.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0113", + "external_id": "DC0113" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:21.724Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Network Communication", "description": "Network requests made by an application or domains contacted", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json index 8c739bbfb9..8e95f3f4d3 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ff95d3b-c2b9-4b70-9bc2-ae4ce520bc0a", + "id": "bundle--58fdd6a1-884d-4dac-b204-b5ed6a178046", "spec_version": "2.0", "objects": [ { 
@@ -9,21 +9,185 @@ "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0018", + "external_id": "DC0018" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:16:18.582Z", + "modified": "2025-10-21T15:14:37.544Z", "name": "Host Status", "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", - "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack", "enterprise-attack" 
], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Sensor Health", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "interface_details " + }, + { + "name": "Windows:perfmon", + "channel": "Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)" + }, + { + "name": "macos:unifiedlog", + "channel": "Web service process (e.g., httpd) entering crash loop or consuming excessive CPU" + }, + { + "name": "AWS:CloudWatch", + "channel": "Sustained spike in CPU usage on EC2 instance with web service role" + }, + { + "name": "WinEventLog:System", + "channel": "System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations" + }, + { + "name": "linux:syslog", + "channel": "Out of memory killer invoked or kernel panic entries" + }, + { + "name": "macos:unifiedlog", + "channel": "Spike in CPU or memory use from non-user-initiated processes" + }, + { + "name": "AWS:CloudWatch", + "channel": "StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)" + }, + { + "name": "kubernetes:events", + "channel": "CrashLoopBackOff, OOMKilled, container restart count exceeds threshold" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=16" + }, + { + "name": "Windows:perfmon", + "channel": "High sustained CPU usage by a single process" + }, + { + "name": "linux:procfs", + "channel": "Sustained high /proc/[pid]/stat usage" + }, + { + "name": "CloudWatch:Metrics", + "channel": "Sustained EC2 CPU usage above normal baseline" + }, + { + "name": "prometheus:metrics", + "channel": "Container CPU/Memory usage exceeding threshold" + }, + { + "name": "linux:syslog", + "channel": "Service stop or disable messages for security tools not reflected in SIEM alerts" + }, + { + "name": "macos:unifiedlog", + "channel": "Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons" + }, 
+ { + "name": "CloudWatch:InstanceMetrics", + "channel": "NetworkOut spike beyond baseline" + }, + { + "name": "WinEventLog:Microsoft-Windows-TCPIP", + "channel": "Connection queue overflow or failure to allocate TCP state object" + }, + { + "name": "NSM:Flow", + "channel": "TCP: possible SYN flood or backlog limit exceeded" + }, + { + "name": "macos:unifiedlog", + "channel": "network stack resource exhaustion, tcp_accept queue overflow, repeated resets" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1166, 7045" + }, + { + "name": "auditd:SYSCALL", + "channel": "firmware_update, kexec_load" + }, + { + "name": "journald:boot", + "channel": "Secure Boot failure, firmware version change" + }, + { + "name": "macos:unifiedlog", + "channel": "EFI firmware integrity check failed" + }, + { + "name": "macos:syslog", + "channel": "Hardware UUID or device list drift" + }, + { + "name": "Windows:perfmon", + "channel": "Sudden spike in outbound throughput without corresponding inbound traffic" + }, + { + "name": "sar:network", + "channel": "Outbound network saturation with minimal process activity" + }, + { + "name": "AWS:CloudWatch", + "channel": "Sudden spike in network output without a corresponding inbound request ratio" + }, + { + "name": "Windows:perfmon", + "channel": "Sudden spikes in CPU/Memory usage linked to specific application processes" + }, + { + "name": "CloudMetrics:InstanceHealth", + "channel": "Autoscaling, memory/cpu alarms, or instance unhealthiness" + }, + { + "name": "macos:unifiedlog", + "channel": "System Integrity Protection (SIP) state reported as disabled" + }, + { + "name": "AWS:CloudWatch", + "channel": "Unusual CPU burst or metric anomalies" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1074" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=6006" + }, + { + "name": "linux:syslog", + "channel": "system is powering down" + }, + { + "name": "macos:unifiedlog", + "channel": "System shutdown or 
reboot requested" + }, + { + "name": "esxi:hostd", + "channel": "Powering off or restarting host" + }, + { + "name": "networkdevice:syslog", + "channel": "System reboot scheduled or performed" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json index ba266da2d8..27cf38e60d 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eabef953-9172-409c-ae77-361147ea4cdd", + "id": "bundle--5c9cb976-21ce-4ccf-9118-6cad5d7ae5e0", "spec_version": "2.0", "objects": [ { 
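Review bot: Three of the added Host Status entries name `WinEventLog:Security` for events that Windows writes to the System log: `EventCode=1074`, `EventCode=6006`, and the 7045 half of `EventCode=1166, 7045`. The description in this same hunk lists 1074 and 6006 as System Shutdown and Event Log Stopped. A detection scoped to the Security channel on the strength of these entries would never see those events. I would change the pairs to `"name": "WinEventLog:System", "channel": "EventCode=1074"` and likewise for 6006, and move 7045 to its own `WinEventLog:System` entry; the 1166 half needs confirming against its source. The `macos:osquery` entry `"interface_details "` also has a trailing space that will break exact-match lookups on the table name.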
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0021", + "external_id": "DC0021" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:10:31.145Z", + "modified": "2025-10-21T15:14:36.999Z", "name": "OS API Execution", "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. 
ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,286 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Base", + "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls" + }, + { + "name": "AWS:CloudTrail", + "channel": "GetMetadata, DescribeInstanceIdentity" + }, + { + "name": "macos:osquery", + "channel": "open, execve: Unexpected processes accessing or modifying critical files" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, ioctl" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API tracing / stack tracing via ETW or telemetry-based EDR" + }, + { + "name": "EDR:memory", + "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)" + }, + { + "name": "networkdevice:syslog", + "channel": "aaa privilege_exec" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "APCQueueOperations" + }, + { + "name": "macos:unifiedlog", + "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application" + }, + { + "name": "macos:unifiedlog", + "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting" + }, + { + "name": "etw:Microsoft-Windows-Directory-Services-SAM", + "channel": "api_call: Calls to DsAddSidHistory or related RPC operations" + }, + { + "name": "macos:unifiedlog", + "channel": "application logs referencing NSTimer, sleep, or launchd delays" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage" + }, + { + "name": "auditd:SYSCALL", + "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled" + }, + { + "name": 
"networkdevice:syslog", + "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance" + }, + { + "name": "etw:Microsoft-Windows-RPC", + "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes" + }, + { + "name": "NSM:Flow", + "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4656" + }, + { + "name": "EDR:memory", + "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process" + }, + { + "name": "macos:unifiedlog", + "channel": "Access decisions to kTCCServiceCamera for unexpected binaries" + }, + { + "name": "EDR:memory", + "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes" + }, + { + "name": "auditd:SYSCALL", + "channel": "mmap, ptrace, process_vm_writev or direct memory ops" + }, + { + "name": "WinEventLog:Application", + "channel": "API call to AddMonitor invoked by non-installer process" + }, + { + "name": "etw:Microsoft-Windows-Win32k", + "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage" + }, + { + "name": "auditd:SYSCALL", + "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes" + }, + { + "name": "macos:unifiedlog", + "channel": "audio APIs" + }, + { + "name": "WinEventLog:Microsoft-Windows-COM/Operational", + "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.securityd, com.apple.tccd" + }, + { + "name": "auditd:SYSCALL", + "channel": "send, recv, write: Abnormal interception or alteration of transmitted data" + }, + { + 
"name": "macos:osquery", + "channel": "CALCULATE: Integrity validation of transmitted data via hash checks" + }, + { + "name": "ETW:Token", + "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API Calls" + }, + { + "name": "etw:Microsoft-Windows-DotNETRuntime", + "channel": "AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime" + }, + { + "name": "EDR:memory", + "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad" + }, + { + "name": "auditd:MMAP", + "channel": "memory region with RWX permissions allocated" + }, + { + "name": "snmp:trap", + "channel": "management queries" + }, + { + "name": "AWS:CloudTrail", + "channel": "Describe* or List* API calls" + }, + { + "name": "etw:Microsoft-Windows-Win32k", + "channel": "SendMessage, PostMessage, LVM_*" + }, + { + "name": "auditd:SYSCALL", + "channel": "sudo or pkexec invocation" + }, + { + "name": "macos:unifiedlog", + "channel": "authorization execute privilege requests" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "NtQueryInformationProcess" + }, + { + "name": "macos:unifiedlog", + "channel": "ptrace: Processes invoking ptrace with PTRACE_TRACEME flag" + }, + { + "name": "esxi:hostd", + "channel": "Remote access API calls and file uploads" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread" + }, + { + "name": "linux:syslog", + "channel": "Execution of modified binaries or abnormal library load sequences" + }, + { + "name": "macos:unifiedlog", + "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools" + }, + { + "name": "macos:unifiedlog", + "channel": "access or unlock attempt to keychain database" + }, + { + "name": "macos:unifiedlog", 
+ "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)" + }, + { + "name": "auditd:SYSCALL", + "channel": "mount system call with bind or remap flags" + }, + { + "name": "AWS:CloudTrail", + "channel": "Decrypt" + }, + { + "name": "etw:Microsoft-Windows-Kernel-File", + "channel": "ZwSetEaFile or ZwQueryEaFile function calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "fork/clone/daemon syscall tracing" + }, + { + "name": "fs:fsusage", + "channel": "Detached process execution with no associated parent" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, mmap, mprotect, open, dlopen" + }, + { + "name": "ETW:ProcThread", + "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW" + }, + { + "name": "EDR:memory", + "channel": "MemoryWriteToExecutable" + }, + { + "name": "ETW:Token", + "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx" + }, + { + "name": "etw:Microsoft-Windows-Security-Auditing", + "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "API calls" + }, + { + "name": "auditd:SYSCALL", + "channel": "ptrace, mmap, process_vm_writev" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of dd or sed targeting /proc/*/mem" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx" + }, + { + "name": "ETW", + "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing 
KernelCallbackTable addresses" + }, + { + "name": "EDR:file", + "channel": "SetFileTime" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json index e394deb1e1..365eb53889 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2496b24b-07c3-4ce5-aa20-5474d42364e8", + "id": "bundle--56179919-b6f4-482d-9b6f-cf38b0361c69", "spec_version": "2.0", "objects": [ { 
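Review bot: The added log-source names mix casings for the same provider family: `etw:Microsoft-Windows-Kernel-Process` sits next to `ETW:Token`, `ETW:ProcThread` and a bare `ETW`. The Kernel-Process provider is also listed twice with channels that differ only in case (`API Calls` and `API calls`). Anyone keying a case-sensitive lookup on `name`, or de-duplicating on the name/channel pair, will treat these as distinct sources. I would normalise the prefix to one casing and collapse the two generic entries into one, e.g. `"name": "etw:Microsoft-Windows-Kernel-Process", "channel": "API calls"`. The bare `ETW` entry should name its provider if one is known.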
@@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0078", + "external_id": "DC0078" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:20.168Z", + "modified": "2025-10-21T15:14:34.703Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,630 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "macos:osquery", + "channel": "socket_events" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected flows between segmented networks or prohibited ports" + }, + { + "name": "snmp:config", + "channel": "Configuration change traps or policy enforcement failures" + }, + { + "name": "NSM:Flow", + "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to new registries/CDNs post-install/build" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to non-approved registries after dependency install" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets" + }, + { + "name": "NSM:Flow", + "channel": "large outbound data flows or long-duration connections" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "egress > 90th percentile or frequent connection reuse" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect" + }, + { + "name": "esxi:syslog", + "channel": "esxcli network vswitch or DNS resolver configuration updates" + }, + { + "name": "esxi:vobd", + "channel": "Network Events" + }, + { + "name": "iptables:LOG", + "channel": "TCP connections" + }, + { + "name": "NSM:Flow", + "channel": "connection metadata" + }, + { + "name": "wineventlog:dhcp", + "channel": "DHCP Lease Granted" + }, + { + "name": "NSM:Flow", + "channel": "LEASE_GRANTED" + }, + { + "name": "NSM:Flow", + "channel": "MAC not in allow-list acquiring IP (DHCP)" + }, + { + "name": "Windows Firewall Log", + "channel": "SMB over high 
port" + }, + { + "name": "NSM:Connections", + "channel": "Internal connection logging" + }, + { + "name": "NSM:Flow", + "channel": "pf firewall logs" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "NSM:Flow", + "channel": "Inter-segment traffic" + }, + { + "name": "NSM:Flow", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound traffic from browser binary to non-standard domains" + }, + { + "name": "NSM:Flow", + "channel": "Abnormal browser traffic volume or destination" + }, + { + "name": "NSM:Flow", + "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click" + }, + { + "name": "M365Defender:DeviceNetworkEvents", + "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly" + }, + { + "name": "PF:Logs", + "channel": "outbound flows with bytes_out >> bytes_in" + }, + { + "name": "NSX:FlowLogs", + "channel": "network_flow: bytes_out >> bytes_in to external" + }, + { + "name": "NSM:Flow", + "channel": "NetFlow/Zeek conn.log" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound data flows" + }, + { + "name": "NSM:Flow", + "channel": "Flow records with entropy signatures resembling symmetric encryption" + }, + { + "name": "NSM:Flow", + "channel": "flow records" + }, + { + "name": "networkdevice:syslog", + "channel": "flow records" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTPS POST to known webhook URLs" + }, + { + "name": "saas:api", + "channel": "Webhook registrations or repeated POST activity" + }, + { + "name": 
"NSM:Flow", + "channel": "Source/destination IP translation inconsistent with intended policy" + }, + { + "name": "SNMP:DeviceLogs", + "channel": "Unexpected NAT translation statistics or rule insertion events" + }, + { + "name": "NSM:Flow", + "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of inbound packets from single source across short time interval" + }, + { + "name": "NSM:Flow", + "channel": "port 5900 inbound" + }, + { + "name": "NSM:Flow", + "channel": "TCP port 5900 open" + }, + { + "name": "NSM:firewall", + "channel": "inbound connection to port 5900" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound connections to 139/445 to multiple destinations" + }, + { + "name": "VPCFlowLogs:All", + "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script" + }, + { + "name": "NSM:Flow", + "channel": "NetFlow/sFlow/PCAP" + }, + { + "name": "NSM:Flow", + "channel": "Outbound Network Flow" + }, + { + "name": "macos:unifiedlog", + "channel": "com.apple.network" + }, + { + "name": "NSM:Flow", + "channel": "Device-to-Device Deployment Flows" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect syscalls" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound TCP/UDP traffic over unexpected port" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi service connections on unexpected ports" + }, + { + "name": "iptables:LOG", + "channel": "OUTBOUND" + }, + { + "name": "macos:unifiedlog", + "channel": "tcp/udp" + }, + { + "name": "esxi:hostd", + "channel": "CLI network calls" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic from suspicious new processes post-attachment execution" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious anomalies in transmitted data integrity during application network operations" + }, + { + "name": "esxi:syslog", + "channel": "DNS resolution events 
leading to outbound traffic on unexpected ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to mining pools or proxies" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound flow logs to known mining pools" + }, + { + "name": "container:cni", + "channel": "Outbound network traffic to mining proxies" + }, + { + "name": "esxi:vpxd", + "channel": "TLS session established by ESXi service to unapproved endpoint" + }, + { + "name": "NSM:Flow", + "channel": "Session records with TLS-like byte patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "HTTPS POST requests to pastebin.com or similar" + }, + { + "name": "NetFlow:Flow", + "channel": "new outbound connections from exploited process tree" + }, + { + "name": "NSM:Connections", + "channel": "new connections from exploited lineage" + }, + { + "name": "NSM:Flow", + "channel": "Unexpected route changes or duplicate gateway advertisements" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": "EventCode=2004,2005,2006" + }, + { + "name": "NSM:Flow", + "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success." + }, + { + "name": "macos:unifiedlog", + "channel": "Firewall/PF anchor load or rule change events." + }, + { + "name": "networkdevice:syslog", + "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes." 
+ }, + { + "name": "NSM:Flow", + "channel": "First-time egress to non-approved update hosts right after install/update" + }, + { + "name": "NSM:Flow", + "channel": "New outbound flows to non-approved vendor hosts post install" + }, + { + "name": "NSM:Flow", + "channel": "New/rare egress to non-approved update hosts after install" + }, + { + "name": "NSM:Flow", + "channel": "large outbound HTTPS uploads to repo domains" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS traffic to repository domains" + }, + { + "name": "NSM:Flow", + "channel": "alert log" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "Outbound flow records" + }, + { + "name": "m365:defender", + "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch" + }, + { + "name": "PF:Logs", + "channel": "high out:in ratio or fixed-size periodic flows" + }, + { + "name": "NSM:Flow", + "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs" + }, + { + "name": "auditd:SYSCALL", + "channel": "connect or sendto system call with burst pattern" + }, + { + "name": "macos:unifiedlog", + "channel": "sudden burst in outgoing packets from same PID" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "source instance sends large volume of traffic in short window" + }, + { + "name": "NSM:Flow", + "channel": "session stats with bytes_out > bytes_in" + }, + { + "name": "NIDS:Flow", + "channel": "session stats with bytes_out > bytes_in" + }, + { + "name": "esxi:vpxa", + "channel": "connection attempts and data transmission logs" + }, + { + "name": "PF:Logs", + "channel": "External traffic to remote access services" + }, + { + "name": "NSM:Flow", + "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes" + }, + { + "name": "dns:query", + "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)" + }, + { + "name": "NSM:Flow", + "channel": "conn.log + ssl.log 
with Tor fingerprinting" + }, + { + "name": "macos:unifiedlog", + "channel": "forwarded encrypted traffic" + }, + { + "name": "NSM:Flow", + "channel": "Relayed session pathing (multi-hop)" + }, + { + "name": "NSM:Flow", + "channel": "Outbound TCP SYN or UDP to multiple ports/hosts" + }, + { + "name": "containerd:runtime", + "channel": "container-level outbound traffic events" + }, + { + "name": "WLANLogs:Association", + "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type" + }, + { + "name": "linux:osquery", + "channel": "socket_events" + }, + { + "name": "WinEventLog:Security", + "channel": "ARP cache modification attempts observed through event tracing or security baselines" + }, + { + "name": "NSM:Flow", + "channel": "Gratuitous ARP replies with mismatched IP-MAC binding" + }, + { + "name": "macos:unifiedlog", + "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or com.apple.network" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream 'eventMessage contains \"dns_request\"'" + }, + { + "name": "esxi:syslog", + "channel": "/var/log/syslog.log" + }, + { + "name": "AWS:CloudTrail", + "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget" + }, + { + "name": "networkdevice:syslog", + "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'" + }, + { + "name": "NSM:Flow", + "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound UDP spikes to external reflector IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large outbound UDP traffic to multiple public reflector IPs" + }, + { + "name": "macos:unifiedlog", + "channel": "High entropy domain queries with multiple NXDOMAINs" + }, + { + "name": "esxi:syslog", + "channel": "Frequent DNS queries with high entropy names 
or NXDOMAIN results" + }, + { + "name": "vpxd.log", + "channel": "API communication" + }, + { + "name": "NSM:Connections", + "channel": "Outbound Connection" + }, + { + "name": "NSM:Flow", + "channel": "Connection Tracking" + }, + { + "name": "NSM:Firewall", + "channel": "pf firewall logs" + }, + { + "name": "NSM:Flow", + "channel": "Flow Creation (NetFlow/sFlow)" + }, + { + "name": "NSM:Flow", + "channel": "conn.log, icmp.log" + }, + { + "name": "NSM:Flow", + "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions" + }, + { + "name": "NSM:Flow", + "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers" + }, + { + "name": "NSM:Connections", + "channel": "Inbound on ports 5985/5986" + }, + { + "name": "linux:syslog", + "channel": "Multiple IP addresses assigned to the same domain in rapid sequence" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid domain-to-IP resolution changes for same domain" + }, + { + "name": "esxi:syslog", + "channel": "Frequent DNS resolution of same domain with rotating IPs" + }, + { + "name": "NSM:Flow", + "channel": "uncommon ports" + }, + { + "name": "NSM:Flow", + "channel": "alternate ports" + }, + { + "name": "esxi:vpxd", + "channel": "None" + }, + { + "name": "NSM:Flow", + "channel": "conn.log or flow data" + }, + { + "name": "esxi:vmkernel", + "channel": "egress log analysis" + }, + { + "name": "esxi:vmkernel", + "channel": "egress logs" + }, + { + "name": "NSM:Flow", + "channel": "High volume flows with incomplete TCP sessions or single-packet bursts" + }, + { + "name": "NSM:Flow", + "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port" + }, + { + "name": "macos:unifiedlog", + "channel": "Firewall rule enable/disable or listen socket changes" + }, + { + "name": "networkdevice:syslog", + "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads" + }, + { + "name": 
"auditd:SYSCALL", + "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)" + }, + { + "name": "macos:osquery", + "channel": "query: Historical list of associated SSIDs compared against baseline" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress from host after new install to unknown update endpoints" + }, + { + "name": "NSM:Flow", + "channel": "First-time egress to unknown registries/mirrors immediately after install" + }, + { + "name": "NSM:Flow", + "channel": "New egress from app just installed to unknown update endpoints" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi processes relaying traffic via SSH or unexpected ports" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connection to mining pool port (3333, 4444, 5555)" + }, + { + "name": "NSM:Flow", + "channel": "Outbound traffic to mining pool upon container launch" + }, + { + "name": "NSM:Flow", + "channel": "Flow records with RSA key exchange on unexpected port" + }, + { + "name": "NSM:Flow", + "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs" + }, + { + "name": "NSM:Flow", + "channel": "sustained outbound HTTPS sessions with high data volume" + }, + { + "name": "NSM:Flow", + "channel": "Connections from IDE hosts to marketplace/tunnel domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound connections from IDE processes to marketplace/tunnel domains" + }, + { + "name": "NSM:Flow", + "channel": "large HTTPS outbound uploads" + }, + { + "name": "esxi:vmkernel", + "channel": "network flows to external cloud services" + }, + { + "name": "NSM:Flow", + "channel": "TCP port 22 traffic" + }, + { + "name": "esxi:vmkernel", + "channel": "port 22 access" + } + ] } ] } \ No newline at end of file 
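Review bot: The `name` values in the added `x_mitre_log_sources` array are not normalised, so what is apparently the same source appears under several spellings: `NSM:firewall` and `NSM:Firewall`, `AWS:VPCFlowLogs` and `VPCFlowLogs:All`, `esxi:vpxd` and `vpxd.log`, `M365Defender:DeviceNetworkEvents` and `m365:defender`. Anyone keying detection coverage or log-onboarding checks on `name` will count these as separate sources; I would settle on one spelling each, e.g. `"name": "NSM:Firewall"` for the port 5900 entry. Several entries also carry the string `"channel": "None"` where no channel applies, which a consumer cannot tell apart from a channel literally called None; `null` or omitting the key would be clearer if the 3.3.0 schema allows it. Some pairs look mismatched as well (`NSM:Flow` with `pf firewall logs` or `LEASE_GRANTED`) and are worth a second look. The Process Metadata hunk later in the diff adds the same `"None"` entry.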
diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json index da44f99632..34e98e4314 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4d844aa-e0d2-44d9-9b85-5bf472a18777", + "id": "bundle--8d27d319-f100-4bc5-9421-b4dad2a3767a", "spec_version": "2.0", "objects": [ { @@ -9,20 +9,32 @@ "created": "2023-03-13T20:00:08.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0114", + "external_id": "DC0114" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:21.394Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Permissions Requests", "description": "Permissions declared in an application's manifest or property list file", - "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Application Vetting", + "channel": "None" + } + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json index 4b510a127c..5bd7c45c9b 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc6874c5-2202-4293-b583-edc4b0b3c988", + "id": "bundle--77d33662-4208-4ac6-9968-e67001621bbc", "spec_version": "2.0", "objects": [ { @@ -9,20 +9,32 @@ "created": "2023-03-13T20:47:52.557Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0117", + "external_id": "DC0117" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:22.106Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "System Notifications", "description": "Notifications generated by the OS", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json index 996701dd41..337929c397 100644 
--- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9e37acf-2042-4bb3-88df-6ec92972d8e9", + "id": "bundle--bc667b8b-f7cb-4e7d-85ac-6d47a4be17ec", "spec_version": "2.0", "objects": [ { @@ -9,20 +9,32 @@ "created": "2023-03-13T20:47:24.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0116", + "external_id": "DC0116" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:21.873Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Permissions Request", "description": "System prompts triggered when an application requests new or additional permissions", - "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "User Interface", + "channel": "None" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json index 4e35ae5299..cc12ceac00 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0c9a780-4142-4c2e-9c32-889d13e7a2af", + "id": "bundle--ccee4376-6601-4135-8acb-e625e45865f1", "spec_version": "2.0", "objects": [ { @@ -9,13 +9,19 @@ "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datacomponents/DC0034", + "external_id": "DC0034" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:10:37.873Z", + "modified": "2025-10-21T15:14:35.331Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -23,8 +29,186 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_log_sources": [ + { + "name": "Process", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.process" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads" + }, + { + "name": "linux:syslog", + "channel": "sudo or service accounts invoking loaders with suspicious env vars" + }, + { + "name": "macos:osquery", + "channel": "Process Context" + }, + { + "name": "esxi:auth", + "channel": "user session" + }, + { + "name": "networkdevice:syslog", + "channel": "Admin activity" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call for sudo where euid != uid" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.TCC" + }, + { + "name": "macos:unifiedlog", + "channel": "exec of binary with setuid/setgid and EUID != UID" + }, + { + "name": "macos:unifiedlog", + "channel": "process" + }, + { + "name": "auditd:SYSCALL", + "channel": "Use of fork/exec with DISPLAY unset or redirected" + }, + { + "name": "EDR:Telemetry", + "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments" + }, + { + "name": "linux:osquery", + "channel": "Cross-reference argv[0] with actual executable path and parent process metadata" + }, + { + "name": "WinEventLog:AppLocker", + "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy" + }, + { + "name": "EDR:hunting", + "channel": 
"Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)" + }, + { + "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode", + "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads" + }, + { + "name": "etw:Microsoft-Windows-ClickOnce", + "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational", + "channel": "Process session start/stop events for camera pipeline by unexpected executables" + }, + { + "name": "linux:osquery", + "channel": "select: path LIKE '/dev/video%'" + }, + { + "name": "linux:osquery", + "channel": "state=attached/debugged" + }, + { + "name": "macos:unifiedlog", + "channel": "Code Execution & Entitlement Access" + }, + { + "name": "macos:unifiedlog", + "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID" + }, + { + "name": "macos:unifiedlog", + "channel": "code signature/memory protection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve with UID \u2260 EUID" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve with escalated privileges" + }, + { + "name": "AWS:CloudTrail", + "channel": "cross-account or unexpected assume role" + }, + { + "name": "macos:unifiedlog", + "channel": "log collect from launchd and process start" + }, + { + "name": "containerd:events", + "channel": "Docker or containerd image pulls and process executions" + }, + { + "name": "linux:syslog", + "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings" + }, + { + "name": "macos:unifiedlog", + "channel": "Modifications or writes to EFI system partition for downgraded bootloaders" + }, + { + "name": "macos:unifiedlog", + "channel": "non-shell process tree accessing bash history" + }, + { + "name": "linux:osquery", + 
"channel": "process metadata mismatch between /proc and runtime attributes" + }, + { + "name": "linux:osquery", + "channel": "process environment variables containing LD_PRELOAD" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=400,403" + }, + { + "name": "macos:osquery", + "channel": "Process Execution + Hash" + }, + { + "name": "etw:Microsoft-Windows-Kernel-Process", + "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children" + }, + { + "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational", + "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads" + }, + { + "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational", + "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime" + } + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json index 76a3b22daa..653a240569 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b31cfb5c-685d-4a6e-9568-882568df16e5", + "id": "bundle--a9c7154f-d1bb-4fe3-820b-e7215919221a", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T20:39:11.418Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Sensor Health", "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -30,7 +30,7 @@ "Android", "iOS" ], - "x_mitre_deprecated": false, + "x_mitre_deprecated": true, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json index 39537854fe..a5c8069172 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ed25be9-c4f1-4299-8422-50ffc872f7b3", + "id": "bundle--b0822fe7-d849-4682-8907-fea687f70f48", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:22:20.681Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "User Interface", "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27,7 +27,7 @@ "Android", "iOS" ], - "x_mitre_deprecated": false, + "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], 
diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json index 7e77495f13..c71d2c5beb 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f408477-8f71-46c4-99d8-d3a88f960833", + "id": "bundle--2cfc7bc8-88cb-4398-948d-ffd123580101", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-18T15:11:26.880Z", + "modified": "2025-10-21T15:10:28.402Z", "name": "Command", "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -43,7 +43,7 @@ "iOS", "ESXi" ], - "x_mitre_deprecated": false, + "x_mitre_deprecated": true, "x_mitre_domains": [ "ics-attack", "mobile-attack", diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json index f9ec4001e4..3bc6c6c5bf 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb801c80-e659-47e8-8430-9ae74d5e5a08", + "id": "bundle--3cdefd5e-9838-49ae-8c2c-e3720c39e000", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T15:11:13.424Z",
+ "modified": "2025-10-21T15:10:28.402Z",
 "name": "Network Traffic",
 "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -32,7 +32,7 @@
 "iOS",
 "ESXi"
 ],
- "x_mitre_deprecated": false,
+ "x_mitre_deprecated": true,
 "x_mitre_domains": [
 "ics-attack",
 "mobile-attack",
diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json
index a62cf58b14..c180fe055e 100644
--- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json
+++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--edaa5b87-7d19-431a-b3cf-127a14377857",
+ "id": "bundle--9f2e7253-5904-4fde-a1d8-b187e1659b7b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:22:20.420Z",
+ "modified": "2025-10-21T15:10:28.402Z",
 "name": "Application Vetting",
 "description": "Application vetting report generated by an external cloud service.",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -27,7 +27,7 @@
 "Android",
 "iOS"
 ],
- "x_mitre_deprecated": false,
+ "x_mitre_deprecated": true,
 "x_mitre_domains": [
 "mobile-attack"
 ],
diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
index c3e977a309..b63ff5bcb2 100644
--- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
+++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c41037c1-8172-4c12-975c-859b8180fe73",
+ "id": "bundle--1eb2abdb-a3d1-416c-a8f9-72689f29f00c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-18T15:10:24.655Z",
+ "modified": "2025-10-21T15:10:28.402Z",
 "name": "Process",
 "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -36,7 +36,7 @@
 "iOS",
 "ESXi"
 ],
- "x_mitre_deprecated": false,
+ "x_mitre_deprecated": true,
 "x_mitre_domains": [
 "ics-attack",
 "mobile-attack",
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac.json
new file mode 100644
index 0000000000..725f0d8632
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--f51fe50e-ef0d-4c17-aa63-900040e6738f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0679",
+ "external_id": "DET0679"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Contact List",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2",
+ "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883.json
new file mode 100644
index 0000000000..9cfcf0b779
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883.json
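Review bot: The new `x-mitre-detection-strategy` object carries only a `name` ("Detection of Contact List") and two `x_mitre_analytic_refs`, with no `description`, so a consumer learns nothing about what behaviour is detected until both analytic ids are resolved. None of the referenced `x-mitre-analytic--…` objects appear in this part of the diff, so whether they ship in the same mobile-attack bundle cannot be confirmed from here; an ingestion check that rejects the bundle when an `x_mitre_analytic_refs` id has no matching object would catch dangling references. The other new detection-strategy files that follow in this diff use the same template and share the gap. If the object type permits it, I would add a field such as `"description": "<behaviour detected and platforms covered>"` to each.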
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--76257fd4-c188-40a7-8d95-af2a606b241a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0684",
+ "external_id": "DET0684"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Phishing",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec",
+ "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23.json
new file mode 100644
index 0000000000..fe69621003
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--b5023938-2ea4-4d75-9285-36400f0a11c2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0654",
+ "external_id": "DET0654"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Boot or Logon Initialization Scripts",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c",
+ "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657.json
new file mode 100644
index 0000000000..9939d55ea2
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--e43efbce-6a9b-4f48-a5bb-64a544d17407",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0629",
+ "external_id": "DET0629"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Exploitation for Client Execution",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff",
+ "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b.json
new file mode 100644
index 0000000000..c3c8d8501c
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--fe671fa6-ae5b-4f4a-87a8-1939678ec991",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0696",
+ "external_id": "DET0696"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Network Service Scanning",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f",
+ "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f.json
new file mode 100644
index 0000000000..d7d33b7394
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--b20395e0-d9cf-4006-ad95-24bfea746d06",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0602",
+ "external_id": "DET0602"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Call Log",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a",
+ "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620.json
new file mode 100644
index 0000000000..3a338d9b6c
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--46b2057f-0cde-4069-87ee-1d9a9e6adef8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0601",
+ "external_id": "DET0601"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of System Information Discovery",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd",
+ "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d.json
new file mode 100644
index 0000000000..581326e9be
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--888d4ac1-9370-41f0-a459-fe9874f776be",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0703",
+ "external_id": "DET0703"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Call Control",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179.json
new file mode 100644
index 0000000000..3267ce18dd
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--16329412-fae1-41a2-a74f-b0a68c136526",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0625",
+ "external_id": "DET0625"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of System Checks",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee",
+ "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f.json
new file mode 100644
index 0000000000..c4b9f53f48
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--5ebf3bdd-b55d-4fb7-ab32-8a96311652a8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0650",
+ "external_id": "DET0650"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Symmetric Cryptography",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84",
+ "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0.json
new file mode 100644
index 0000000000..52bd831962
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--5d47c16a-65cd-44d6-bea9-9d2676a8d1c4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0697",
+ "external_id": "DET0697"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Abuse Accessibility Features",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2.json
new file mode 100644
index 0000000000..5b5668c8be
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--0cd6ae0c-5d18-4cb4-89c5-0b96bd196a5f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0674",
+ "external_id": "DET0674"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Calendar Entries",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34",
+ "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de.json
new file mode 100644
index 0000000000..d348ec8a0a
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--4e19183e-790e-4204-8ea1-dd3f5ad1fab1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0693",
+ "external_id": "DET0693"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Disable or Modify Tools",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e.json
new file mode 100644
index 0000000000..9bd9cf5ac8
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--bb20cf8e-2520-4692-b1c8-4c2c993c8643",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0692",
+ "external_id": "DET0692"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Process Discovery",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba",
+ "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b.json
new file mode 100644
index 0000000000..63239c0eed
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--edd6be4f-bb08-40af-abb8-18f777bb6d1c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0626",
+ "external_id": "DET0626"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of URI Hijacking",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb",
+ "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9.json
new file mode 100644
index 0000000000..a595cecd89
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--fac3077c-8c6d-49ad-8fd9-bad26a59ba7f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0710",
+ "external_id": "DET0710"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Disguise Root/Jailbreak Indicators",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e",
+ "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff.json
new file mode 100644
index 0000000000..2bdeaa687f
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--50cfbecf-74ab-4d74-a9ec-b0602cfd3029",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0717",
+ "external_id": "DET0717"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Native API",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7.json
new file mode 100644
index 0000000000..455b414e00
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--bf074294-758b-4989-8e84-047a22f19847",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0721",
+ "external_id": "DET0721"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Compromise Software Supply Chain",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c",
+ "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4.json
new file mode 100644
index 0000000000..96cc981270
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--210a20d7-1a63-47a7-a219-9fe79faa9f7e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0649",
+ "external_id": "DET0649"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Compromise Application Executable",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9.json
new file mode 100644
index 0000000000..156bcdb2f6
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9.json
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--848e3509-4416-4577-97ee-008bc795a01e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0613", + "external_id": "DET0613" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Dynamic Resolution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7", + "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1.json new file mode 100644 index 0000000000..17b593631b --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--9749a228-ef2d-484c-bdf3-c66f80094715", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0640", + "external_id": "DET0640" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Hide Artifacts", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4.json new file mode 100644 index 0000000000..37395746cb --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--5a864a80-325e-4915-97c7-542fa529d7fd", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0608", + "external_id": "DET0608" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Generate Traffic from Victim", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b", + "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de.json new file mode 100644 index 0000000000..0688d40ee3 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--1816de14-ec9e-4a9d-8750-c020a7097269", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0612", + "external_id": "DET0612" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Input Injection", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6.json new file mode 100644 index 0000000000..086f804b7b --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--3a4affc2-a7f6-4da3-9b14-9564fbd753e0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0678", + "external_id": "DET0678" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data Encrypted for Impact", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4.json new file mode 100644 index 0000000000..0f48360f41 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--a767565d-00c9-4f11-8a0c-67929ac7abb3", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0599", + "external_id": "DET0599" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SMS Control", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3.json new file mode 100644 index 0000000000..0f1c595ad0 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--d9ac2479-6b3c-4268-9a60-ccf3dcb84dce", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0705", + "external_id": "DET0705" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Input Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e", + "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5.json new file mode 100644 index 0000000000..273ef68e5a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--7dd3a408-5b86-495c-9548-00a02622926c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0648", + "external_id": "DET0648" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Geofencing", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb", + "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a.json new file mode 100644 index 0000000000..3ddffa32e2 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--c1dee16a-e77f-4f0c-8f2e-c1fcfba48509", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0666", + "external_id": "DET0666" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation for Initial Access", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11", + "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713.json new file mode 100644 index 0000000000..46a91dd50e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--8d04525f-05c6-4f67-8497-f365bc992c42", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0700", + "external_id": "DET0700" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Bidirectional Communication", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea", + "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e.json new file mode 100644 index 0000000000..898f2f574c --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--bb1a63db-5161-46b7-9d42-b5512f84ac8b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0651", + "external_id": "DET0651" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Indicator Removal on Host", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369", + "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e.json new file mode 100644 index 0000000000..ad153d9140 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--aaa88427-1f70-4b5d-9c52-c84c9e3300ea", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0606", + "external_id": "DET0606" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Virtualization Solution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611.json new file mode 100644 index 0000000000..1c5e2c28ab --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--faaba16f-e1b4-467c-abec-4540f6e0de7f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0708", + "external_id": "DET0708" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Internet Connection Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d", + "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5.json new file mode 100644 index 0000000000..31d84ba2c3 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--ba5ccc58-093d-449f-8b66-bf857f27605c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0719", + "external_id": "DET0719" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Hooking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8.json new file mode 100644 index 0000000000..a0cb1c52e1 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--b7176e24-c263-4b23-b5ad-6d34541c951c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0603", + "external_id": "DET0603" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Device Lockout", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb.json new file mode 100644 index 0000000000..16d210a1fe --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--ce556481-bee1-48a5-a3b9-0072b82dc76f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0645", + "external_id": "DET0645" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Lockscreen Bypass", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8", + "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072.json new file mode 100644 index 0000000000..b06ec23a50 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--ae28e49f-bc5f-41fb-8024-c55b04d25ec7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0644", + "external_id": "DET0644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Software Packing", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2", + "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5.json new file mode 100644 index 0000000000..e58503b5bb --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b2e6a3aa-3550-44ee-8822-ecc7a7e03dbf", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0607", + "external_id": "DET0607" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Unix Shell", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e", + "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a.json new file mode 100644 index 0000000000..321b772322 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--90c48ba9-8f2c-4952-a868-311eef56748c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0668", + "external_id": "DET0668" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Screen Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4.json new file mode 100644 index 0000000000..1f598d810f --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--11206540-3fce-45ef-8102-5762ae9288a7", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0620", + "external_id": "DET0620" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Web Protocols", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1", + "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6.json new file mode 100644 index 0000000000..b1ac151616 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b36344c3-cf1e-4de1-86ab-9c7dfc3dfa57", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0663", + "external_id": "DET0663" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation of Remote Services", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f", + "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206.json new file mode 100644 index 0000000000..14163824ba --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--719d8254-b3d5-471c-a62c-84f2a089dc34", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0691", + "external_id": "DET0691" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Replication Through Removable Media", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812", + "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc.json new file mode 100644 index 0000000000..161bc3101e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--8ca63778-0f4b-4663-a7fe-4b79fc4dbeb9", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0673", + "external_id": "DET0673" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Audio Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202", + "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb.json new file mode 100644 index 0000000000..a09a4a1177 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--20998835-83a1-4e94-9e6b-9b64604b2e93", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0615", + "external_id": "DET0615" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over C2 Channel", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e", + "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b.json new file mode 100644 index 0000000000..86325b300f --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--43db448c-dccf-454d-8c1d-0dd1abd2fbbb", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0610", + "external_id": "DET0610" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of One-Way Communication", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b", + "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc.json new file mode 100644 index 0000000000..6952454cc1 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--4527264e-88d6-4f10-ac12-ef95212ff1d1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0630", + "external_id": "DET0630" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Device Administrator Permissions", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89.json new file mode 100644 index 0000000000..828a9373de --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--8cae1474-6d63-4350-9cd2-acf8558383c0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0683", + "external_id": "DET0683" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Transmitted Data Manipulation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5.json new file mode 100644 index 0000000000..0c5881e15e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--f87dd055-88a5-4178-bb9f-e5947f2bb46a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0656", + "external_id": "DET0656" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Steal Application Access Token", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5", + "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75.json new file mode 100644 index 0000000000..3fe2a68bf1 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--09871035-43aa-4066-8ff9-04d7159759f4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0676", + "external_id": "DET0676" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of GUI Input Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521", + "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3.json new file mode 100644 index 0000000000..8812ae8c08 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--665250b8-5a46-41b6-97be-fdee62b6e2b5", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0681", + "external_id": "DET0681" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Protected User Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd", + "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80.json new file mode 100644 index 0000000000..faf54d5203 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--0b5c000c-5d08-4737-b313-f40b2f835c5a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0634", + "external_id": "DET0634" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Network Configuration Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b", + "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967.json new file mode 100644 index 0000000000..9d961d7466 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--78c43188-de7c-4492-ad1f-b91cfaa12cb1", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0677", + "external_id": "DET0677" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Steganography", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532.json new file mode 100644 index 0000000000..94fae4df4a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--46d2e25a-771d-49bc-8002-47c7ecd53396", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0687", + "external_id": "DET0687" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Impair Defenses", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3.json new file mode 100644 index 0000000000..912e2ab86e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--d3f84122-0857-4397-9ae8-8bcbbb5d33b6", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0638", + "external_id": "DET0638" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of File Deletion", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d.json new file mode 100644 index 0000000000..8478045486 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b0afe675-a917-407c-ac79-4678f9092660", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0658", + "external_id": "DET0658" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SIM Card Swap", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f", + "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070.json new file mode 100644 index 0000000000..353902ed2a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--2fe78c7b-df83-4dae-b155-15bcb3da67c2", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0690", + "external_id": "DET0690" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Uninstall Malicious Application", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290.json new file mode 100644 index 0000000000..29ec70b231 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b8166031-6fec-4e26-990e-50181f7d1be2", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0718", + "external_id": "DET0718" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Ingress Tool Transfer", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db", + "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73.json new file mode 100644 index 0000000000..d7380aa758 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--a5686ad0-45cb-4806-bb7b-bfd077e5c6b0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0665", + "external_id": "DET0665" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exploitation for Privilege Escalation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73", + "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac.json new file mode 100644 index 0000000000..d2c699474f --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--63d8d43a-f716-413f-9658-fa7a533d0c22", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0699", + "external_id": "DET0699" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of User Evasion", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5.json new file mode 100644 index 0000000000..9c1ac62470 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--a507b9bb-1d39-4644-902c-62270af425a8", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0714", + "external_id": "DET0714" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Suppress Application Icon", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089.json new file mode 100644 index 0000000000..32ef6fa007 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--3dabe32a-acf1-474d-ba71-b29747f383e9", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0702", + "external_id": "DET0702" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote Device Management Services", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb", + "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6.json new file mode 100644 index 0000000000..a38642d768 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--fbe48ff4-c38f-4fd3-b074-d0ec84408b9e", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0622", + "external_id": "DET0622" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Ptrace System Calls", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4", + "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507.json new file mode 100644 index 0000000000..bac3056e17 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b3b2307c-1a14-4c5f-aca3-f16571b0cf39", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0657", + "external_id": "DET0657" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Subvert Trust Controls", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa", + "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b.json new file mode 100644 index 0000000000..5b2c9d5b85 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--5900a799-b642-47c4-823b-c9d804b91387", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0655", + "external_id": "DET0655" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Command and Scripting Interpreter", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07", + "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b.json new file mode 100644 index 0000000000..4bcb6bfe56 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--70b4cb5c-93b0-48ad-8f72-f7268778f50f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0600", + "external_id": "DET0600" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Software Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc", + "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f.json new file mode 100644 index 0000000000..b0aa63a23a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--5881a770-745d-4ddb-b7fd-28b53456f0bd", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0672", + "external_id": "DET0672" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Web Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728", + "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764.json new file mode 100644 index 0000000000..5dc5688020 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--4a06c74f-5d64-4b59-aff7-f321f90dce99", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0660", + "external_id": "DET0660" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data Manipulation", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4.json new file mode 100644 index 0000000000..3378b0d4de --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--1d364ddf-a8e0-4273-98f9-f5ac5cb49198", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0641", + "external_id": "DET0641" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Encrypted Channel", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97", + "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d.json new file mode 100644 index 0000000000..43884ee292 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--10a7af19-59b6-4c66-a0ad-a19c66a629cd", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0605", + "external_id": "DET0605" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Account Access Removal", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f.json new file mode 100644 index 0000000000..fb631b4583 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--16882777-447a-49a2-a56a-6fe18eaa80d4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0706", + "external_id": "DET0706" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Non-Standard Port", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960", + "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee.json new file mode 100644 index 0000000000..b9ee62c315 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--fc27b692-8049-4f63-ab54-9db799fa8b32", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0623", + "external_id": "DET0623" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Adversary-in-the-Middle", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82", + "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f.json new file mode 100644 index 0000000000..ea93abfc8a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--61a3d6a2-0904-4350-8752-47412b63fb3b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0598", + "external_id": "DET0598" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Prevent Application Removal", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6.json new file mode 100644 index 0000000000..59097abf39 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--9ae63773-43c7-4b05-a8fc-7018947e7b49", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0643", + "external_id": "DET0643" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Clipboard Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6", + "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67.json new file mode 100644 index 0000000000..9ed27cd65c --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--f66fbbf9-73e0-45a0-8fc5-82763e7b517a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0720", + "external_id": "DET0720" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Obfuscated Files or Information", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2", + "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a.json new file mode 100644 index 0000000000..24ee4182e8 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--e2c150a1-dc10-407c-94b9-75b4ac1417a9", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0712", + "external_id": "DET0712" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Client Software Binary", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092", + "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22.json new file mode 100644 index 0000000000..6b2d0ffe91 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--ca80abb8-36a0-4265-8d89-7c71d2f79e51", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0636", + "external_id": "DET0636" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Network Connections Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b.json new file mode 100644 index 0000000000..0b330d7ee5 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--87836c02-6d51-4ff1-aeca-5cd7c6ca0990", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0698", + "external_id": "DET0698" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over Alternative Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782", + "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8.json new file mode 100644 index 0000000000..79c725dd7e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--83528d73-e2f6-4d5d-8eae-f7a983794954", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0689", + "external_id": "DET0689" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of System Runtime API Hijacking", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b.json new file mode 100644 index 0000000000..aa1488a99d --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--986ee606-2bb8-4e1f-ac5b-f9985665d7c4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0653", + "external_id": "DET0653" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Execution Guardrails", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184", + "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e.json new file mode 100644 index 0000000000..848a8c036d --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--33462e66-a759-4548-bda0-f7ea98bbeb48", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0617", + "external_id": "DET0617" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Dead Drop Resolver", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30", + "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b.json new file mode 100644 index 0000000000..506056c98e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--4ca73911-202b-45f7-a954-bda3325f4c1c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0611", + "external_id": "DET0611" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Access Notifications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69.json new file mode 100644 index 0000000000..6681e68cfe --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--68fb88a6-77e8-4428-ae6e-617819e28755", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0639", + "external_id": "DET0639" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Network Denial of Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f", + "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31.json new file mode 100644 index 0000000000..cc87e23f98 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--3d7d5aed-0600-4fd7-ad46-8128b1a74e3f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0628", + "external_id": "DET0628" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Supply Chain Compromise", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf", + "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e.json new file mode 100644 index 0000000000..2490fa009e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e.json 
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--b4746808-7ae9-47ff-9f08-5decc406b737",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0609",
+ "external_id": "DET0609"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Match Legitimate Name or Location",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec",
+ "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3.json
new file mode 100644
index 0000000000..1096e6c721
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--622fa1f6-a978-400b-8161-0c0180033e8b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0631",
+ "external_id": "DET0631"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Proxy Through Victim",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41.json
new file mode 100644
index 0000000000..1004be2443
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--9560a27c-fba1-48ef-854b-699ea61a6433",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0635",
+ "external_id": "DET0635"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Accounts",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3",
+ "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413.json
new file mode 100644
index 0000000000..159a8e7a7b
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--07f5ff6f-4204-4d1a-98bf-c793c6120f2f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0680",
+ "external_id": "DET0680"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Security Software Discovery",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2",
+ "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19.json
new file mode 100644
index 0000000000..2e21b2710e
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--e68fa227-f5e1-4321-873c-1b8d8c5d39ed",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0618",
+ "external_id": "DET0618"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Download New Code at Runtime",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f",
+ "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1.json
new file mode 100644
index 0000000000..0e1cdaf0b1
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--0be0f686-bad8-4424-90fc-996cece3e0eb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0659",
+ "external_id": "DET0659"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Conceal Multimedia Files",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f.json
new file mode 100644
index 0000000000..8dcf8c1788
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--7145fb63-aa8e-40c4-ac20-9b2c9abc68fe",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0642",
+ "external_id": "DET0642"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Abuse Elevation Control Mechanism",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85.json
new file mode 100644
index 0000000000..c1eefcceb4
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--fd08c4be-1c81-4356-b045-707a4a91a949",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0711",
+ "external_id": "DET0711"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Broadcast Receivers",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550.json
new file mode 100644
index 0000000000..6371add71a
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--9cb9b78b-d799-4379-bfc0-7e0afdfc32f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0713",
+ "external_id": "DET0713"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Data from Local System",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a",
+ "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b.json
new file mode 100644
index 0000000000..8d7e83b97d
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--ca8defac-5e53-4e5a-996d-1e553806b6f6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0616",
+ "external_id": "DET0616"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Virtualization/Sandbox Evasion",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c",
+ "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19.json
new file mode 100644
index 0000000000..9a69b4b921
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--5262bdb6-532f-4d30-9341-60a0f09b15b8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0685",
+ "external_id": "DET0685"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Application Layer Protocol",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6",
+ "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495.json
new file mode 100644
index 0000000000..b27c2c9601
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--08faa3c4-8a6f-46f2-a65d-104e376de423",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0662",
+ "external_id": "DET0662"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Impersonate SS7 Nodes",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a",
+ "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48.json
new file mode 100644
index 0000000000..d63eafa0f3
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--95a51db2-9c04-47a6-9b91-51cf23d570c5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0619",
+ "external_id": "DET0619"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Code Signing Policy Modification",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8",
+ "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f.json
new file mode 100644
index 0000000000..40eb71aeff
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--f235f731-533d-4fa4-9027-3c0cb0001417",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0675",
+ "external_id": "DET0675"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Location Tracking",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644",
+ "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c.json
new file mode 100644
index 0000000000..20fd4e2649
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--f9ecf59c-f9dd-458e-b92f-44ffa81393de",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0686",
+ "external_id": "DET0686"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of SMS Messages",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd",
+ "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d.json
new file mode 100644
index 0000000000..1b2ac340ec
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--593d4988-69b2-4533-912c-b50757de7854",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0682",
+ "external_id": "DET0682"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of File and Directory Discovery",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e",
+ "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34.json
new file mode 100644
index 0000000000..76656eefde
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--78cc07e5-95b8-49cf-981b-0f9c0d74fd01",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0633",
+ "external_id": "DET0633"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Credentials from Password Store",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936.json
new file mode 100644
index 0000000000..ba9622c256
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--429a77d6-ce8c-4749-9a8b-3fd5ab6f301e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0664",
+ "external_id": "DET0664"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Keychain",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858.json
new file mode 100644
index 0000000000..5ec3e4c2f2
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--27c61b2a-8bbb-4d56-b184-6a0464b31cc5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0694",
+ "external_id": "DET0694"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Hijack Execution Flow",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78.json
new file mode 100644
index 0000000000..1675de4a9c
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--6b4a2181-5fef-4c9f-975c-c7768fd2b4c2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0670",
+ "external_id": "DET0670"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Archive Collected Data",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466",
+ "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6.json
new file mode 100644
index 0000000000..fe7c02d032
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--d2d122e2-591b-42c7-b77e-50ddf4d3610d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "id": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6",
+ "created": "2025-10-21T15:10:28.402Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0632",
+ "external_id": "DET0632"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-10-21T15:10:28.402Z",
+ "name": "Detection of Process Injection",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1",
+ "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90"
+ ],
+ "x_mitre_deprecated": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90.json
new file mode 100644
index 0000000000..0d453be9df
--- /dev/null
+++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90.json
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--82664964-7137-42ac-a6a8-715555b92f8b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0627", + "external_id": "DET0627" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Endpoint Denial of Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3", + "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae.json new file mode 100644 index 0000000000..f23bc23a16 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--ef48a168-9515-4db6-903b-8672266010a8", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0667", + "external_id": "DET0667" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Asymmetric Cryptography", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c", + "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5.json new file mode 100644 index 0000000000..4600a3666f --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--e6359b99-f557-4aec-b154-b67176404609", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0669", + "external_id": "DET0669" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Domain Generation Algorithms", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0", + "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117.json new file mode 100644 index 0000000000..b787fb420f --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--89e677a0-062d-44c9-90e3-8591ddad1979", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0637", + "external_id": "DET0637" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Foreground Persistence", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04.json new file mode 100644 index 0000000000..4a2a15d48e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--57eca35c-99f0-4be0-a9ec-a6d08e0db41a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0646", + "external_id": "DET0646" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of SSL Pinning", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae", + "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2.json new file mode 100644 index 0000000000..1c740b7ec1 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--4dc0a2ae-e71e-4c7a-b53d-f613b0d4f072", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0701", + "external_id": "DET0701" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Exfiltration Over Unencrypted Non-C2 Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e", + "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7.json new file mode 100644 index 0000000000..071df27eab --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--69d0a576-31b4-44f8-a247-96ec3f3f98da", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0704", + "external_id": "DET0704" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Software Dependencies and Development Tools", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e", + "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0.json new file mode 100644 index 0000000000..c0d0e050a3 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--1dae28e1-d0e5-4e57-9e1b-8100576bad8f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0624", + "external_id": "DET0624" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote Access Software", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998", + "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa.json new file mode 100644 index 0000000000..bfc2861ccd --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--bfdf3406-c766-44be-b2ea-2ca1e9de5d3d", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0614", + "external_id": "DET0614" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Drive-By Compromise", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64", + "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b.json new file mode 100644 index 0000000000..c2a92e2ae5 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--96311543-358a-43ad-8821-e3ed6435b3fc", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0695", + "external_id": "DET0695" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Video Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52", + "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203.json new file mode 100644 index 0000000000..c4749e4f5e --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--7a97c089-5c62-47f6-8fca-0681ba844fe5", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0715", + "external_id": "DET0715" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Masquerading", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07", + "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a.json new file mode 100644 index 0000000000..1e010b0daf --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--ce5ff373-8f7e-4b49-95a5-8a44fe32da1a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0621", + "external_id": "DET0621" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Stored Application Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d", + "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5.json new file mode 100644 index 0000000000..cb6a90af34 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--228421f2-fe25-4189-9af5-d0cf994d6caa", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0688", + "external_id": "DET0688" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Out of Band Data", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe", + "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3.json new file mode 100644 index 0000000000..a06eee3845 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--d133c9fe-10e1-4285-971d-233fd5998076", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0652", + "external_id": "DET0652" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Application Versioning", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c", + "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985.json new file mode 100644 index 0000000000..1556acd612 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--06736d28-dd56-4b1e-81ad-b8f2aa00df25", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0707", + "external_id": "DET0707" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Scheduled Task/Job", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061", + "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d.json new file mode 100644 index 0000000000..019cc49d6a --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--e82ef8ca-6f50-495c-96dc-454e69df67b4", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0604", + "external_id": "DET0604" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Compromise Hardware Supply Chain", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db", + "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f.json new file mode 100644 index 0000000000..04e15a8483 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--ba9c3955-f039-4da6-bd19-e579c1571522", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0716", + "external_id": "DET0716" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Linked Devices", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff", + "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc.json new file mode 100644 index 0000000000..6c2a326aff --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--3ee08b12-4294-41bc-a135-0da63b7f2b8c", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0709", + "external_id": "DET0709" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Wi-Fi Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91", + "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72.json new file mode 100644 index 0000000000..1e3d0ff200 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--906be282-966c-4597-9c5f-8a448e60df56", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0661", + "external_id": "DET0661" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Keylogging", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86", + "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1.json new file mode 100644 index 0000000000..5c7862739c --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--0020a730-faec-4f96-bf87-cd60ea947938", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0671", + "external_id": "DET0671" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Data Destruction", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb.json b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb.json new file mode 100644 index 0000000000..f8dac84869 --- /dev/null +++ b/mobile-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--5b12a244-dc55-4173-950a-45c78f201d7b", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "id": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0647", + "external_id": "DET0647" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Event Triggered Execution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653" + ], + "x_mitre_deprecated": false + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json b/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json index 32e114b934..e62412ab01 100644 --- a/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json +++ b/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abf29da6-4d4b-4bfb-8bed-f621d9e696f4", + "id": "bundle--19ec1e4e-f7a8-4c94-8dd5-7c9193b8c2eb", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json b/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json index e88cffa92d..9e942654c6 100644 --- a/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json 
+++ b/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63618036-b292-45a6-9ba2-d5ebae2dd5b2", + "id": "bundle--35ee242a-a59d-41a5-b81e-a03068ad6eef", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json index 99c148dbab..24bf690127 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31e7904d-6ca5-41a9-8251-86d6a595b991", + "id": "bundle--ab8ce05c-1a56-4c63-8ce2-5c0dcf544705", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json index 16ca34c2d8..4a00bbcb68 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e53b88a-ead4-4c23-a6bb-fed2d7059de7", + "id": "bundle--970a3cac-1ce0-4a86-8092-dfe291c4eedc", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json index ac81ede63f..a44233f045 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2743929f-81df-410e-90bd-42a75d1a338f", + "id": "bundle--1255a0ac-3009-4dbe-80d2-ee9ec77fd909", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json index c70fd0e556..654440e747 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43361a9e-5c04-4bda-95a6-c5c8ba6b0c88", + "id": "bundle--f0d23605-074a-4ad4-aa67-0cad2d9f67f2", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json index 3be796a779..ffe190df46 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6227285f-7fef-4c82-84eb-1dec73ca381e", + "id": "bundle--aec0186a-4853-475a-a36a-94feb23214e0", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json index 9724d07ef7..f8f5d95117 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8476215f-8cd2-41e4-804b-9534934c8f81", + "id": "bundle--76cbc372-d28a-4462-b72f-86cedfca68a3", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json index 8384be3417..08e6697a53 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6a97231-21e6-4b25-96d9-98034c465a13", + "id": "bundle--e5659ac1-a06f-4bc7-8d88-3ccd6a4da689", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json index fe82c55e8f..27dc3f8166 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e819f4d-bd6a-4c8c-be4d-ce6403239e18", + "id": "bundle--95c25fad-2d42-4e32-9a71-e00cf9bcbf45", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json index 1099fb6b64..a6692f9c90 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f914b4c6-3d0e-4bff-83c6-9dfa0e4ecd45", + "id": "bundle--b0bd3f80-d6f5-4f9f-acde-0dac0a78094f", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json index 000ecb6ab1..1224dcb10b 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1395db56-fab2-44df-b35f-1c88ee8e577f", + "id": "bundle--52616b6a-0c7c-410b-ba92-e0c52be1cfd4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json index 13e09948a8..111cf0f747 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a4916f4-09a3-47fb-b208-08f86f7c1c22", + "id": "bundle--0319488f-44f8-44ea-a702-190860fe1799", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json index cabec074a4..75d6ef9545 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--572c1e8d-039d-41ad-a1a9-eb52edbebbe0", + "id": "bundle--b7019571-5c7e-426b-bcff-9731ac9f3ab6", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json index cf1c359083..451f1c883c 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cea4528-bc01-4656-9e85-291a71ea3949", + "id": "bundle--56c916e0-ae7e-44d5-bf00-5fae30418b86", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json index 15722d6b60..f565cc787f 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab9b565c-4340-4003-a77d-00bce2721024", + "id": "bundle--22230aa8-7160-4b02-921d-428210d1592b", "spec_version": "2.0", "objects": [ {