adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

content regeneration for apr-2018 update

Browse Source
This commit is contained in:
John Wunder
2018-04-13 13:37:01 -04:00
parent cd175b6841
commit ced1c19fa3
4120 changed files with 136609 additions and 99817 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--288d5f15-9ccf-4cbd-b626-914d6de540c5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.155Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious SMS Message",
"description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1057"
},
{
"source_name": "Forbes-iPhoneSMS",
"description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.",
"source_name": "Forbes-iPhoneSMS",
"url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html"
},
{
"source_name": "SRLabs-SIMCard",
"description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016.",
"source_name": "SRLabs-SIMCard",
"url": "https://srlabs.de/bites/rooting-sim-cards/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.155Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5d81556e-2428-4c10-bc30-41b9ce345e9a",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--91f2017f-9bde-418b-b4a1-256e66a65a28",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.237Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain Device Cloud Backups",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1073"
},
{
"external_id": "ECO-0",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html",
"external_id": "ECO-0"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html"
},
{
"external_id": "ECO-1",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html",
"external_id": "ECO-1"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html"
},
{
"source_name": "Elcomsoft-EPPB",
"description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.",
"source_name": "Elcomsoft-EPPB",
"url": "https://www.elcomsoft.com/eppb.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.237Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3c63290b-3f1c-47d5-888d-1c3d01dfd7f2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--117f15de-ec30-4e9f-8a49-3bb8c45a0179",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.462Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Insecure Third-Party Libraries",
"description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1028"
},
{
"external_id": "APP-6",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html",
"external_id": "APP-6"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html"
},
{
"source_name": "NowSecure-RemoteCode",
"description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.",
"source_name": "NowSecure-RemoteCode",
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
},
{
"source_name": "Grace-Advertisement",
"description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.",
"source_name": "Grace-Advertisement",
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.462Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--2c86a0df-6001-4bdc-86c3-096427845a96",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--536a86a9-3c40-4352-9a0e-3bd9cb25d05a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.067Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Application Discovery",
"description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,31 +15,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1021"
},
{
"source_name": "Android-PackageManager",
"description": "Android. (n.d.). PackageManager. Retrieved December 21, 2016.",
"source_name": "Android-PackageManager",
"url": "https://developer.android.com/reference/android/content/pm/PackageManager.html"
},
{
"source_name": "Kurtz-MaliciousiOSApps",
"description": "Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016.",
"source_name": "Kurtz-MaliciousiOSApps",
"url": "https://andreas-kurtz.de/2014/09/malicious-ios-apps/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.067Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--bff8305f-ce67-4e42-81e7-0dc1880caa18",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--05818bc9-9d42-405c-bc64-3775f2a6d917",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.926Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Process Discovery",
"description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the <code>ps</code> command, or by examining the <code>/proc</code> directory. Starting in Android version 7, use of the Linux kernel's <code>hidepid</code> feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1027"
},
{
"source_name": "Android-SELinuxChanges",
"description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.",
"source_name": "Android-SELinuxChanges",
"url": "https://code.google.com/p/android/issues/detail?id=205565"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.926Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--015f2231-6163-49ee-851a-719c2758da92",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--1708133c-73a8-4e32-9517-e65385f9c5c2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.699Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Delivered via Email Attachment",
"description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1037"
},
{
"external_id": "AUT-9",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"external_id": "AUT-9"
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html"
},
{
"external_id": "ECO-13",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
"external_id": "ECO-13"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.699Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--eb82fe62-da6e-4b21-8e1f-a661d2af23da",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--eb497c86-65fc-4dc5-9e0b-5d489a374c2c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.613Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse Accessibility Features",
"description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -23,25 +15,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1056"
},
{
"source_name": "Skycure-Accessibility",
"description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.",
"source_name": "Skycure-Accessibility",
"url": "https://www.skycure.com/blog/accessibility-clickjacking/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.613Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--fe4e22ce-fedb-421b-967b-9ac4b1d67187",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fee3a5bf-d291-4748-8a10-119919d937ad",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.259Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit Enterprise Resources",
"description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1031"
},
{
"external_id": "APP-32",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html",
"external_id": "APP-32"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.259Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c8ce06e0-66da-4acc-95b0-1d7353f57a3c",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--b642ce68-7d81-4009-83be-32303ed6b39a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.176Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Sensitive Data in Device Logs",
"description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -23,30 +15,38 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1016"
},
{
"external_id": "APP-3",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html",
"external_id": "APP-3"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html"
},
{
"external_id": "APP-13",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.176Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--fe6fd9e7-9873-4ce9-9439-06e82754f6bc",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--b703c923-1b07-488f-9eb5-37e0972375d8",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.890Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Network Service Scanning",
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,21 +11,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1026"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.890Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9f130ffa-ad66-4bfe-88de-4f91c119186d",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--464824c1-a224-4425-911e-df8ae198ee6c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.405Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit OS Vulnerability",
"description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1007"
},
{
"external_id": "APP-26",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"external_id": "APP-26"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.405Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9291f373-7043-4b38-8b0d-404e878e3977",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--0d3f56b6-1543-4f9d-845b-93d23fa63864",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.650Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Commonly Used Port",
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,21 +15,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1039"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.650Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4eb7a52f-42fe-4915-95e5-d52fb279118e",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--8295d665-7828-4c87-910e-b04af8d3eb1f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.104Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Eavesdrop on Insecure Network Communication",
"description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1042"
},
{
"external_id": "APP-0",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html",
"external_id": "APP-0"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html"
},
{
"external_id": "APP-1",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"external_id": "APP-1"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html"
},
{
"source_name": "mHealth",
"description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016.",
"source_name": "mHealth",
"url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.104Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--86ed7e49-4f31-445c-bb03-0b531eb1cc58",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--4d07cfc4-3116-4cb5-8719-205febbde6b2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.982Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Network Traffic Capture or Redirection",
"description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,26 +15,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1013"
},
{
"source_name": "Skycure-Profiles",
"description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.",
"source_name": "Skycure-Profiles",
"url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.982Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--70e0cbfa-dbbd-4a7a-9991-866f9caef0b5",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--349cba8a-2e60-439b-8b22-57a9de0b5b16",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.407Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "User Interface Spoofing",
"description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,46 +11,54 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1014"
},
{
"external_id": "APP-31",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
"external_id": "APP-31"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html"
},
{
"source_name": "Felt-PhishingOnMobileDevices",
"description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.",
"source_name": "Felt-PhishingOnMobileDevices",
"url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"
},
{
"source_name": "Hassell-ExploitingAndroid",
"description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved August 25, 2016.",
"source_name": "Hassell-ExploitingAndroid",
"url": "http://conference.hitb.org/hitbsecconf2011kul/materials/D1T1"
},
{
"source_name": "Android-getRunningTasks",
"description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017.",
"source_name": "Android-getRunningTasks",
"url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29"
},
{
"source_name": "StackOverflow-getRunningAppProcesses",
"description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.",
"source_name": "StackOverflow-getRunningAppProcesses",
"url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.407Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--22d0ae2c-b8db-4e9a-b807-25381e7083a2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--cfdde659-57d4-4254-93f9-5a380ff0da94",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.069Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Biometric Spoofing",
"description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1063"
},
{
"source_name": "SRLabs-Fingerprint",
"description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.",
"source_name": "SRLabs-Fingerprint",
"url": "https://srlabs.de/bites/spoofing-fingerprints/"
},
{
"source_name": "Apple-TouchID",
"description": "Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016.",
"source_name": "Apple-TouchID",
"url": "https://support.apple.com/en-us/HT204587"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.069Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c38a8e11-862f-46e3-bfd0-904063c2e1a1",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ffd0e792-4ba6-458f-acb8-bc5ad81352f5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.294Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify OS Kernel or Boot Partition",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,41 +15,49 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1001"
},
{
"external_id": "APP-26",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"external_id": "APP-26"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html"
},
{
"external_id": "APP-27",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html"
},
{
"source_name": "Samsung-KnoxWarrantyBit",
"description": "Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016.",
"source_name": "Samsung-KnoxWarrantyBit",
"url": "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"source_name": "Apple-iOSSecurityGuide",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.294Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--8bdc1b01-63b8-4b76-8325-2bb540468d0f",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--55d86731-cc83-4412-bb32-94ea22b7a4bb",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.535Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Contact List",
"description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1035"
},
{
"external_id": "APP-13",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.535Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--8aa4f23f-d4e9-4a6f-8efd-9f9f3a71969f",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--a6f0a012-e92a-44ef-b782-90c1c57e21d2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.288Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse of iOS Enterprise App Signing Key",
"description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS",
"kill_chain_phases": [
@@ -19,30 +11,38 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1048"
},
{
"external_id": "ECO-23",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html",
"external_id": "ECO-23"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html"
},
{
"source_name": "Xiao-iOS",
"description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.",
"source_name": "Xiao-iOS",
"url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.288Z",
"x_mitre_platforms": [
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9a438738-241a-406a-bc77-2f764bd1d6aa",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fe0fbb59-7887-4d86-94d7-862c4079c42b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.864Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit SS7 to Track Device Location",
"description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC-WG1-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,33 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1053"
},
{
"external_id": "CEL-38",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html",
"external_id": "CEL-38"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html"
},
{
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.",
"source_name": "Engel-SS7",
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"
},
{
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.",
"source_name": "3GPP-Security",
"url": "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf"
},
{
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.",
"source_name": "Positive-SS7",
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"source_name": "CSRIC5-WG10-FinalReport",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
},
{
@@ -56,13 +48,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.864Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b504f957-44f9-4c06-a9e2-c7e94181b075",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ba51d14c-8915-44f3-8347-d3cf463c562e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.827Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Wipe Data Without Authorization",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1072"
},
{
"external_id": "ECO-5",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"external_id": "ECO-5"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html"
},
{
"external_id": "EMM-7",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"external_id": "EMM-7"
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html"
},
{
"source_name": "Honan-Hacking",
"description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.",
"source_name": "Honan-Hacking",
"url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.827Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--27499158-10b1-4c8e-b4a5-753f2f9fd44a",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fe5375e0-d340-4eee-b36e-d594bde9bab8",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.727Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Calendar Entries",
"description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1038"
},
{
"external_id": "APP-13",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.727Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9adb36f3-b049-41bf-b6de-bc894689245d",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--8ad5cb49-6071-4a4e-b3b4-3c109fb8c621",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.354Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Rogue Wi-Fi Access Points",
"description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1068"
},
{
"external_id": "LPN-0",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html",
"external_id": "LPN-0"
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html"
},
{
"source_name": "NIST-SP800153",
"description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016.",
"source_name": "NIST-SP800153",
"url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf"
},
{
"source_name": "Kaspersky-DarkHotel",
"description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.",
"source_name": "Kaspersky-DarkHotel",
"url": "https://blog.kaspersky.com/darkhotel-apt/6613/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.354Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--23b498ee-c647-4a03-bab8-107d63d65f5a",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--01a4ae4d-7984-4e0a-91c6-a1e12a94baf3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.233Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit via Charging Station or PC",
"description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,41 +11,49 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1061"
},
{
"external_id": "PHY-1",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
"external_id": "PHY-1"
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html"
},
{
"source_name": "Krebs-JuiceJacking",
"description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.",
"source_name": "Krebs-JuiceJacking",
"url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"
},
{
"source_name": "Lau-Mactans",
"description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.",
"source_name": "Lau-Mactans",
"url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"
},
{
"source_name": "IBM-NexusUSB",
"description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.",
"source_name": "IBM-NexusUSB",
"url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.233Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--55145adc-d2e4-4286-89d0-304be0618bfe",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--13d518d9-4f18-403c-80ff-bef865948414",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.913Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Microphone or Camera Recordings",
"description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1032"
},
{
"external_id": "APP-19",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
"external_id": "APP-19"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.913Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--a299b45b-f658-4f28-964c-5aededb87154",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--79203aae-8000-4c09-a99e-6fa029f22613",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.158Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Standard Application Layer Protocol",
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,31 +15,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1040"
},
{
"external_id": "APP-29",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
"external_id": "APP-29"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"source_name": "Kaspersky-MobileMalware",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.158Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e854ff45-0f77-4a1c-b849-e6e918a238e1",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ce2b6eb7-7e53-42f2-a3ae-d3556c14396e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.861Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Delivered via Web Download",
"description": "The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1034"
},
{
"external_id": "AUT-9",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"external_id": "AUT-9"
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html"
},
{
"external_id": "ECO-21",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
"external_id": "ECO-21"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.861Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--73818c49-0246-4f5e-b496-66061f70697c",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--866fff0f-17bf-43a3-bfe8-4edc10e19ac2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.460Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Download New Code at Runtime",
"description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,46 +11,54 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1010"
},
{
"external_id": "APP-20",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"external_id": "APP-20"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html"
},
{
"source_name": "Poeplau-ExecuteThis",
"description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016.",
"source_name": "Poeplau-ExecuteThis",
"url": "https://www.internetsociety.org/sites/default/files/10%205%200.pdf"
},
{
"source_name": "Bromium-AndroidRCE",
"description": "Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016.",
"source_name": "Bromium-AndroidRCE",
"url": "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/"
},
{
"source_name": "FireEye-JSPatch",
"description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.",
"source_name": "FireEye-JSPatch",
"url": "https://www.fireeye.com/blog/threat-research/2016/01/hot%20or%20not%20the%20bene.html"
},
{
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.",
"source_name": "Wang",
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.460Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--0b1237a1-f3fa-4145-b251-9a27999b81e2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--29d9a31e-2161-446d-93e5-46825d7c8261",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.023Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Track Device Without Authorization",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1071"
},
{
"external_id": "ECO-5",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"external_id": "ECO-5"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html"
},
{
"external_id": "EMM-7",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"external_id": "EMM-7"
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.023Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b7f0ab60-c819-42bb-840c-fd993b61f2ff",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--be272038-54bc-4c4e-806b-cf2ada4da58e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.402Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Sensitive Data or Credentials in Files",
"description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,26 +15,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1012"
},
{
"external_id": "AUT-0",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html",
"external_id": "AUT-0"
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.402Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--dc53e9e8-da85-4ab0-a885-7aad90e3b62f",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--7fa54bc5-0145-4301-bf6c-8954e5206999",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.460Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Manipulate App Store Rankings or Ratings",
"description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,21 +11,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1055"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.460Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c1bd243e-82ce-4da3-8c9f-60c3eacddee9",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--dd1cf188-4a22-432e-a651-efe2efe5a4af",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.008Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Android Intent Hijacking",
"description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1019"
},
{
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
"source_name": "IETF-PKCE",
"url": "https://tools.ietf.org/html/rfc7636"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.008Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--8cd5d733-aed2-4ca7-ac2b-355a32fd2b07",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--2ed6a166-da88-4d9c-a54c-33496d5aa314",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.116Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Call Log",
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1036"
},
{
"external_id": "APP-13",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.116Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--53568d9b-ce5c-43af-8068-f4f1c50cdae2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--972628ce-09ce-464d-9c08-99bb5bd405c5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.774Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse Device Administrator Access to Prevent Removal",
"description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1004"
},
{
"external_id": "APP-22",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
"external_id": "APP-22"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.774Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d560d67c-bfc3-4dcd-b19f-25e50587ed25",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ddebdc6c-987a-4905-9f61-a2639eb56c7d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.830Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Install Application",
"description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,35 +11,43 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1046"
},
{
"external_id": "ECO-4",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html",
"external_id": "ECO-4"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html"
},
{
"source_name": "Oberheide-RemoteInstall",
"description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.",
"source_name": "Oberheide-RemoteInstall",
"url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/"
},
{
"source_name": "Konoth",
"description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016.",
"source_name": "Konoth",
"url": "http://www.vvdveen.com/publications/BAndroid.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.830Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--79044b80-1099-4998-aeb8-a46a3518cbef",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--6d1e64e6-3e2b-41a5-a06e-2a8e1a16cb16",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.092Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify cached executable code",
"description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1006"
},
{
"source_name": "Sabanal-ART",
"description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016.",
"source_name": "Sabanal-ART",
"url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.092Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c03bc5e2-1cf1-402d-a4ca-1e062c68dc19",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--d17e5966-ea12-4c80-ab7a-5cc2410b83c2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.456Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Device Type Discovery",
"description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1022"
},
{
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016.",
"source_name": "Android-Build",
"url": "https://zeltser.com/third-party-keyboards-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.456Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b9c217ee-92b8-4542-a425-cbd031b16125",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fcfd16e2-8319-4a29-8295-78143b992f33",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.694Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Wipe Device Data",
"description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,20 +11,28 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1050"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.694Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--cebdd34f-c7fa-4cc0-a2b6-b764ea4186c2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--b8925aec-7279-458a-b96b-df3bdb5cd91d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.082Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Premium SMS Toll Fraud",
"description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,30 +11,38 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1051"
},
{
"source_name": "Lookout-SMS",
"description": "Ryan Sammy. (2013, August 2). 10 Organizations Build 60% of Russian Toll Fraud Malware. Retrieved December 22, 2016.",
"source_name": "Lookout-SMS",
"url": "https://blog.lookout.com/blog/2013/08/02/dragon-lady/"
},
{
"source_name": "AndroidSecurity2014",
"description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.",
"source_name": "AndroidSecurity2014",
"url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google%20Android%20Security%202014%20Report%20Final.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.082Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--2b7fbbc1-d083-4a66-8223-78c94d45bf9d",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fd788c96-2b60-4513-82cd-d549bf55ddf1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.533Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "URL Scheme Hijacking",
"description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS",
"kill_chain_phases": [
@@ -19,45 +11,53 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1018"
},
{
"external_id": "AUT-10",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
"external_id": "AUT-10"
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html"
},
{
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
"source_name": "IETF-PKCE",
"url": "https://tools.ietf.org/html/rfc7636"
},
{
"source_name": "MobileIron-XARA",
"description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.",
"source_name": "MobileIron-XARA",
"url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
},
{
"source_name": "Dhanjani-URLScheme",
"description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.",
"source_name": "Dhanjani-URLScheme",
"url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
},
{
"source_name": "FireEye-Masque2",
"description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.",
"source_name": "FireEye-Masque2",
"url": "https://www.fireeye.com/blog/threat-research/2015/02/ios%20masque%20attackre.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.533Z",
"x_mitre_platforms": [
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--1fc35cc7-072d-4501-9ec7-3fbe87a9c45e",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--2f583b1e-fa0a-46d0-83d9-d7f911f007b1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.267Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Location Tracking",
"description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1033"
},
{
"external_id": "APP-24",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
"external_id": "APP-24"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.267Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--fee2456b-74f4-47ef-bca1-de29e5a22b39",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--69009618-18d8-4ba4-b094-1ad0f59d2942",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.886Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Lock User Out of Device",
"description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1049"
},
{
"external_id": "APP-28",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"external_id": "APP-28"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html"
},
{
"source_name": "KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"source_name": "KeyRaider",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.886Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--596e8b57-7d35-4fb1-820c-e2b90b3468bf",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--779d5261-ebde-40c5-9d93-d98728d54f5b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.625Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Attack PC via USB Connection",
"description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,35 +11,43 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1030"
},
{
"external_id": "PHY-2",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
"external_id": "PHY-2"
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html"
},
{
"source_name": "Wang-ExploitingUSB",
"description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016.",
"source_name": "Wang-ExploitingUSB",
"url": "http://dl.acm.org/citation.cfm?id=1920314"
},
{
"source_name": "ArsTechnica-PoisonTap",
"description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.",
"source_name": "ArsTechnica-PoisonTap",
"url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.625Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--463d874f-23c1-4c76-b521-8e47938caca1",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--07b70640-3ed7-4c08-a460-2cc7654cc29a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:05.928Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Stolen Developer Credentials or Signing Keys",
"description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,36 +11,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1044"
},
{
"external_id": "ECO-16",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html",
"external_id": "ECO-16"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html"
},
{
"external_id": "ECO-17",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html",
"external_id": "ECO-17"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html"
},
{
"source_name": "Infoworld-Appstore",
"description": "Galen Gruman. (2014, December 5). Keep out hijackers: Secure your app store dev account. Retrieved December 22, 2016.",
"source_name": "Infoworld-Appstore",
"url": "http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:05.928Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d98d1e06-2e99-492a-9824-918f7e9a5252",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--087172d1-bb9e-4b53-bdf7-0af704e024db",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.296Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Rogue Cellular Base Station",
"description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1070"
},
{
"external_id": "CEL-7",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"external_id": "CEL-7"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html"
},
{
"source_name": "Computerworld-Femtocell",
"description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016.",
"source_name": "Computerworld-Femtocell",
"url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.296Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9d329ab0-6b55-4331-84ca-d9332ca2e1ca",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--1227437a-f9df-43f1-a5ab-5bb7c911bfd8",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.329Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "SIM Card Swap",
"description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,41 +11,49 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1054"
},
{
"external_id": "STA-22",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html",
"external_id": "STA-22"
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html"
},
{
"source_name": "NYGov-Simswap",
"description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.",
"source_name": "NYGov-Simswap",
"url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html"
},
{
"source_name": "Betanews-Simswap",
"description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.",
"source_name": "Betanews-Simswap",
"url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/"
},
{
"source_name": "Guardian-Simswap",
"description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.",
"source_name": "Guardian-Simswap",
"url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.329Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ac9e2776-f421-48e2-a6e7-ada3c865cad4",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--a9ba80a0-a8b4-4065-a4e4-88246b400376",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.660Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Third Party Keyboard App",
"description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,26 +15,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1020"
},
{
"source_name": "Zeltser-Keyboard",
"description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.",
"source_name": "Zeltser-Keyboard",
"url": "https://zeltser.com/third-party-keyboards-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.660Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b4e8a76f-73c3-4141-9260-c5e626411b13",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ce267057-c798-4265-b5c5-5f97a78c678f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:35.247Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Repackaged Application",
"description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,31 +15,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1047"
},
{
"external_id": "APP-14",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
"external_id": "APP-14"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"source_name": "Zhou",
"url": "http://ieeexplore.ieee.org/document/6234407"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:35.247Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7aa2a0c7-44db-4090-a646-94a7c2a26b8a",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--e5141ca2-6e67-473c-8d42-0b3c995115d5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.682Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Media Content",
"description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1060"
},
{
"external_id": "CEL-22",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"external_id": "CEL-22"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html"
},
{
"source_name": "Zimperium-Stagefright",
"description": "Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016.",
"source_name": "Zimperium-Stagefright",
"url": "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.682Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--45e4ec97-6381-4e83-945b-b80ef0e14e76",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json
+16 -16
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fe5b82e9-d46e-4071-ba8a-aaa47f6d2035",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.003Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Disguise Root/Jailbreak Indicators",
"description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). \n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,41 +11,49 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1011"
},
{
"external_id": "EMM-5",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
"external_id": "EMM-5"
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html"
},
{
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.",
"source_name": "Rastogi",
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
},
{
"source_name": "Brodie",
"description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.",
"source_name": "Brodie",
"url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"
},
{
"source_name": "Tan",
"description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.",
"source_name": "Tan",
"url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.003Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--f4a17a08-91c6-472f-aa09-47019b53c414",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--03b2e2b3-2d44-4afa-96d4-5fc136d28f5e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.307Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Alternate Network Mediums",
"description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,26 +15,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1041"
},
{
"external_id": "APP-30",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
"external_id": "APP-30"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.307Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4af7728c-64ee-432d-b941-8b056b485dc8",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json
+21 -21
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--f80dd6ad-843c-4e23-805e-8b29db918c2d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.473Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Detect App Analysis Environment",
"description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,56 +11,64 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1043"
},
{
"external_id": "APP-20",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"external_id": "APP-20"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html"
},
{
"external_id": "APP-21",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"external_id": "APP-21"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html"
},
{
"external_id": "ECO-22",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html",
"external_id": "ECO-22"
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html"
},
{
"source_name": "Petsas",
"description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.",
"source_name": "Petsas",
"url": "http://dl.acm.org/citation.cfm?id=2592796"
},
{
"source_name": "Oberheide-Bouncer",
"description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.",
"source_name": "Oberheide-Bouncer",
"url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf"
},
{
"source_name": "Percoco-Bouncer",
"description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.",
"source_name": "Percoco-Bouncer",
"url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH%20US%2012%20Percoco%20Adventures%20in%20Bouncerland%20WP.pdf"
},
{
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.",
"source_name": "Wang",
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.473Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b17bf3ff-a00a-46e1-be91-404f9a39b4f5",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--33508785-321a-45c3-9f96-0dde3d2818a2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.905Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Software Development Tools",
"description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1065"
},
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"source_name": "PaloAlto-XcodeGhost1",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.905Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--13f72d95-80c2-4e10-af63-bd2cef04010b",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--8f0932e8-1cc4-409c-912b-7647615a39d5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.127Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Auto-Start at Device Boot",
"description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n (Citation: Zhou) and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1005"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"source_name": "Zhou",
"url": "http://ieeexplore.ieee.org/document/6234407"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.127Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c95e8aaf-311d-4c4f-b3b4-c985afcef0e4",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--d32d38cb-717e-40ab-a923-e4874f864f6e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.996Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Capture Clipboard Data",
"description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,26 +15,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1017"
},
{
"external_id": "APP-35",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html",
"external_id": "APP-35"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.996Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--1149d3c4-2c2f-4a1a-af71-fb0f2a7bdcf6",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--da184c4c-1f67-4388-b39f-87537da219f0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.890Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify System Partition",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,36 +15,44 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1003"
},
{
"external_id": "APP-27",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html"
},
{
"source_name": "Android-VerifiedBoot",
"description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.",
"source_name": "Android-VerifiedBoot",
"url": "https://source.android.com/security/verifiedboot/"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"source_name": "Apple-iOSSecurityGuide",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.890Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--457fe7d2-1e75-4103-a49f-c61d289def69",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--bf954120-ed21-40c6-823b-02aa9bdc11fb",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.149Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit Baseband Vulnerability",
"description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,41 +11,49 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1058"
},
{
"external_id": "STA-18",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-18.html",
"external_id": "STA-18"
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-18.html"
},
{
"external_id": "STA-19",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-19.html",
"external_id": "STA-19"
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-19.html"
},
{
"source_name": "Register-BaseStation",
"description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.",
"source_name": "Register-BaseStation",
"url": "http://www.theregister.co.uk/2015/11/12/mobile%20pwn2own1/"
},
{
"source_name": "Weinmann-Baseband",
"description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.",
"source_name": "Weinmann-Baseband",
"url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.149Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3a8395d5-4ce9-44fb-b271-5d487f1ad162",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--ec4829db-f776-4d72-8318-09e4a3f584de",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.965Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "File and Directory Discovery",
"description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,20 +11,28 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1023"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.965Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--86779268-e023-40c5-9924-2c260fe7c023",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--1fee823f-4970-4c37-adcf-96db128585c4",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.328Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obfuscated or Encrypted Payload",
"description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,46 +11,54 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1009"
},
{
"external_id": "APP-21",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"external_id": "APP-21"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html"
},
{
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.",
"source_name": "Rastogi",
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"source_name": "Zhou",
"url": "http://ieeexplore.ieee.org/document/6234407"
},
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"source_name": "TrendMicro-Obad",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
},
{
"source_name": "Xiao-iOS",
"description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.",
"source_name": "Xiao-iOS",
"url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.328Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--53eb4bb1-73ca-4764-9a17-e76b15e5b0e3",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json
+20 -20
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--d04f124b-e557-4590-8636-82bbaf0436db",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Jamming or Denial of Service",
"description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,46 +15,54 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1067"
},
{
"external_id": "CEL-7",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"external_id": "CEL-7"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html"
},
{
"external_id": "CEL-8",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html",
"external_id": "CEL-8"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html"
},
{
"external_id": "LPN-5",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html",
"external_id": "LPN-5"
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html"
},
{
"external_id": "GPS-0",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
"external_id": "GPS-0"
"url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html"
},
{
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2016, November). Guide to LTE Security (DRAFT). Retrieved January 20, 2017.",
"source_name": "NIST-SP800187",
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.740Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6a9b0fa2-6a15-43ad-9b88-3a27304cf207",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--80bc3620-a128-4dcb-985a-b02d4a4cb834",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Local Network Configuration Discovery",
"description": "On Android, details of onboard network interfaces are accessible to apps through the java.net. (Citation: NetworkInterface) class (Citation: NetworkInterface). The Android (Citation: TelephonyManager) class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,30 +11,38 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1025"
},
{
"source_name": "NetworkInterface",
"description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.",
"source_name": "NetworkInterface",
"url": "https://developer.android.com/reference/java/net/NetworkInterface.html"
},
{
"source_name": "TelephonyManager",
"description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.",
"source_name": "TelephonyManager",
"url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.740Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3cf91ec6-5744-4d8c-9758-22863d7e806e",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fa5752af-9fb8-4e2f-918b-b42c3759fa06",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.322Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Manipulate Device Communication",
"description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1066"
},
{
"external_id": "APP-1",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"external_id": "APP-1"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html"
},
{
"source_name": "FireEye-SSL",
"description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.",
"source_name": "FireEye-SSL",
"url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.322Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--21732dca-1bd8-45b8-ae0d-ed5c51b89009",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--adb75985-eb63-4b7e-91f8-e9098057216f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.285Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Encrypt Files for Ransom",
"description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1074"
},
{
"external_id": "APP-28",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"external_id": "APP-28"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.285Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--0ef81f23-51b3-41f5-badb-00ecaed13617",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--fe5645ed-048d-4858-9e67-99fb36fbf07c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.574Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Local Network Connections Discovery",
"description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -19,25 +11,33 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1024"
},
{
"source_name": "ConnMonitor",
"description": "Anti Spy Mobile. (2016, March 14). Network Connections. Retrieved December 21, 2016.",
"source_name": "ConnMonitor",
"url": "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.574Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e3dc7dd7-b8b6-44f0-b472-aa02200ccfa9",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--6eb39a9d-8658-4807-b171-783127c12523",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.488Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Lockscreen Bypass",
"description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1064"
},
{
"source_name": "Wired-AndroidBypass",
"description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.",
"source_name": "Wired-AndroidBypass",
"url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/"
},
{
"source_name": "Kaspersky-iOSBypass",
"description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.",
"source_name": "Kaspersky-iOSBypass",
"url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.488Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--44c40aa2-dadf-4a0a-bf74-79eaaad9161f",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--15388a94-95b7-453e-907a-f32dcd82f687",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.265Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "System Information Discovery",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,31 +11,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1029"
},
{
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016.",
"source_name": "Android-Build",
"url": "https://zeltser.com/third-party-keyboards-security/"
},
{
"source_name": "StackOverflow-iOSVersion",
"description": "Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016.",
"source_name": "StackOverflow-iOSVersion",
"url": "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.265Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e24033a3-c319-4e5b-9e08-17bb6b58680b",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--8680796f-39be-4c2d-a90d-952651c12c05",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.786Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Fake Developer Accounts",
"description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1045"
},
{
"source_name": "Oberheide-Bouncer",
"description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.",
"source_name": "Oberheide-Bouncer",
"url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.786Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--17fb22dd-1a68-4bbe-8219-c9cf026c59ea",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--c4643ba4-6ce9-49af-99f1-f81b10492ae9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.920Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Capture SMS Messages",
"description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,21 +15,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.920Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--00add81d-9dfa-4955-8386-8810ff82f87c",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--578c1e5f-3e73-4a45-9293-9655b7709702",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.716Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit TEE Vulnerability",
"description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -23,45 +15,53 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1008"
},
{
"external_id": "APP-27",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html"
},
{
"source_name": "Thomas-TrustZone",
"description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.",
"source_name": "Thomas-TrustZone",
"url": "https://usmile.at/symposium/program/2015/thomas-holmes"
},
{
"source_name": "QualcommKeyMaster",
"description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016.",
"source_name": "QualcommKeyMaster",
"url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html"
},
{
"source_name": "EkbergTEE",
"description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.",
"source_name": "EkbergTEE",
"url": "https://usmile.at/symposium/program/2015/ekberg"
},
{
"source_name": "laginimaineb-TEE",
"description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016.",
"source_name": "laginimaineb-TEE",
"url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.716Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--12e72a1a-0d10-4e24-a6f2-5805bfcc3bba",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json
+15 -15
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--e0afd80c-25ac-4054-885a-1dc313e48881",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.583Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify Trusted Execution Environment",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android",
"kill_chain_phases": [
@@ -23,35 +15,43 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1002"
},
{
"external_id": "APP-27",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html"
},
{
"source_name": "Roth-Rootkits",
"description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.",
"source_name": "Roth-Rootkits",
"url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"source_name": "Apple-iOSSecurityGuide",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.583Z",
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5706df88-de7c-48ac-a539-c2b7672b243a",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json
+12 -12
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--f43b421c-802b-4baa-8b46-bfe8eed63787",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.652Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Device Unlock Code Guessing or Brute Force",
"description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1062"
},
{
"source_name": "PopSci-IPBox",
"description": "Dan Moren. (2015, March 18). This Box Can Figure Out Your 4-Digit iPhone Passcode. Retrieved December 23, 2016.",
"source_name": "PopSci-IPBox",
"url": "http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.652Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--72ea473f-9752-4dc8-a9bf-5e92f6bf57a2",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json
+14 -14
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--141b2de1-a007-48a7-88d0-56806970e53b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.667Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Downgrade to Insecure Protocols",
"description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -23,31 +15,39 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1069"
},
{
"external_id": "CEL-3",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html",
"external_id": "CEL-3"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html"
},
{
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2016, November). Guide to LTE Security (DRAFT). Retrieved January 20, 2017.",
"source_name": "NIST-SP800187",
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.667Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ebdb12eb-fc7f-43a8-a8e7-02238a0f69e7",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--6ddc78a1-549f-4b73-a712-813c61b8a6b3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.937Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Generate Fraudulent Advertising Revenue",
"description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,21 +11,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1075"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.937Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
]
],
"id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--76671477-00e1-4ee8-8a38-d4283feb8b28",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json
+11 -11
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--283652e0-5e93-4a22-b92e-bbf5bc2786be",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.446Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious or Vulnerable Built-in Device Functionality",
"description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,21 +11,29 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1076"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.446Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--02e3b270-40a5-4560-80bc-db711c9e7117",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json
+17 -17
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--5b67b356-1e80-498a-b06b-2c7c8ac3593b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.524Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,46 +11,54 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1052"
},
{
"external_id": "CEL-37",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html",
"external_id": "CEL-37"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html"
},
{
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.",
"source_name": "Engel-SS7",
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"
},
{
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.",
"source_name": "3GPP-Security",
"url": "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf"
},
{
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.",
"source_name": "Positive-SS7",
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"source_name": "CSRIC5-WG10-FinalReport",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.524Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
]
],
"id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--2f0dbd1f-ec66-4e7d-b333-65f04c8ca6c8",
"spec_version": "2.0"
}
mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json
+13 -13
View File
@@ -1,14 +1,6 @@
{
"type": "bundle",
"id": "bundle--5b2d4981-20cc-4a1d-86f4-23b1d73ab339",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.822Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Web Content",
"description": "Content of a web page could be designed to exploit vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
@@ -19,26 +11,34 @@
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059",
"source_name": "mitre-mobile-attack",
"external_id": "MOB-T1059"
},
{
"external_id": "CEL-22",
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"external_id": "CEL-22"
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.822Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
]
],
"id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"modified": "2018-04-13T17:05:30.756Z",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--0eb47f37-3e78-406d-82c7-9083860f4204",
"spec_version": "2.0"
}