{
    "type": "bundle",
    "id": "bundle--77e44641-12d2-4fbb-a8e3-f12562460f88",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1824",
                    "external_id": "AN1824"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-03-16T15:56:09.700Z",
            "name": "Analytic 1824",
            "description": "A legitimate-seeming app or update arrives through an expected or trusted distribution path, but the delivered application begins showing new entitlement exercise, background activity, framework use, sensor access, or network behavior inconsistent with its prior baseline or documented role. Because direct inspection of compromised dependencies or developer tooling is weaker on iOS, the defender emphasizes supervised-device app inventory, post-update behavior drift, new first-run or background patterns, and downstream communications that suggest compromised embedded libraries or manipulated build outputs.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "iOS"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
                    "name": "iOS:MDMLog",
                    "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "iOS:MDMLog",
                    "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
                    "name": "MobileEDR:telemetry",
                    "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "MobileEDR:telemetry",
                    "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Maximum span between install/version change and first suspicious post-delivery behavior."
                },
                {
                    "field": "SupervisedOnly",
                    "description": "Whether the analytic should only apply to supervised devices with high-confidence managed app telemetry."
                },
                {
                    "field": "AllowedAppList",
                    "description": "Approved apps expected to change capabilities, services, or destinations because of legitimate releases."
                },
                {
                    "field": "AllowedVersionChangeWindow",
                    "description": "Grace period after an approved release during which limited behavior drift may be expected."
                },
                {
                    "field": "CapabilityDriftThreshold",
                    "description": "Threshold for how much entitlement or capability drift is tolerated for a known app."
                },
                {
                    "field": "SensorDriftThreshold",
                    "description": "Threshold for newly used sensors or privacy-sensitive resources tolerated for a known app."
                },
                {
                    "field": "ForegroundStateRequired",
                    "description": "Whether certain behaviors should only be treated as suspicious when they occur without visible user interaction."
                },
                {
                    "field": "RecentUserInteractionWindow",
                    "description": "Threshold for distinguishing autonomous post-update activity from normal user-driven first-run behavior."
                },
                {
                    "field": "DestinationAllowList",
                    "description": "Expected domains, telemetry services, or APIs associated with approved app updates and known SDK behavior."
                }
            ]
        }
    ]
}