adpare
86 lines
4.6 KiB
JSON
86 lines
4.6 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--68b9572e-de87-4982-ac90-2bb20aaf709a",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "x-mitre-analytic",
|
|
"id": "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c",
|
|
"created": "2025-10-21T15:10:28.402Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1762",
|
|
"external_id": "AN1762"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2026-04-06T15:51:25.896Z",
|
|
"name": "Analytic 1762",
|
|
"description": "An application generates, imports, or accesses asymmetric keypairs (e.g., RSA/ECC), uses a public key to encrypt outbound data or establish encrypted sessions, and transmits resulting ciphertext in structured communication patterns. Detection correlates keypair lifecycle activity + asymmetric crypto API usage + data transformation + background execution context + network transmission, especially when inconsistent with expected application functionality.",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_version": "1.1",
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"x_mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"x_mitre_log_source_references": [
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
|
|
"name": "android:MDMLog",
|
|
"channel": "App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior"
|
|
}
|
|
],
|
|
"x_mitre_mutable_elements": [
|
|
{
|
|
"field": "TimeWindow",
|
|
"description": "Correlation window between keypair usage and outbound communication"
|
|
},
|
|
{
|
|
"field": "AllowedCryptoApps",
|
|
"description": "Apps expected to use asymmetric cryptography (e.g., secure messaging, VPN, enterprise auth apps)"
|
|
},
|
|
{
|
|
"field": "ForegroundStateRequired",
|
|
"description": "Whether key generation/encryption should occur only during user interaction"
|
|
},
|
|
{
|
|
"field": "KeyGenerationThreshold",
|
|
"description": "Frequency of keypair generation/import events considered anomalous"
|
|
},
|
|
{
|
|
"field": "PayloadSizeVariance",
|
|
"description": "Expected variability in payload sizes due to asymmetric encryption overhead"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
} |