{
"type": "bundle",
"id": "bundle--356e2a4d-9c18-4fb5-9053-09f9974ce7a2",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0598#AN1644",
"external_id": "AN1644"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2026-04-24T20:30:18.846Z",
"name": "Analytic 1644",
"description": "Correlates three signals: (1) an application obtaining or maintaining an elevated control mechanism capable of resisting removal (device administrator, accessibility service, or device/profile owner posture); (2) user navigation into an uninstall or application-management flow; and (3) an immediate UI redirection, injected back-navigation, modal dismissal, or failed uninstall followed by continued presence of the same package. The defender observes a causal chain in which a removal attempt is actively disrupted and the target application remains installed. Because legitimate management agents and accessibility services also hold these roles and may invoke global actions (see ProtectedRoleSet and AllowedAccessibilityApps), the correlation should require that the interfering package is the one targeted for removal and that the interference falls within the configured TimeWindow.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "1.1",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
"name": "android:MDMLog",
"channel": "application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
"name": "android:MDMLog",
"channel": "application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"name": "MobileEDR:telemetry",
"channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground"
}
],
"x_mitre_mutable_elements": [
{
"field": "TimeWindow",
"description": "Correlation window between uninstall UI entry, interference event, and continued install state"
},
{
"field": "ProtectedRoleSet",
"description": "Set of elevated roles considered removal-resistant (device admin, owner modes, accessibility)"
},
{
"field": "GlobalActionSet",
"description": "UI actions considered suspicious during uninstall flows (BACK, HOME, RECENTS)"
},
{
"field": "AllowedAccessibilityApps",
"description": "Known legitimate accessibility services expected to use global actions"
},
{
"field": "UninstallRetryThreshold",
"description": "Number of repeated uninstall attempts before escalation"
},
{
"field": "UplinkBytesThreshold",
"description": "Outbound (uplink) byte count above which the application is treated as still active after a failed removal; assumes the telemetry source reports per-application network usage, which should be confirmed for the deployed log sources"
}
]
}
]
} |