adpare
75 lines
4.1 KiB
JSON
75 lines
4.1 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--3760e7eb-ddb0-4059-a6cd-6e0fa203fa72",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "x-mitre-analytic",
|
|
"id": "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184",
|
|
"created": "2025-10-21T15:10:28.402Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1737",
|
|
"external_id": "AN1737"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2026-04-13T18:45:30.914Z",
|
|
"name": "Analytic 1737",
|
|
"description": "Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs.",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_version": "1.1",
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"x_mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"x_mitre_log_source_references": [
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
|
|
"name": "android:MDMLog",
|
|
"channel": "application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed"
|
|
}
|
|
],
|
|
"x_mitre_mutable_elements": [
|
|
{
|
|
"field": "TimeWindow",
|
|
"description": "Correlation window between environment checks and subsequent guarded execution"
|
|
},
|
|
{
|
|
"field": "TargetAttributeSet",
|
|
"description": "Environment attributes treated as likely guardrail inputs, such as locale, geolocation, carrier, Wi-Fi identity, device model, or lock state"
|
|
},
|
|
{
|
|
"field": "DormancyThreshold",
|
|
"description": "Amount of suppressed or low-activity runtime before sensitive behavior begins"
|
|
},
|
|
{
|
|
"field": "AllowedAppList",
|
|
"description": "Baseline of legitimate apps expected to evaluate environment attributes before conditional feature activation"
|
|
},
|
|
{
|
|
"field": "ForegroundStateRequired",
|
|
"description": "Whether guarded execution is only suspicious when activated from background or without recent user interaction"
|
|
},
|
|
{
|
|
"field": "UplinkBytesThreshold",
|
|
"description": "Minimum outbound traffic volume used to distinguish meaningful guarded execution from benign telemetry"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
} |