
{
"type": "bundle",
"id": "bundle--da463e07-d644-4acf-b363-27aebbd7aeb9",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1733",
"external_id": "AN1733"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2026-04-24T20:30:22.993Z",
"name": "Analytic 1733",
"description": "Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "1.1",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_platforms": [
"iOS"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
"name": "Application Vetting",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
"name": "User Interface",
"channel": "None"
}
],
"x_mitre_mutable_elements": [
{
"field": "TimeWindow",
"description": "Correlation window between artifact disappearance, posture change, and continued activity"
},
{
"field": "ArtifactTypeSet",
"description": "Host artifacts and state indicators monitored for suspicious removal, alteration, or disappearance"
},
{
"field": "ExpectedTelemetrySources",
"description": "Baseline sources expected to continue exposing artifact presence or compromise-relevant state"
},
{
"field": "TelemetryGapThreshold",
"description": "Threshold defining abnormal loss of artifact visibility or managed-state continuity"
},
{
"field": "ExpectedManagementChanges",
"description": "Known legitimate posture or inventory changes that may remove or update artifacts"
},
{
"field": "UplinkBytesThreshold",
"description": "Outbound traffic threshold used to confirm meaningful continued activity after indicator removal"
}
]
}
]
}