cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30.json

{
    "type": "bundle",
    "id": "bundle--f6fe9285-dfcc-4668-a6ef-932db7668847",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1675",
                    "external_id": "AN1675"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-03-17T20:48:31.295Z",
            "name": "Analytic 1675",
            "description": "The defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The behavior is strengthened when the initial request retrieves structured or encoded content followed by a pivot to a different domain or IP that was not previously contacted by the app, especially when occurring without user interaction, in background state, or immediately after app initialization or scheduled execution. This sequence reflects resolver retrieval followed by dynamic C2 resolution.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
                    "name": "VPN:MobileProxy",
                    "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
                    "name": "VPN:MobileProxy",
                    "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
                    "name": "VPN:MobileProxy",
                    "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
                    "name": "MobileEDR:telemetry",
                    "channel": "AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
                    "name": "MobileEDR:telemetry",
                    "channel": "LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "MobileEDR:telemetry",
                    "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "android:MDMLog",
                    "channel": "App initiating resolver\u2192pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Maximum allowed time between resolver retrieval and pivot connection (e.g., 5\u201360 seconds)."
                },
                {
                    "field": "NewDomainThreshold",
                    "description": "Defines what qualifies as a previously unseen or rare destination for the app or device."
                },
                {
                    "field": "AllowedServiceToDestinationMapping",
                    "description": "Legitimate mappings between apps and expected downstream services."
                },
                {
                    "field": "UserInteractionThreshold",
                    "description": "Defines acceptable delay between user interaction and network activity."
                },
                {
                    "field": "PayloadSizeThreshold",
                    "description": "Small resolver responses followed by larger pivot traffic can indicate extraction behavior."
                }
            ]
        }
    ]
}