adpare
113 lines
7.0 KiB
JSON
113 lines
7.0 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--b5780cae-f74b-4ea1-9021-e85bed8f7c25",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "x-mitre-analytic",
|
|
"id": "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1",
|
|
"created": "2025-10-21T15:10:28.402Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1817",
|
|
"external_id": "AN1817"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2026-03-18T16:25:11.215Z",
|
|
"name": "Analytic 1817",
|
|
"description": "The defender correlates repeated retrieval and outbound submission activity from a supervised device or managed iOS app to the same legitimate public web-service class where the two-way exchange does not fit the bundle's approved role or expected background-refresh model. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, storage, messaging, social, or generic HTTPS platforms where inbound content fetches are followed by outbound writes, uploads, updates, or message submissions within a short window, especially when occurring during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_version": "1.1",
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"x_mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"x_mitre_log_source_references": [
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
|
|
"name": "VPN:MobileProxy",
|
|
"channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
|
|
"name": "VPN:MobileProxy",
|
|
"channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
|
|
"name": "VPN:MobileProxy",
|
|
"channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
|
|
"name": "MobileEDR:telemetry",
|
|
"channel": "BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
|
|
"name": "iOS:MDMLog",
|
|
"channel": "Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
|
|
"name": "iOS:unifiedlog",
|
|
"channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform"
|
|
}
|
|
],
|
|
"x_mitre_mutable_elements": [
|
|
{
|
|
"field": "TimeWindow",
|
|
"description": "Correlation window between retrieval and outbound write over the same public web-service class."
|
|
},
|
|
{
|
|
"field": "SupervisedRequired",
|
|
"description": "Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices."
|
|
},
|
|
{
|
|
"field": "AllowedManagedApps",
|
|
"description": "Approved managed bundle identities vary by organization and device profile."
|
|
},
|
|
{
|
|
"field": "AllowedServiceClasses",
|
|
"description": "Some managed apps legitimately perform bidirectional exchanges with collaboration, storage, or messaging services."
|
|
},
|
|
{
|
|
"field": "AllowedReadWriteMappings",
|
|
"description": "Defines which bundles are expected to both retrieve and submit content to a given public service class."
|
|
},
|
|
{
|
|
"field": "BackgroundRefreshBaseline",
|
|
"description": "Expected background read/write network behavior differs across managed app categories."
|
|
},
|
|
{
|
|
"field": "RecentUserInteractionWindow",
|
|
"description": "Defines how close the bidirectional exchange must be to user activity to be considered expected."
|
|
},
|
|
{
|
|
"field": "BeaconIntervalTolerance",
|
|
"description": "Allowed recurrence interval for repeated bidirectional exchanges varies by bundle type."
|
|
}
|
|
]
|
|
}
|
|
]
|
|
} |