cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106.json

{
    "type": "bundle",
    "id": "bundle--d12e6d38-b939-4e2f-9d19-4a6c2eb22787",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0613#AN1668",
                    "external_id": "AN1668"
                },
                {
                    "source_name": "unit42_strat_aged_domain_det",
                    "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.",
                    "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"
                },
                {
                    "source_name": "Data Driven Security DGA",
                    "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
                    "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-21T15:10:28.402Z",
            "name": "Analytic 1668",
            "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "iOS"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
                    "name": "Application Vetting",
                    "channel": "None"
                }
            ],
            "x_mitre_deprecated": false
        }
    ]
}