cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614.json

{
"type": "bundle",
"id": "bundle--bb7a6e15-1541-4b80-9824-4e30c692a6cd",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1830",
"external_id": "AN1830"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2026-04-09T17:09:39.997Z",
"name": "Analytic 1830",
"description": "The defender correlates creation of background scheduler activity with later execution of repeating or deferred work by the same managed app, then raises confidence when the triggered activity produces network, local-write, or other app behavior that occurs outside expected user context (for example, with no recent foreground use of the app). Because iOS exposes weaker direct scheduling observability in many enterprise environments (app sandboxing limits what a third-party agent can see of another app's scheduling calls), the analytic anchors first on managed app posture and lifecycle-to-network or lifecycle-to-file effects, with scheduler-related behavior treated as strongest when runtime telemetry can observe background scheduler usage or execution callbacks. Note that NSBackgroundActivityScheduler is a macOS Foundation API; on iOS the comparable deferred or repeating background work is requested through BGTaskScheduler (BGAppRefreshTask and BGProcessingTask), so telemetry for this platform should be mapped to those APIs.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "1.1",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_platforms": [
"iOS"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
"name": "MobileEDR:telemetry",
"channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"name": "MobileEDR:telemetry",
"channel": "Application creates or executes NSBackgroundActivityScheduler activity (or, on iOS, the equivalent BGTaskScheduler request) with repeating or deferred invocation semantics during the scheduling and trigger phases"
}
],
"x_mitre_mutable_elements": [
{
"field": "TimeWindow",
"description": "Correlation window between scheduler creation, later execution, and follow-on file or network behavior"
},
{
"field": "AllowedAppList",
"description": "Managed apps legitimately expected to perform background maintenance or deferred sync behavior"
},
{
"field": "AllowedExecutionIntervals",
"description": "Expected repeating interval or defer window for legitimate background activity"
},
{
"field": "ForegroundStateRequired",
"description": "Whether follow-on behavior from background scheduler execution is expected to be preceded by recent user interaction; when set, background-only activity with no recent foreground use is treated as more suspicious"
},
{
"field": "TriggerToNetworkWindow",
"description": "Maximum expected delay between scheduled execution and outbound communication"
},
{
"field": "UplinkBytesThreshold",
"description": "Minimum outbound volume after scheduled execution to treat network behavior as meaningful"
}
]
}
]
}