cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d.json

{
    "type": "bundle",
    "id": "bundle--a6731169-7492-42fa-8237-7f64b1fae970",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1777",
                    "external_id": "AN1777"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-03-04T23:47:29.735Z",
            "name": "Analytic 1777",
            "description": "Defender correlates an application\u2019s location authorization level (When-In-Use vs Always) and entitlement posture with observed location sensor activity that occurs without proximate user interaction, including background updates, followed by periodic outbound network sessions aligned to location update timing\u2014suggesting covert or policy-violating location tracking.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "iOS"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "iOS:unifiedlog",
                    "channel": "Application activates CoreLocation services or CLLocationManager APIs"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "iOS:MDMLog",
                    "channel": "App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "ForegroundLocationExpectation",
                    "description": "Defines legitimate location usage relative to app state"
                },
                {
                    "field": "LocationAccessDurationThreshold",
                    "description": "Baseline deviation tolerance for sustained location tracking"
                },
                {
                    "field": "LocationToTransmissionWindow",
                    "description": "Temporal threshold linking location access to network activity"
                }
            ]
        }
    ]
}