cti/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json

{
    "type": "bundle",
    "id": "bundle--871fb028-41ef-4da6-87cc-56196564861a",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
            "created": "2017-10-25T14:48:18.583Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1399",
                    "external_id": "T1399"
                },
                {
                    "source_name": "Apple-iOSSecurityGuide",
                    "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
                    "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf"
                },
                {
                    "source_name": "Roth-Rootkits",
                    "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.",
                    "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf"
                },
                {
                    "source_name": "NIST Mobile Threat Catalogue",
                    "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
                    "external_id": "APP-27"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:49:35.592Z",
            "name": "Modify Trusted Execution Environment",
            "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "defense-evasion"
                },
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "persistence"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": true,
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ]
        }
    ]
}