Charissa Miller
59 lines
3.9 KiB
JSON
59 lines
3.9 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--50f238ba-0c45-42b7-bc81-90310b4c799a",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"x_mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"x_mitre_domains": [
|
|
"mobile-attack"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"created": "2017-10-25T14:48:14.460Z",
|
|
"x_mitre_version": "1.3",
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"external_id": "T1407",
|
|
"url": "https://attack.mitre.org/techniques/T1407"
|
|
},
|
|
{
|
|
"source_name": "FireEye-JSPatch",
|
|
"url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html",
|
|
"description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016."
|
|
},
|
|
{
|
|
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
|
|
"source_name": "NIST Mobile Threat Catalogue",
|
|
"external_id": "APP-20"
|
|
}
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"revoked": false,
|
|
"description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ",
|
|
"modified": "2022-04-06T12:26:31.735Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"name": "Download New Code at Runtime",
|
|
"x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-mobile-attack",
|
|
"phase_name": "defense-evasion"
|
|
}
|
|
],
|
|
"x_mitre_is_subtechnique": false,
|
|
"x_mitre_tactic_type": [
|
|
"Post-Adversary Device Access"
|
|
],
|
|
"x_mitre_attack_spec_version": "2.1.0",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
|
|
}
|
|
]
|
|
} |