{
"type": "bundle",
"id": "bundle--71a970e3-09f0-469c-8466-36d076999670",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_domains": [
"mobile-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad",
"created": "2022-03-30T17:53:35.582Z",
"x_mitre_version": "1.0",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1633.001",
"url": "https://attack.mitre.org/techniques/T1633/001"
}
],
"x_mitre_deprecated": false,
"revoked": false,
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.\n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters\u2019 addresses, CPU core count, and available memory/drive size.\n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence indicative of a virtual environment. Adversaries may also query for specific readings from these devices, since emulators commonly return absent, constant, or otherwise implausible sensor values.",
"modified": "2022-04-21T17:34:12.113Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "System Checks",
"x_mitre_detection": "Application vetting services could look for applications attempting to access `android.os.SystemProperties` or to invoke `getprop` through `Runtime.exec()`. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications. Note that this heuristic is Android-specific and produces no signal for the iOS platform also listed for this technique, and it does not cover the other checks described above (network-adapter addresses, CPU core count, memory/drive size, or sensor readings), so it should be treated as one indicator among several rather than a complete detection.",
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
}
],
"x_mitre_is_subtechnique": true,
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}