cti/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json

{
    "type": "bundle",
    "id": "bundle--b8c26e6e-d1e0-4103-9085-ac664ec930d9",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
            "created": "2017-10-25T14:48:29.092Z",
            "x_mitre_version": "1.1",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1403",
                    "url": "https://attack.mitre.org/techniques/T1403"
                },
                {
                    "source_name": "Sabanal-ART",
                    "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf",
                    "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016."
                }
            ],
            "x_mitre_deprecated": true,
            "revoked": false,
            "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)",
            "modified": "2022-04-06T15:46:29.338Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Modify Cached Executable Code",
            "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "persistence"
                }
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}