test_scratch / cti-ATT-CK-v13.1 /mobile-attack /attack-pattern /attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json
{
"type": "bundle",
"id": "bundle--4ccbcc03-cd6f-4f9f-9509-0ac44b46efbf",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_domains": [
"mobile-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
"created": "2022-04-01T19:06:27.177Z",
"x_mitre_version": "1.0",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1437.001",
"url": "https://attack.mitre.org/techniques/T1437/001"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-29"
}
],
"x_mitre_deprecated": false,
"revoked": false,
"description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as for notification services native to mobile messaging services, such as Google Cloud Messaging (GCM) and, more recently, Firebase Cloud Messaging (FCM) (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order to blend in with routine device traffic, making it difficult for enterprises to inspect. ",
"modified": "2022-04-06T13:07:45.661Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Web Protocols",
"x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ",
"kill_chain_phases": [
{
"phase_name": "command-and-control",
"kill_chain_name": "mitre-mobile-attack"
}
],
"x_mitre_is_subtechnique": true,
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}