test_scratch / cti-ATT-CK-v13.1 /mobile-attack /attack-pattern /attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json
{
"type": "bundle",
"id": "bundle--9b5ba1f9-1270-4ac9-8daa-1862b7d7053e",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Android"
],
"x_mitre_domains": [
"mobile-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08",
"created": "2022-04-11T20:05:56.069Z",
"x_mitre_version": "1.0",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1628.002",
"url": "https://attack.mitre.org/techniques/T1628/002"
}
],
"x_mitre_deprecated": false,
"revoked": false,
"description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.",
"modified": "2022-04-11T20:05:56.069Z",
"name": "User Evasion",
"x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
}
],
"x_mitre_is_subtechnique": true,
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"x_mitre_attack_spec_version": "2.1.0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}