several Techniques in other matrices such as MOBILE are missing the 'x_mitre_is_subtechnique' key
Hello CTI team,
I was looking at enhancing a few functions in a library I created named attackcti. I wanted to enable a new parameter/argument that would allow me to retrieve attack-pattern objects and filter them at query time (STIX Filter) with the filter Filter('x_mitre_is_subtechnique', '=', False) or Filter('x_mitre_is_subtechnique', '=', True).
I noticed this piece of code in your USAGE docs: https://github.com/mitre/cti/blob/master/USAGE.md#getting-techniques-or-sub-techniques
I tested it with other matrices besides ENTERPRISE, and it seems that some techniques are missing the x_mitre_is_subtechnique. This is of course not helping the stix filters I showed above. For example, I have a basic function that retrieves all techniques from MOBILE. If I check the keys of each stix object, I can see that several of them do not have it as shown before:
```python
>>> t = lift.get_mobile_techniques()
>>> t = lift.remove_revoked(t)
>>>
>>> for x in t:
...     if 'x_mitre_is_subtechnique' not in x.keys():
...         print(x['name'], '-', x['id'])
...
Data from Local System - attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a
Data Encrypted - attack-pattern--e3b936a4-6321-4172-9114-038a866362ec
Evade Analysis Environment - attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b
Standard Cryptographic Protocol - attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84
Domain Generation Algorithms - attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de
Capture Camera - attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6
Uncommonly Used Port - attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5
Clipboard Modification - attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb
Network Information Discovery - attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2
Web Service - attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380
Deliver Malicious App via Other Means - attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7
Deliver Malicious App via Authorized App Store - attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a
Exploit via Radio Interfaces - attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5
Install Insecure or Malicious Configuration - attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2
Process Discovery - attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19
System Network Connections Discovery - attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb
Standard Application Layer Protocol - attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673
Obfuscated Files or Information - attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a
Modify OS Kernel or Boot Partition - attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5
Modify System Partition - attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0
Abuse Device Administrator Access to Prevent Removal - attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483
Exploit OS Vulnerability - attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172
Modify Cached Executable Code - attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6
Application Discovery - attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2
Alternate Network Mediums - attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a
Network Service Scanning - attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790
Eavesdrop on Insecure Network Communication - attack-pattern--393e8c12-a416-4575-ba90-19cc85656796
Jamming or Denial of Service - attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d
Manipulate Device Communication - attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63
Lockscreen Bypass - attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd
Exploit via Charging Station or PC - attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d
Exploit TEE Vulnerability - attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884
Rogue Cellular Base Station - attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed
File and Directory Discovery - attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848
Downgrade to Insecure Protocols - attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34
Rogue Wi-Fi Access Points - attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3
Remotely Track Device Without Authorization - attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a
Access Calendar Entries - attack-pattern--62adb627-f647-498e-b4cc-41499361bacb
SIM Card Swap - attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5
Capture Clipboard Data - attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692
Generate Fraudulent Advertising Revenue - attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf
Modify Trusted Execution Environment - attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468
Obtain Device Cloud Backups - attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d
Device Lockout - attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1
Access Sensitive Data in Device Logs - attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3
Commonly Used Port - attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad
Capture SMS Messages - attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060
Access Stored Application Data - attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160
Network Traffic Capture or Redirection - attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9
Download New Code at Runtime - attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6
Disguise Root/Jailbreak Indicators - attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6
Attack PC via USB Connection - attack-pattern--a0464539-e1b7-4455-a355-12495987c300
Exploit Enterprise Resources - attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d
Capture Audio - attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760
Location Tracking - attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4
Access Contact List - attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce
Access Call Log - attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44
Data Encrypted for Impact - attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4
Exploit SS7 to Track Device Location - attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5
Remotely Wipe Data Without Authorization - attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067
Manipulate App Store Rankings or Ratings - attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69
Drive-by Compromise - attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57
Exploit SS7 to Redirect Phone Calls/SMS - attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d
```
This affects when I try to do something similar to what was done here: https://github.com/mitre/cti/blob/master/USAGE.md#getting-techniques-or-sub-techniques
This is what it looks like:
```python
>>> t = lift.get_mobile_techniques()
>>> len(t)
104
>>> t = lift.remove_revoked(t)
>>> len(t)
87
>>> t = lift.get_mobile_techniques(level='techniques')
>>> len(t)
24
>>> t = lift.remove_revoked(t)
>>> len(t)
24
>>> t = lift.get_mobile_techniques(level='subtechniques')
>>> len(t)
0
>>>
```
That means that 24 out of the 87 technique objects have the x_mitre_is_subtechnique property/key. The others do not. I do not know if it is supposed to be like that by design. For example, we have one technique in ENTERPRISE and MOBILE, but only one has the x_mitre_is_subtechnique key:
ENTERPRISE: https://github.com/mitre/cti/blob/master/enterprise-attack/attack-pattern/attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5.json
MOBILE: https://github.com/mitre/cti/blob/253622f36393e4aa012725f0ce428dcd275f5d20/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json
Thank you in advance!
Roberto Rodriguez
Hi @Cyb3rWard0g,
Mobile and ICS ATT&CK don't include sub-techniques at all, so the x_mitre_is_subtechnique field isn't currently part of their data model. As noted in the USAGE document, that's an enterprise-only field. If/when sub-techniques are added to those domains x_mitre_is_subtechnique will be added as well.
In the case of Data from Local System, the enterprise and mobile instances are actually different techniques. They share a name, but their STIX IDs and ATT&CK IDs, description, etc. are different. They also follow the data model for Enterprise and Mobile respectively, e.g. the mobile instance includes x_mitre_tactic_type (a mobile-only field) and the enterprise instance includes x_mitre_system_requirements (an enterprise-only field).
For techniques, "cross-domain" objects like Data from Local System aren't truly cross domain. The instances are simply duplicated due to data model and scope differences. However, other types of objects such as groups don't have the same design, for instance Dark Caracal is the same object (same STIX ID and ATT&CK ID) for both domains [1, 2]. Another way to look at it is that there are two pages for Data from Local System on attack.mitre.org [1, 2], but only 1 for Dark Caracal [1].
All that is to say, since Mobile and ICS don't have sub-techniques, you shouldn't need to filter based on the presence of an x_mitre_is_subtechnique field. If/when those domains get sub-techniques we'll certainly make plenty of noise to alert the community beforehand, similar to our (Enterprise) sub-techniques beta this past April.
Anyway, with regards to the mobile techniques which do have the x_mitre_is_subtechnique property... my guess is they're techniques which were created after we changed the enterprise data model? I'll look more into this later, that field shouldn't be there according to my understanding of our internal infrastructure.
Techniques with x_mitre_is_subtechnique
| name | created | modified | STIX ID |
|---|---|---|---|
| SMS Control | 2020-09-11 15:14:33.730000+00:00 | 2020-10-22 17:04:15.578000+00:00 | attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b |
| Geofencing | 2020-09-11 15:04:14.532000+00:00 | 2020-10-01 12:43:41.494000+00:00 | attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31 |
| Keychain | 2020-06-24 17:33:49.778000+00:00 | 2020-06-24 19:02:46.237000+00:00 | attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38 |
| Compromise Application Executable | 2020-05-07 15:24:49.068000+00:00 | 2020-05-27 13:23:34.159000+00:00 | attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c |
| Uninstall Malicious Application | 2020-05-04 13:49:34.706000+00:00 | 2020-05-26 18:05:37.393000+00:00 | attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5 |
| Native Code | 2020-04-28 14:35:37.309000+00:00 | 2020-04-28 18:34:15.373000+00:00 | attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb |
| Remote File Copy | 2020-01-21 15:27:30.182000+00:00 | 2020-01-21 15:27:30.182000+00:00 | attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8 |
| Foreground Persistence | 2019-11-19 17:32:20.373000+00:00 | 2019-12-26 16:14:33.302000+00:00 | attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e |
| Code Injection | 2019-10-30 15:37:55.029000+00:00 | 2020-03-29 04:07:06.663000+00:00 | attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa |
| Input Injection | 2019-09-15 15:26:22.356000+00:00 | 2020-06-24 15:02:13.323000+00:00 | attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62 |
| Access Notifications | 2019-09-15 15:26:08.183000+00:00 | 2020-07-09 14:07:02.217000+00:00 | attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2 |
| Screen Capture | 2019-08-08 18:34:14.178000+00:00 | 2020-06-24 15:03:25.857000+00:00 | attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e |
| Suppress Application Icon | 2019-07-11 18:09:42.039000+00:00 | 2019-11-14 18:03:26.460000+00:00 | attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2 |
| Supply Chain Compromise | 2018-10-17 00:14:20.652000+00:00 | 2020-10-19 18:06:09.010000+00:00 | attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad |
| Masquerade as Legitimate Application | 2017-10-25 14:48:35.247000+00:00 | 2020-04-08 15:19:56.147000+00:00 | attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f |
| Input Prompt | 2017-10-25 14:48:34.407000+00:00 | 2020-06-24 15:04:20.321000+00:00 | attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2 |
| System Network Configuration Discovery | 2017-10-25 14:48:32.740000+00:00 | 2020-06-02 14:35:01.479000+00:00 | attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd |
| URI Hijacking | 2017-10-25 14:48:32.008000+00:00 | 2020-10-01 12:42:21.628000+00:00 | attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58 |
| Delete Device Data | 2017-10-25 14:48:31.694000+00:00 | 2020-10-01 12:52:58.150000+00:00 | attack-pattern--8e27551a-5080-4148-a584-c64348212e4f |
| Broadcast Receivers | 2017-10-25 14:48:30.127000+00:00 | 2020-03-27 15:28:03.858000+00:00 | attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69 |
| Input Capture | 2017-10-25 14:48:27.660000+00:00 | 2020-06-24 15:09:12.483000+00:00 | attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad |
| System Information Discovery | 2017-10-25 14:48:19.265000+00:00 | 2019-11-20 19:56:49.109000+00:00 | attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77 |
| Carrier Billing Fraud | 2017-10-25 14:48:09.082000+00:00 | 2020-05-04 15:40:20.943000+00:00 | attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274 |
| Abuse Accessibility Features | 2017-10-25 14:48:08.613000+00:00 | 2020-03-30 14:03:43.761000+00:00 | attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a |
These techniques were likely all modified after we implemented the sub-techniques data model internally (I'd have to dig up the exact date for the deployment, but it looks about right).
Techniques without x_mitre_is_subtechnique
| name | created | modified | STIX ID |
|---|---|---|---|
| Data from Local System | 2019-10-10 15:12:42.790000+00:00 | 2019-10-11 14:53:38.987000+00:00 | attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a |
| Data Encrypted | 2019-10-10 15:00:44.181000+00:00 | 2019-10-10 15:00:44.181000+00:00 | attack-pattern--e3b936a4-6321-4172-9114-038a866362ec |
| Evade Analysis Environment | 2019-10-02 14:46:43.632000+00:00 | 2019-10-11 14:48:50.525000+00:00 | attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b |
| Standard Cryptographic Protocol | 2019-10-01 14:18:47.762000+00:00 | 2019-10-01 14:18:47.762000+00:00 | attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84 |
| Domain Generation Algorithms | 2019-09-23 13:11:43.694000+00:00 | 2019-09-23 14:53:42.654000+00:00 | attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de |
| Capture Camera | 2019-08-09 16:14:58.254000+00:00 | 2019-09-12 18:33:15.023000+00:00 | attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6 |
| Uncommonly Used Port | 2019-08-01 13:44:09.368000+00:00 | 2019-09-11 13:27:50.344000+00:00 | attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5 |
| Clipboard Modification | 2019-07-26 14:15:31.451000+00:00 | 2019-10-28 18:36:26.261000+00:00 | attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb |
| Network Information Discovery | 2019-07-10 15:18:16.753000+00:00 | 2019-07-10 15:18:16.753000+00:00 | attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2 |
| Web Service | 2019-02-01 17:29:43.503000+00:00 | 2019-02-01 17:29:43.503000+00:00 | attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380 |
| Deliver Malicious App via Other Means | 2018-10-17 00:14:20.652000+00:00 | 2019-10-28 18:33:12.646000+00:00 | attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7 |
| Deliver Malicious App via Authorized App Store | 2018-10-17 00:14:20.652000+00:00 | 2019-10-14 17:42:49.817000+00:00 | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a |
| Exploit via Radio Interfaces | 2018-10-17 00:14:20.652000+00:00 | 2019-02-03 15:19:22.439000+00:00 | attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5 |
| Install Insecure or Malicious Configuration | 2018-10-17 00:14:20.652000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2 |
| Remotely Install Application | 2017-10-25 14:48:34.830000+00:00 | 2018-10-17 01:05:10.701000+00:00 | attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16 |
| Process Discovery | 2017-10-25 14:48:33.926000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19 |
| System Network Connections Discovery | 2017-10-25 14:48:33.574000+00:00 | 2019-02-01 19:34:17.460000+00:00 | attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb |
| Standard Application Layer Protocol | 2017-10-25 14:48:33.158000+00:00 | 2019-02-03 14:52:45.266000+00:00 | attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673 |
| Obfuscated Files or Information | 2017-10-25 14:48:32.328000+00:00 | 2019-09-23 13:26:01.263000+00:00 | attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a |
| Modify OS Kernel or Boot Partition | 2017-10-25 14:48:31.294000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5 |
| Modify System Partition | 2017-10-25 14:48:30.890000+00:00 | 2019-09-04 13:35:57.549000+00:00 | attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0 |
| Insecure Third-Party Libraries | 2017-10-25 14:48:30.462000+00:00 | 2018-10-17 01:05:10.699000+00:00 | attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799 |
| Abuse Device Administrator Access to Prevent Removal | 2017-10-25 14:48:29.774000+00:00 | 2019-02-03 16:56:41.200000+00:00 | attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483 |
| Exploit OS Vulnerability | 2017-10-25 14:48:29.405000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172 |
| Modify Cached Executable Code | 2017-10-25 14:48:29.092000+00:00 | 2019-10-09 19:39:32.872000+00:00 | attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6 |
| Fake Developer Accounts | 2017-10-25 14:48:28.786000+00:00 | 2018-10-17 01:05:10.701000+00:00 | attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9 |
| Device Type Discovery | 2017-10-25 14:48:28.456000+00:00 | 2019-10-16 13:24:48.936000+00:00 | attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05 |
| Application Discovery | 2017-10-25 14:48:28.067000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2 |
| Alternate Network Mediums | 2017-10-25 14:48:27.307000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a |
| Network Service Scanning | 2017-10-25 14:48:26.890000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790 |
| Detect App Analysis Environment | 2017-10-25 14:48:26.473000+00:00 | 2018-10-17 01:05:10.700000+00:00 | attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b |
| Eavesdrop on Insecure Network Communication | 2017-10-25 14:48:26.104000+00:00 | 2019-02-03 14:54:29.631000+00:00 | attack-pattern--393e8c12-a416-4575-ba90-19cc85656796 |
| Jamming or Denial of Service | 2017-10-25 14:48:25.740000+00:00 | 2019-02-03 14:15:21.946000+00:00 | attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d |
| Manipulate Device Communication | 2017-10-25 14:48:25.322000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63 |
| Malicious Software Development Tools | 2017-10-25 14:48:24.905000+00:00 | 2018-10-17 01:05:10.704000+00:00 | attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc |
| Lockscreen Bypass | 2017-10-25 14:48:24.488000+00:00 | 2019-02-03 17:08:07.111000+00:00 | attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd |
| Biometric Spoofing | 2017-10-25 14:48:24.069000+00:00 | 2018-10-17 01:05:10.703000+00:00 | attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09 |
| Device Unlock Code Guessing or Brute Force | 2017-10-25 14:48:23.652000+00:00 | 2018-10-17 01:05:10.703000+00:00 | attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a |
| Exploit via Charging Station or PC | 2017-10-25 14:48:23.233000+00:00 | 2019-02-03 15:10:41.460000+00:00 | attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d |
| Exploit TEE Vulnerability | 2017-10-25 14:48:22.716000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884 |
| Rogue Cellular Base Station | 2017-10-25 14:48:22.296000+00:00 | 2019-02-03 15:17:11.346000+00:00 | attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed |
| File and Directory Discovery | 2017-10-25 14:48:21.965000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848 |
| Downgrade to Insecure Protocols | 2017-10-25 14:48:21.667000+00:00 | 2019-02-03 15:16:13.386000+00:00 | attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34 |
| Rogue Wi-Fi Access Points | 2017-10-25 14:48:21.354000+00:00 | 2019-02-03 15:15:18.023000+00:00 | attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3 |
| Remotely Track Device Without Authorization | 2017-10-25 14:48:21.023000+00:00 | 2019-02-03 14:16:59.424000+00:00 | attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a |
| Access Calendar Entries | 2017-10-25 14:48:20.727000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--62adb627-f647-498e-b4cc-41499361bacb |
| SIM Card Swap | 2017-10-25 14:48:20.329000+00:00 | 2019-02-03 14:13:24.168000+00:00 | attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5 |
| Capture Clipboard Data | 2017-10-25 14:48:19.996000+00:00 | 2019-09-13 20:46:26.223000+00:00 | attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692 |
| Malicious Media Content | 2017-10-25 14:48:19.682000+00:00 | 2018-10-17 01:05:10.703000+00:00 | attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431 |
| Generate Fraudulent Advertising Revenue | 2017-10-25 14:48:18.937000+00:00 | 2019-07-03 20:21:22.168000+00:00 | attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf |
| Modify Trusted Execution Environment | 2017-10-25 14:48:18.583000+00:00 | 2019-02-03 14:23:10.576000+00:00 | attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468 |
| Obtain Device Cloud Backups | 2017-10-25 14:48:18.237000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d |
| Device Lockout | 2017-10-25 14:48:17.886000+00:00 | 2019-10-09 14:39:38.930000+00:00 | attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1 |
| URL Scheme Hijacking | 2017-10-25 14:48:17.533000+00:00 | 2020-10-23 15:05:40.674000+00:00 | attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e |
| Access Sensitive Data in Device Logs | 2017-10-25 14:48:17.176000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3 |
| Commonly Used Port | 2017-10-25 14:48:16.650000+00:00 | 2019-06-19 19:25:33.180000+00:00 | attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad |
| Abuse of iOS Enterprise App Signing Key | 2017-10-25 14:48:16.288000+00:00 | 2018-10-17 01:05:10.701000+00:00 | attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac |
| Capture SMS Messages | 2017-10-25 14:48:15.920000+00:00 | 2019-09-18 18:28:50.898000+00:00 | attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060 |
| Access Stored Application Data | 2017-10-25 14:48:15.402000+00:00 | 2019-10-10 14:17:48.920000+00:00 | attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160 |
| Network Traffic Capture or Redirection | 2017-10-25 14:48:14.982000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9 |
| Download New Code at Runtime | 2017-10-25 14:48:14.460000+00:00 | 2019-10-09 19:40:52.090000+00:00 | attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6 |
| Disguise Root/Jailbreak Indicators | 2017-10-25 14:48:14.003000+00:00 | 2019-02-03 14:34:59.071000+00:00 | attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6 |
| Attack PC via USB Connection | 2017-10-25 14:48:13.625000+00:00 | 2019-02-03 14:51:19.932000+00:00 | attack-pattern--a0464539-e1b7-4455-a355-12495987c300 |
| Exploit Enterprise Resources | 2017-10-25 14:48:13.259000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d |
| Capture Audio | 2017-10-25 14:48:12.913000+00:00 | 2019-09-20 17:59:11.041000+00:00 | attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760 |
| Location Tracking | 2017-10-25 14:48:12.267000+00:00 | 2019-10-15 20:01:06.186000+00:00 | attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4 |
| App Delivered via Web Download | 2017-10-25 14:48:11.861000+00:00 | 2018-10-17 01:05:10.699000+00:00 | attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2 |
| Access Contact List | 2017-10-25 14:48:11.535000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce |
| Access Call Log | 2017-10-25 14:48:11.116000+00:00 | 2019-09-18 18:17:43.466000+00:00 | attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44 |
| App Delivered via Email Attachment | 2017-10-25 14:48:10.699000+00:00 | 2018-10-17 01:05:10.699000+00:00 | attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2 |
| Data Encrypted for Impact | 2017-10-25 14:48:10.285000+00:00 | 2019-10-01 13:51:22.001000+00:00 | attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4 |
| Exploit SS7 to Track Device Location | 2017-10-25 14:48:09.864000+00:00 | 2019-02-03 15:06:10.014000+00:00 | attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5 |
| Malicious or Vulnerable Built-in Device Functionality | 2017-10-25 14:48:09.446000+00:00 | 2018-10-17 01:05:10.704000+00:00 | attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df |
| Malicious SMS Message | 2017-10-25 14:48:08.155000+00:00 | 2019-04-29 19:35:30.985000+00:00 | attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d |
| Remotely Wipe Data Without Authorization | 2017-10-25 14:48:07.827000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067 |
| Manipulate App Store Rankings or Ratings | 2017-10-25 14:48:07.460000+00:00 | 2019-07-03 20:25:59.845000+00:00 | attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69 |
| Exploit Baseband Vulnerability | 2017-10-25 14:48:07.149000+00:00 | 2018-10-17 01:05:10.702000+00:00 | attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f |
| Drive-by Compromise | 2017-10-25 14:48:06.822000+00:00 | 2018-10-17 00:14:20.652000+00:00 | attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57 |
| Exploit SS7 to Redirect Phone Calls/SMS | 2017-10-25 14:48:06.524000+00:00 | 2019-02-03 16:28:52.821000+00:00 | attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d |
| Stolen Developer Credentials or Signing Keys | 2017-10-25 14:48:05.928000+00:00 | 2018-10-17 01:05:10.700000+00:00 | attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881 |
These were all modified most recently in 2019, likely before we implemented the data model change. So my suspicion is that saving a technique in our internal editor will cause mobile techniques to gain the x_mitre_is_subtechnique field even though it isn't technically part of their data model. ICS doesn't use the same editing application so it isn't vulnerable to the same bug.
Thank you so much for all the details! It also helps me to improve my troubleshooting skills 😉
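A worked example of the filtering problem this thread is about, added here; it is not part of the original issue, the mitre/cti repository or the attackcti library. It runs over constructed attack-pattern objects (made-up names and IDs in the shape of the bundles), first reproduces the behaviour observed above (a query-time equality filter on x_mitre_is_subtechnique never matches an object that lacks the property, so Mobile objects vanish from both the `= True` and the `= False` result; that this is how the real stix2 Filter treats absent properties is an assumption here, inferred from the 24-of-87 counts, not stated on the page), and then classifies techniques versus sub-techniques domain-independently: the flag when present, otherwise the ATT&CK ID shape (T1234 for a technique, T1234.001 for a sub-technique). The helper names, the `source_name` values accepted, and the handling of `revoked`/`x_mitre_deprecated` objects are my own choices, not attackcti's.

```python
"""Added example: domain-aware technique / sub-technique filtering for
ATT&CK STIX attack-pattern objects that may lack x_mitre_is_subtechnique.
All objects below are constructed samples, not copies of real bundles."""
import re

# ATT&CK ID shapes (assumed stable): technique T1234, sub-technique T1234.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")
# external_references source names that carry an ATT&CK ID (assumed set).
ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-ics-attack"}


def _obj(n, name, external_id, source, **extra):
    """Build a minimal constructed attack-pattern dict for the demo."""
    o = {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}",
        "name": name,
        "external_references": [{"source_name": source, "external_id": external_id}],
    }
    o.update(extra)
    return o


# Constructed sample objects covering the cases discussed in the thread.
SAMPLE_OBJECTS = [
    _obj(1, "Enterprise Technique", "T1000", "mitre-attack", x_mitre_is_subtechnique=False),
    _obj(2, "Enterprise Sub-technique", "T1000.001", "mitre-attack", x_mitre_is_subtechnique=True),
    _obj(3, "Mobile Technique (no flag)", "T1400", "mitre-mobile-attack"),
    _obj(4, "Mobile Technique (flag present)", "T1401", "mitre-mobile-attack",
         x_mitre_is_subtechnique=False),
    _obj(5, "Revoked Mobile Technique", "T1402", "mitre-mobile-attack", revoked=True),
    _obj(6, "Deprecated Enterprise Technique", "T1001", "mitre-attack",
         x_mitre_is_subtechnique=False, x_mitre_deprecated=True),
]


def missing_flag(objects):
    """The check from the issue: objects that carry no x_mitre_is_subtechnique key."""
    return [o for o in objects if "x_mitre_is_subtechnique" not in o]


def strict_filter(objects, value):
    """Equality filter on the property, as a query-time STIX Filter is assumed to
    behave: an object without the property matches neither True nor False, which
    is why Mobile objects disappear from both result sets."""
    return [o for o in objects
            if "x_mitre_is_subtechnique" in o and o["x_mitre_is_subtechnique"] == value]


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1400) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES:
            return ref.get("external_id")
    return None


def is_subtechnique(obj):
    """Prefer the explicit flag; fall back to the ID shape when the flag is absent
    (Mobile/ICS objects), so absence is not silently treated as 'no match'."""
    if "x_mitre_is_subtechnique" in obj:
        return bool(obj["x_mitre_is_subtechnique"])
    aid = attack_id(obj) or ""
    return SUBTECHNIQUE_ID.match(aid) is not None


def remove_revoked_deprecated(objects):
    """Drop revoked and deprecated objects (both flags default to False when absent)."""
    return [o for o in objects if not o.get("revoked") and not o.get("x_mitre_deprecated")]


def get_techniques(objects, level="all"):
    """level: 'all', 'techniques' or 'subtechniques'; classification is done in
    Python after retrieval rather than by a query-time property filter."""
    live = remove_revoked_deprecated(objects)
    if level == "all":
        return live
    if level == "techniques":
        return [o for o in live if not is_subtechnique(o)]
    if level == "subtechniques":
        return [o for o in live if is_subtechnique(o)]
    raise ValueError(f"unknown level: {level!r}")


if __name__ == "__main__":
    print("missing flag:", [o["name"] for o in missing_flag(SAMPLE_OBJECTS)])
    print("strict = False:", [o["name"] for o in strict_filter(SAMPLE_OBJECTS, False)])
    print("strict = True:", [o["name"] for o in strict_filter(SAMPLE_OBJECTS, True)])
    for lvl in ("all", "techniques", "subtechniques"):
        print(lvl, "->", [o["name"] for o in get_techniques(SAMPLE_OBJECTS, lvl)])
```

The strict filter loses "Mobile Technique (no flag)" entirely, which is the failure mode in the issue; `get_techniques` keeps it as a technique because its ID has no `.NNN` suffix. Because Mobile and ICS had no sub-techniques when this thread was written, the ID fallback simply classifies every object from those domains as a technique, and it keeps working if those domains later gain sub-techniques with the standard ID shape.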