{
  "type": "x-mitre-analytic",
  "spec_version": "2.1",
  "id": "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5",
  "created": "2025-10-21T15:10:28.402Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1773",
      "external_id": "AN1773"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2026-05-12T16:30:18.377Z",
  "name": "Analytic 1773",
  "description": "A defender observes an application with declared microphone capability initiating microphone resource use through iOS audio frameworks, potentially during background execution or shortly after a silent wake event, followed by sustained audio capture and outbound encrypted traffic suggesting audio streaming or upload activity.",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_deprecated": false,
  "x_mitre_version": "1.1",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_domains": [
    "mobile-attack"
  ],
  "x_mitre_platforms": [
    "iOS"
  ],
  "x_mitre_log_source_references": [
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
      "name": "MobileEDR:telemetry",
      "channel": "Microphone sensor activation or audio recording session initiated by application process"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
      "name": "iOS:unifiedlog",
      "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
      "name": "MobileEDR:telemetry",
      "channel": "Application writes audio buffer or recorded audio file into application storage directories"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
      "name": "MobileEDR:telemetry",
      "channel": "Application transitions to background or executes while screen locked during microphone session"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
      "name": "iOS:MDMLog",
      "channel": "Application installed with NSMicrophoneUsageDescription Info.plist key (usage description string, not a code-signing entitlement) indicating declared microphone capability"
    }
  ],
  "x_mitre_mutable_elements": [
    {
      "field": "ExpectedAudioAppsBaseline",
      "description": "Allow-list of legitimate applications expected to record audio on the device."
    },
    {
      "field": "BackgroundWakeCorrelationWindow",
      "description": "Time window correlating background wake events with microphone activation."
    },
    {
      "field": "MicSessionDurationThreshold",
      "description": "Minimum microphone recording duration considered suspicious."
    },
    {
      "field": "MicToNetworkCorrelationWindow",
      "description": "Time window linking microphone activation to outbound network activity."
    },
    {
      "field": "UplinkBytesThreshold",
      "description": "Threshold for outbound traffic volume indicating possible audio upload."
    }
  ]
}