AN1752: Analytic 1752
Defender correlates a custom keyboard extension activation (optionally with TCC ‘Full Access’) or abnormal UI text-entry interception with local keylog persistence and/or small egress. Chain: capability/consent (keyboard Full Access/TCC) → intercept (keyboard commit events or repeated secure text entry edits) → persist to container → near-term egress.
Analyst context for executives and security teams
This analytic matters because it focuses on a mobile privacy and data-loss pattern on iOS: a custom keyboard extension or abnormal text-entry behavior that may capture typed content, store it locally, and send small amounts of data out soon after. For leaders, the value is not in the keyboard event alone, but in validating whether the organization can connect user consent, app behavior, local persistence, and network egress into one defensible mobile security decision.
Executive priority
Prioritize this where iOS devices handle sensitive communications, credentials, regulated data, or executive workflows. Security leaders should ask whether mobile management, privacy permissions, endpoint/mobile telemetry, and network monitoring can provide evidence for keyboard extension use, Full Access/TCC consent, local storage behavior, and near-term egress. This is relevant to incident response readiness, compliance evidence, and mobile data-protection controls because a single permission or app event may not be enough to justify action without correlated evidence.
Technical view
For SOC, detection engineering, and IR teams, treat AN1752 as a correlation analytic rather than a single indicator. Validate collection and correlation across: iOS custom keyboard extension activation, optional TCC/Full Access consent state, abnormal text-entry interception indicators such as keyboard commit events or repeated secure text-entry edits, writes to the app or extension container, and small outbound network activity shortly after local persistence. Because the ATT&CK object provides no separate detection logic and no relationship context, local baselining is required to distinguish legitimate third-party keyboards and normal app behavior from suspicious chained activity.
Likely telemetry
- iOS device inventory and installed application or extension inventory
- Custom keyboard extension activation or usage records where available
- TCC or Full Access consent state for keyboard extensions
- UI or text-entry related application telemetry, including keyboard commit events where available
- Indicators of repeated secure text-entry edits or abnormal text-entry handling
Detection direction
- Build correlation around the supplied chain: capability or consent, text interception behavior, persistence to a local container, and near-term egress.
- Do not alert solely on the presence of a custom keyboard extension; legitimate keyboards and accessibility-related workflows can create false positives.
- Tune around timing and sequence: Full Access/TCC consent followed by abnormal text-entry events, local writes, and small outbound traffic is more meaningful than any single event.
- Validate visibility gaps on iOS, especially whether telemetry exposes keyboard extension activation, TCC/Full Access state, local container writes, and per-app egress with enough fidelity.
- Document what cannot be observed directly and define IR collection steps for device review when telemetry is incomplete.
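The four-stage chain and the sequencing rule above, as a correlation sketch run over constructed telemetry. This is an added example, not code from the ATT&CK object or from Glexia; the event schema, the "small egress" byte threshold, the one-hour window and the repeated-edit count are assumptions that must be replaced with values from your own MDM or mobile telemetry.

```python
from datetime import datetime, timedelta
from typing import Iterable

# Hypothetical normalized event schema: {"device", "ts", "kind", ...extra}.
CAPABILITY = {"keyboard_ext_activated", "full_access_granted"}   # consent stage
INTERCEPT = {"keyboard_commit", "secure_entry_edit"}             # intercept stage
SMALL_EGRESS_BYTES = 64 * 1024   # assumed upper bound for "small" egress
WINDOW = timedelta(hours=1)      # assumed consent-to-egress window
MIN_INTERCEPTS = 3               # repeated edits, not a single keystroke

def correlate(events: Iterable[dict]) -> list[dict]:
    """Return one alert per device whose events complete the chain in order."""
    by_device: dict[str, list[dict]] = {}
    for e in events:
        by_device.setdefault(e["device"], []).append(e)
    alerts = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        cap = next((e for e in evs if e["kind"] in CAPABILITY), None)
        if cap is None:
            continue
        # Each later stage must follow the previous stage in time.
        hits = [e for e in evs if e["kind"] in INTERCEPT and e["ts"] > cap["ts"]]
        if len(hits) < MIN_INTERCEPTS:
            continue   # keyboard present but no interception pattern: no alert
        write = next((e for e in evs if e["kind"] == "container_write"
                      and e["ts"] > hits[MIN_INTERCEPTS - 1]["ts"]), None)
        if write is None:
            continue
        egress = next((e for e in evs if e["kind"] == "egress"
                       and e["ts"] > write["ts"]
                       and e["ts"] - cap["ts"] <= WINDOW
                       and e.get("bytes", 0) <= SMALL_EGRESS_BYTES), None)
        if egress is None:
            continue
        alerts.append({"device": device, "consent_at": cap["ts"], "egress_at": egress["ts"],
                       "intercepts": len(hits), "egress_bytes": egress["bytes"]})
    return alerts

T0 = datetime(2026, 1, 15, 9, 0)
def _ev(device, minutes, kind, **extra):
    return {"device": device, "ts": T0 + timedelta(minutes=minutes), "kind": kind, **extra}

# Constructed sample telemetry: device A completes the chain; device B only
# activates a third-party keyboard (legitimate use) and must not alert.
SAMPLE_EVENTS = [
    _ev("A", 0, "keyboard_ext_activated"), _ev("A", 1, "full_access_granted"),
    _ev("A", 5, "secure_entry_edit"), _ev("A", 6, "keyboard_commit"), _ev("A", 7, "keyboard_commit"),
    _ev("A", 8, "container_write", path="Library/Caches/k.log"),
    _ev("A", 12, "egress", bytes=2048),
    _ev("B", 0, "keyboard_ext_activated"), _ev("B", 3, "keyboard_commit"),
]
```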
Mitigation priorities
- Inventory and govern approved iOS keyboard extensions and apps that can request broad text-entry capabilities.
- Use mobile device management or equivalent policy controls to restrict or review unapproved keyboard extensions where business requirements allow.
- Review permission governance for keyboard Full Access/TCC consent and ensure users understand the data exposure risk of granting broad input access.
- Prioritize mobile telemetry and network controls that can correlate app permissions, local storage behavior, and egress rather than relying on static app inventory alone.
- Include this behavior in mobile incident response playbooks, especially for sensitive users or devices handling regulated or high-value information.
Analyst notes and limits
AN1752 is a mobile ATT&CK detection analytic for iOS. The official description is correlation-oriented and centers on custom keyboard extension activation, optional Full Access/TCC consent, abnormal UI text-entry interception, local keylog persistence, and small egress. No tactics, detection implementation text, aliases, labels, or relationship context were supplied, so the defensive value depends heavily on local iOS telemetry and policy context.
The supplied object does not include official detection logic, related techniques, threat groups, software, mitigations, or data-source relationships. This take should not be interpreted as evidence of active exploitation, attribution, or guaranteed detectability. iOS telemetry availability varies significantly by management model, device state, and tooling.
Analytic 1752
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ef00072c06f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1752 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.