AN1763: Analytic 1763

Indirect evidence of asymmetric cryptographic channel usage inferred through key exchange-like network patterns and application background execution behavior, where direct observation of keypair operations is limited. Detection correlates app entitlement posture + background execution + asymmetric handshake patterns + subsequent encrypted communication.

MobileAN1763AnalyticObject v1.1 Modified May 12, 2026, 16:30 UTC (UTC+00:00)

AN1763 is a mobile detection analytic for iOS that looks for indirect signs of asymmetric cryptographic channel use when direct visibility into keypair operations is limited. Its business value is in validating whether mobile monitoring can correlate app permissions, background activity, network handshake-like behavior, and later encrypted communications—evidence that may matter during mobile incident response or high-risk app review.

Executive priority

Prioritize this analytic as a coverage-validation question for iOS environments where mobile applications, managed devices, or sensitive business workflows are in scope. Leaders should ask whether teams can produce defensible evidence of suspicious encrypted channel establishment from mobile devices, especially when cryptographic operations are not directly observable. This supports incident decision-making, mobile security assurance, and compliance evidence around monitoring capability, but the supplied ATT&CK object does not establish active exploitation or specific threat actor use.

Technical view

For SOC, detection engineering, and IR teams, the key validation point is correlation rather than a single event. The analytic describes combining app entitlement posture, background execution behavior, asymmetric key-exchange-like network patterns, and subsequent encrypted communication on iOS. Teams should test whether telemetry can link these observations to the same app, device, user, and time window. Because official detection logic is not provided, local implementation must define what constitutes key-exchange-like network behavior, what background activity is expected, and which app entitlements materially change risk.

Likely telemetry

iOS application entitlement and permission posture
Mobile device and application inventory context
Application background execution or background activity evidence
Network connection metadata from iOS devices
TLS/encrypted session metadata where available

Detection direction

Validate that iOS telemetry can correlate app entitlement posture, background execution, network handshake-like patterns, and subsequent encrypted communication in a common timeline.
Tune for expected behavior from legitimate apps that use background services and encrypted communications to reduce false positives.
Identify blind spots where mobile device management, endpoint telemetry, or network monitoring cannot attribute traffic to a specific iOS app.
Because MITRE provides no official detection logic for this analytic, document local assumptions, thresholds, and evidence requirements.
Use this analytic primarily as a detection engineering and IR-readiness test rather than as proof of malicious activity by itself.

Mitigation priorities

Start by confirming managed iOS visibility: device inventory, app inventory, entitlement posture, and network metadata collection.
Restrict or review high-risk app permissions and background execution where business requirements do not justify them.
Establish mobile incident response playbooks that preserve app, device, user, and network evidence for correlation.
Use security consulting or compliance readiness reviews to document whether mobile encrypted-channel monitoring is adequate for regulated or sensitive workflows.
Reassess coverage after iOS, MDM, app, or network monitoring changes because visibility may shift over time.

Analyst notes and limits

This is a detection analytic in the mobile ATT&CK domain for iOS. Its practical value comes from correlating weak signals when direct cryptographic operation visibility is limited. There are no supplied tactics, relationships, aliases, or official detection details, so the take focuses on coverage validation, telemetry readiness, and conservative defensive use.

The supplied object does not include detection logic, data source mappings, related techniques, threat relationships, mitigations, or examples. It supports only an iOS-focused interpretation of indirect detection of asymmetric cryptographic channel usage. Local environment telemetry is required to determine feasibility, fidelity, and operational value.

Official MITRE ATT&CK definition

Analytic 1763

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: May 12, 2026, 16:30 UTC (UTC+00:00)
Raw hash: 6f5522e3c0842a31...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	May 12, 2026, 16:30 UTC (UTC+00:00)	Current bundle	`6f5522e3c084…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1763
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use