Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. Chain: capability to query apps → burst of enumeration calls or shell listing → optional foreground target detection → local inventory file → small POST to remote endpoint.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | PackageManager `getInstalledApplications\|getInstalledPackages\|getPackagesHoldingPermissions` burst for |
| Command Execution (DC0064) | android:logcat | Command 'pm list packages' executed by app sandbox or child proc |
| File Creation (DC0039) | android:logcat | CREATE/WRITE /data/data/ |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from enumeration to persist/exfil (e.g., 10–120s). |
| MinEnumCount | Minimum count of package queries or listed rows to treat as inventory (e.g., ≥50). |
| TargetAppWatchlist | List of sensitive app package prefixes (banking/IdP/AV/MDM) to raise severity. |
| PersistPathRegex | Regex for inventory artifacts in the app container. |
| ExfilDomainAllowlist | Known-good analytics/CDN endpoints to suppress FPs. |
| UserContext | Work Profile/Kiosk/Jamf/Intune policy context to scope benign inventory jobs. |

Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) → large scheme/app probe set → optional webview hits to brand domains → local inventory cache → small egress.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | iOS:unifiedlog | LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes |
| Application Log Content (DC0038) | iOS:unifiedlog | Repeated canOpenURL checks across diverse schemes (≥N within short window) |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE container paths like `/Library/Caches/app_inventory.*\\.(json\|plist\|db)` |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from probe burst to persist/exfil (e.g., 10–120s). |
| MinProbeCount | Minimum count of scheme/app probes to treat as inventory (e.g., ≥40). |
| TargetBundleWatchlist | Bundle IDs/schemes of sensitive targets (banking/IdP/AV/MDM). |
| PersistPathRegex | Regex for inventory artifacts in container. |
| ExfilDomainAllowlist | Allowlist of enterprise analytics/CDN to reduce FPs. |
| JailbreakContext | Flag to escalate if private APIs appear on non-managed devices. |
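The Android and iOS chains above share one correlation shape: an enumeration burst at or above the minimum count, an optional watchlist hit that raises severity, then a persisted inventory artifact and/or non-allowlisted egress inside the time window. The following Python is an added example (not part of this page or of any vendor's detection engine) that implements that shape once and runs it with both platforms' tunables. The event format, the `enum`/`check`/`persist`/`egress` kinds, all process ids, package and bundle names, hostnames and paths are constructed for the example; a real pipeline would normalize logcat or unified-log records into this shape first.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Tunables mirror the Field/Description tables: one instance per platform.
@dataclass(frozen=True)
class Tunables:
    time_window_seconds: float     # TimeWindowSeconds
    min_enum_count: int            # MinEnumCount / MinProbeCount
    target_watchlist: tuple        # TargetAppWatchlist / TargetBundleWatchlist (prefixes)
    persist_path_regex: str        # PersistPathRegex
    exfil_domain_allowlist: tuple  # ExfilDomainAllowlist

# Constructed values: package prefixes, hosts and paths are placeholders, not real IoCs.
ANDROID = Tunables(60, 50, ("com.bank.", "com.idp.", "com.mdm."),
                   r"^/data/data/[^/]+/.*(inventory|apps).*\.(json|db|txt)$",
                   ("analytics.example-cdn.net",))
IOS = Tunables(60, 40, ("com.bank.", "com.idp."),
               r"/Library/Caches/app_inventory.*\.(json|plist|db)$",
               ("metrics.example-cdn.net",))

# Constructed normalized event line: "<epoch> pid=<n> <kind> <detail>".
#   enum    = PackageManager call, 'pm list packages' row, or canOpenURL probe
#   check   = foreground-target / specific bundle or scheme check
#   persist = file CREATE/WRITE with the path as detail
#   egress  = outbound request; detail starts with the destination host
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+pid=(?P<pid>\d+)\s+"
                     r"(?P<kind>enum|check|persist|egress)\s+(?P<detail>\S.*)$")

def parse(lines):
    """Parse normalized lines into (ts, pid, kind, detail) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), int(m["pid"]), m["kind"], m["detail"]))
    return events

def correlate(lines, t):
    """One alert per process whose chain (enum burst -> persist and/or egress)
    completes within t.time_window_seconds of its first enumeration call."""
    by_pid = defaultdict(list)
    for ev in parse(lines):
        by_pid[ev[1]].append(ev)
    persist_re = re.compile(t.persist_path_regex)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort()
        enum = [e for e in evs if e[2] == "enum"]
        if len(enum) < t.min_enum_count:
            continue  # below MinEnumCount/MinProbeCount: routine API use, not an inventory
        t0, deadline = enum[0][0], enum[0][0] + t.time_window_seconds
        in_window = [e for e in evs if t0 <= e[0] <= deadline]
        persisted = [e[3] for e in in_window if e[2] == "persist" and persist_re.search(e[3])]
        egress = [e[3].split()[0] for e in in_window if e[2] == "egress"
                  and e[3].split()[0] not in t.exfil_domain_allowlist]
        if not persisted and not egress:
            continue  # enumeration alone is too noisy (launchers, app-lock and backup tools)
        targets = sorted({e[3] for e in evs if e[2] == "check" and e[3].startswith(t.target_watchlist)})
        alerts.append({"pid": pid, "enum_count": len(enum), "persisted": persisted,
                       "egress": egress, "targets": targets,
                       "severity": "high" if targets else "medium"})
    return alerts

# Constructed sample data. pid 4242: full chain with a watchlist hit.
# pid 7: launcher that enumerates but never persists or sends (no alert).
# pid 9: app-lock tool whose inventory write falls outside the window (no alert).
ANDROID_SAMPLE = (
    [f"{1000 + i * 0.01:.2f} pid=4242 enum PackageManager.getInstalledApplications" for i in range(60)]
    + ["1001.00 pid=4242 check com.bank.mobile",
       "1002.50 pid=4242 persist /data/data/com.example.flashlight/files/inventory.json",
       "1003.00 pid=4242 egress collector.example.net bytes=1843"]
    + [f"{1000 + i * 0.01:.2f} pid=7 enum PackageManager.getInstalledPackages" for i in range(80)]
    + [f"{1000 + i * 0.01:.2f} pid=9 enum pm list packages" for i in range(55)]
    + ["1100.00 pid=9 persist /data/data/com.example.applock/files/apps.db"]
)
# iOS: scheme spray, watchlist check, cached inventory, egress only to an allowlisted host.
IOS_SAMPLE = (
    [f"{2000 + i * 0.02:.2f} pid=311 enum canOpenURL scheme{i}://" for i in range(45)]
    + ["2001.00 pid=311 check com.bank.ios",
       "2002.00 pid=311 persist /private/var/mobile/Containers/Data/Application/X/Library/Caches/app_inventory.plist",
       "2003.00 pid=311 egress metrics.example-cdn.net bytes=900"]
)

if __name__ == "__main__":
    for name, sample, tun in (("android", ANDROID_SAMPLE, ANDROID), ("ios", IOS_SAMPLE, IOS)):
        for alert in correlate(sample, tun):
            print(name, alert)
```

The allowlist suppresses the egress leg only; the iOS sample still alerts because the inventory artifact was written inside the window, which is the intended behaviour for a cached inventory that may be sent later. UserContext and JailbreakContext are left as inputs the caller would fold into the severity decision, since they come from MDM state rather than from the event stream.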