adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix typos in enterprise/pre to match website update

Browse Source
This commit is contained in:
Jennifer Burns
2019-02-23 08:25:17 -05:00
parent e0c30634d9
commit ca5e237c32
9 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
enterprise-attack/attack-pattern/attack-pattern--06780952-177c-4247-b978-79c357fb311f.json
+2 -2
View File
@@ -7,7 +7,7 @@
"id": "attack-pattern--06780952-177c-4247-b978-79c357fb311f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Plist Modification",
"description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
"description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
"external_references": [
{
"external_id": "T1150",
@@ -57,7 +57,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-31T13:45:13.024Z",
"modified": "2019-02-19T16:27:45.214Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
enterprise-attack/attack-pattern/attack-pattern--5ad95aaa-49c1-4784-821d-2e83f47b079b.json
+2 -2
View File
@@ -7,7 +7,7 @@
"id": "attack-pattern--5ad95aaa-49c1-4784-821d-2e83f47b079b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "AppleScript",
"description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command lie via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>.",
"description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>.",
"external_references": [
{
"external_id": "T1155",
@@ -49,7 +49,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-31T13:45:13.024Z",
"modified": "2019-02-11T15:34:01.392Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
enterprise-attack/attack-pattern/attack-pattern--a6525aec-acc4-47fe-92f9-b9b4de4b9228.json
+2 -2
View File
@@ -30,7 +30,7 @@
"Process command-line parameters",
"Binary file metadata"
],
"x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of [[Legitimate Credentials]] to access remote systems within the network.",
"x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of Legitimate Credentials to access remote systems within the network.",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -49,7 +49,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T16:10:24.163Z",
"created": "2017-05-31T21:30:50.342Z"
}
]
enterprise-attack/attack-pattern/attack-pattern--bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2.json
+2 -2
View File
@@ -51,7 +51,7 @@
"Windows"
],
"x_mitre_system_requirements": [
"[[Software/S0108|netsh]]"
"[netsh](https://attack.mitre.org/software/S0108)"
],
"type": "attack-pattern",
"kill_chain_phases": [
@@ -60,7 +60,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T16:21:49.984Z",
"created": "2017-05-31T21:31:40.168Z"
}
]
enterprise-attack/attack-pattern/attack-pattern--f2d44246-91f1-478a-b6c8-1227e0ca109d.json
+2 -2
View File
@@ -66,7 +66,7 @@
"x_mitre_version": "1.0",
"x_mitre_contributors": [
"Red Canary",
"Oddvar Moe"
"Oddvar Moe, @oddvarmoe"
],
"x_mitre_data_sources": [
"File monitoring",
@@ -93,7 +93,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-20T14:17:30.847Z",
"created": "2017-05-31T21:31:11.147Z"
}
]
enterprise-attack/enterprise-attack.json
+10 -10
View File
@@ -459,7 +459,7 @@
"id": "attack-pattern--5ad95aaa-49c1-4784-821d-2e83f47b079b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "AppleScript",
"description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command lie via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>.",
"description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>.",
"external_references": [
{
"external_id": "T1155",
@@ -501,7 +501,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-31T13:45:13.024Z",
"modified": "2019-02-11T15:34:01.392Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
@@ -4895,7 +4895,7 @@
"Process command-line parameters",
"Binary file metadata"
],
"x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of [[Legitimate Credentials]] to access remote systems within the network.",
"x_mitre_detection": "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions. \n\nUnknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of Legitimate Credentials to access remote systems within the network.",
"x_mitre_platforms": [
"Linux",
"macOS",
@@ -4914,7 +4914,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T16:10:24.163Z",
"created": "2017-05-31T21:30:50.342Z"
},
{
@@ -7408,7 +7408,7 @@
"x_mitre_version": "1.0",
"x_mitre_contributors": [
"Red Canary",
"Oddvar Moe"
"Oddvar Moe, @oddvarmoe"
],
"x_mitre_data_sources": [
"File monitoring",
@@ -7435,7 +7435,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-20T14:17:30.847Z",
"created": "2017-05-31T21:31:11.147Z"
},
{
@@ -7486,7 +7486,7 @@
"Windows"
],
"x_mitre_system_requirements": [
"[[Software/S0108|netsh]]"
"[netsh](https://attack.mitre.org/software/S0108)"
],
"type": "attack-pattern",
"kill_chain_phases": [
@@ -7495,7 +7495,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T16:21:49.984Z",
"created": "2017-05-31T21:31:40.168Z"
},
{
@@ -8356,7 +8356,7 @@
"id": "attack-pattern--06780952-177c-4247-b978-79c357fb311f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Plist Modification",
"description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
"description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
"external_references": [
{
"external_id": "T1150",
@@ -8406,7 +8406,7 @@
"kill_chain_name": "mitre-attack"
}
],
"modified": "2018-10-31T13:45:13.024Z",
"modified": "2019-02-19T16:27:45.214Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
pre-attack/attack-pattern/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json
+2 -2
View File
@@ -7,7 +7,7 @@
"id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Acquire or compromise 3rd party signing certificates",
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)",
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)",
"external_references": [
{
"external_id": "T1332",
@@ -35,7 +35,7 @@
"kill_chain_name": "mitre-pre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T18:56:56.071Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
pre-attack/attack-pattern/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json
+2 -2
View File
@@ -7,7 +7,7 @@
"id": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Acquire or compromise 3rd party signing certificates",
"description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
"description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
"external_references": [
{
"external_id": "T1310",
@@ -35,7 +35,7 @@
"kill_chain_name": "mitre-pre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T18:54:54.471Z",
"created": "2017-12-14T16:46:06.044Z"
}
]
pre-attack/pre-attack.json
+4 -4
View File
@@ -264,7 +264,7 @@
"id": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Acquire or compromise 3rd party signing certificates",
"description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
"description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)",
"external_references": [
{
"external_id": "T1310",
@@ -292,14 +292,14 @@
"kill_chain_name": "mitre-pre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T18:54:54.471Z",
"created": "2017-12-14T16:46:06.044Z"
},
{
"id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Acquire or compromise 3rd party signing certificates",
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)",
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)",
"external_references": [
{
"external_id": "T1332",
@@ -327,7 +327,7 @@
"kill_chain_name": "mitre-pre-attack"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"modified": "2019-02-19T18:56:56.071Z",
"created": "2017-12-14T16:46:06.044Z"
},
{