adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

content regeneration for apr-2018 update

Browse Source
This commit is contained in:
John Wunder
2018-04-13 13:37:01 -04:00
parent cd175b6841
commit ced1c19fa3
4120 changed files with 136609 additions and 99817 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pre-attack/attack-pattern/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--acb66c8f-5e04-4927-a62d-b1e3020f637c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire OSINT data sets and information",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1054"
},
{
"source_name": "SANSThreatProfile",
"description": "Stephen Irwin. (2014, September 8). Creating a Threat Profile for Your Organization. Retrieved March 5, 2017."
"description": "Stephen Irwin. (2014, September 8). Creating a Threat Profile for Your Organization. Retrieved March 5, 2017.",
"source_name": "SANSThreatProfile"
},
{
"source_name": "Infosec-osint",
"description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017."
"description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017.",
"source_name": "Infosec-osint"
},
{
"source_name": "isight-osint",
"description": "Dawn Lomer. (2017). 101+ OSINT Resources for Investigators. Retrieved May 9, 2017."
"description": "Dawn Lomer. (2017). 101+ OSINT Resources for Investigators. Retrieved May 9, 2017.",
"source_name": "isight-osint"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it."
"x_mitre_difficulty_for_adversary_explanation": "Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--f05dba69-834b-478c-90c5-bdfbae50d19e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--16cbd521-2d96-4f44-ba57-d7622345bdbe",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Submit KITs, KIQs, and intelligence requirements",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1014",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1014"
},
{
"source_name": "ICD204",
"description": "Office of the Director of National Intelligence. (2015, January 02). Retrieved March 5, 2017."
"description": "Office of the Director of National Intelligence. (2015, January 02). Retrieved March 5, 2017.",
"source_name": "ICD204"
},
{
"source_name": "KIT-Herring",
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017."
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017.",
"source_name": "KIT-Herring"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries."
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--063d7c60-e327-40ef-b4eb-565bb1f79a14",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--ec61dde1-478e-4d94-ba20-a55a2b3f7f0f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire or compromise 3rd party signing certificates",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1109"
},
{
"source_name": "DiginotarCompromise",
"description": "Dennis Fisher. (2012, October 31). FINAL REPORT ON DIGINOTAR HACK SHOWS TOTAL COMPROMISE OF CA SERVERS. Retrieved March 6, 2017."
"description": "Dennis Fisher. (2012, October 31). FINAL REPORT ON DIGINOTAR HACK SHOWS TOTAL COMPROMISE OF CA SERVERS. Retrieved March 6, 2017.",
"source_name": "DiginotarCompromise"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms"
"x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6313c532-0011-468d-8b3e-c6bc92e4185c",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--bb6d391e-75f1-49ad-867a-66a36e7fc34c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Authorized user performs requested cyber action",
"description": "Clicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1163",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1163"
},
{
"source_name": "AnonHBGary",
"description": "PETER BRIGHT. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017."
"description": "PETER BRIGHT. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
"source_name": "AnonHBGary"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing."
"x_mitre_difficulty_for_adversary_explanation": "Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--24f9cd8e-6e60-4af3-b9fa-b2e1f25aeba5",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--e099a68d-aba5-410c-bd3a-6ecdc16371a6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify security defensive capabilities",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1040",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1040"
},
{
"source_name": "OSFingerprinting2014",
"description": "InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017."
"description": "InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017.",
"source_name": "OSFingerprinting2014"
},
{
"source_name": "NMAP WAF NSE",
"description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017."
"description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017.",
"source_name": "NMAP WAF NSE"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS)."
"x_mitre_difficulty_for_adversary_explanation": "The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--cd764479-4674-4d16-9adc-8728970a7048",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--6f889a29-77a1-4a6f-a811-81cc2974f612",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Test callback functionality",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1133",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1133"
},
{
"source_name": "LeeBeaconing",
"description": "Tony Lee. (2012, December 11). Testing Your Defenses - Beaconing. Retrieved March 9, 2017."
"description": "Tony Lee. (2012, December 11). Testing Your Defenses - Beaconing. Retrieved March 9, 2017.",
"source_name": "LeeBeaconing"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the test and defender likely has no visibility.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility."
"x_mitre_difficulty_for_adversary_explanation": "Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c48a0ed0-afbd-4ffa-b927-d61d15188ea0",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json
+16 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--835fc2f4-923f-48e8-8e75-d8f7ef2e3eb3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify job postings and needs/gaps",
"description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDifficulty for the Adversary: Yes",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,20 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1044"
},
{
"source_name": "JobPostingThreat",
"description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017."
"description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017.",
"source_name": "JobPostingThreat"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_difficulty_for_adversary": "Yes"
"x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Very public by design.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--216d68d6-504d-42f7-a2e8-b0df3e96fd4f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--ff039e0c-9c91-472e-97f3-5f0b6417e942",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze organizational skillsets and deficiencies",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1066"
},
{
"source_name": "FakeLinkedIn",
"description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017."
"description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017.",
"source_name": "FakeLinkedIn"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target."
"x_mitre_difficulty_for_adversary_explanation": "Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3054e28b-d383-42fe-a98a-471d071626a6",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--90dc6fe3-c987-4e11-967a-ccd995bed9ad",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify people of interest",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1046"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets."
"x_mitre_difficulty_for_adversary_explanation": "Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--cd70009a-9fa1-4a37-83c4-7d4e2b82c34e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--2d12782f-49a7-4860-9f1c-5293c6ba1124",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Common, high volume protocols and software",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: High level of entropy in communications. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1098",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1098"
},
{
"source_name": "symantecNITRO",
"description": "Eric Chien and Gavin O\u2019Gorman. (n.d.). The Nitro Attacks: Stealing Secrets from the Chemical Industry. Retrieved March 1, 2017."
"description": "Eric Chien and Gavin O\u2019Gorman. (n.d.). The Nitro Attacks: Stealing Secrets from the Chemical Industry. Retrieved March 1, 2017.",
"source_name": "symantecNITRO"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "High level of entropy in communications. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous."
"x_mitre_difficulty_for_adversary_explanation": "Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7bf18d56-b0d9-4859-9855-840187a14644",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--ccce0af1-06ae-414b-b361-83402fc839ee",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Replace legitimate binary with malware",
"description": "Replacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nReplacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1155",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1155"
},
{
"source_name": "FSecureICS",
"description": "Daavid and Antti. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved March 9, 2017."
"description": "Daavid and Antti. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved March 9, 2017.",
"source_name": "FSecureICS"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable."
"x_mitre_difficulty_for_adversary_explanation": "Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--cf3f3cfa-91ef-41c4-8fd7-bafce89a14b9",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--6ac276e2-aa12-49c5-816f-ac1928f91347",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Automated system performs requested action",
"description": "Users may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nUsers may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1161",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1161"
},
{
"source_name": "WSUSpect2015",
"description": "Paul Stone & Alex Chapman. (2015, August 5). WSUSpect: Compromising the Windows Enterprise via Windows Update. Retrieved March 1, 2017."
"description": "Paul Stone & Alex Chapman. (2015, August 5). WSUSpect: Compromising the Windows Enterprise via Windows Update. Retrieved March 1, 2017.",
"source_name": "WSUSpect2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments)."
"x_mitre_difficulty_for_adversary_explanation": "Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--253418e6-4f14-4505-bbeb-0ff208eb0d44",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--75637cca-1e86-46cf-af51-701cc328e284",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify analyst level gaps",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1010",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1010"
},
{
"source_name": "BrighthubGapAnalysis",
"description": "Ronda Bowen. (2014, March 26). Performing a Gap Analysis: Where Do You Begin?. Retrieved March 14, 2017."
"description": "Ronda Bowen. (2014, March 26). Performing a Gap Analysis: Where Do You Begin?. Retrieved March 14, 2017.",
"source_name": "BrighthubGapAnalysis"
},
{
"source_name": "ICD115",
"description": "Office of the Director of National Intelligence. (2012, December 21). ICD 115: Intelligence Community Capability Requirements Process. Retrieved March 2, 2017."
"description": "Office of the Director of National Intelligence. (2012, December 21). ICD 115: Intelligence Community Capability Requirements Process. Retrieved March 2, 2017.",
"source_name": "ICD115"
},
{
"source_name": "JP2-01",
"description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017."
"description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017.",
"source_name": "JP2-01"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries."
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--93f9ad40-2808-4009-9b78-95053d73701b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--7bf6d406-3f79-45dd-8d1d-bd0254599ed7",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Friend/Follow/Connect to targets of interest",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1121"
},
{
"source_name": "NEWSCASTER2014",
"description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017."
"description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
"source_name": "NEWSCASTER2014"
},
{
"source_name": "BlackHatRobinSage",
"description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017."
"description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
"source_name": "BlackHatRobinSage"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind."
"x_mitre_difficulty_for_adversary_explanation": "The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--0a704635-d02c-4f68-b975-7522ece465cb",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4c4e7c2c-5fe0-4d6d-84bb-75a6336dd52a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Port redirector",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1140",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1140"
},
{
"source_name": "SecureWorks HTRAN Analysis",
"description": "JOE STEWART. (2011, August 3). HTran and the Advanced Persistent Threat. Retrieved March 28, 2017."
"description": "JOE STEWART. (2011, August 3). HTran and the Advanced Persistent Threat. Retrieved March 28, 2017.",
"source_name": "SecureWorks HTRAN Analysis"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers)."
"x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3f9fbbec-2231-4657-8614-e28113393e89",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--0990f3dd-fec0-409c-bbe0-ce711bc3754c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Derive intelligence requirements",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1007",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1007"
},
{
"source_name": "LowenthalCh4",
"description": "[ Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017."
"description": "[ Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.",
"source_name": "LowenthalCh4"
},
{
"source_name": "Heffter",
"description": "Clyde R. Heffter. (2011, August 4). A Fresh Look at Collection Requirements. Retrieved March 2, 2017."
"description": "Clyde R. Heffter. (2011, August 4). A Fresh Look at Collection Requirements. Retrieved March 2, 2017.",
"source_name": "Heffter"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries."
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4da0249d-a644-4576-aad9-d44e6623620d",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--49f42bb8-9c18-4aa7-9dd5-eac05e09c752",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Build and configure delivery systems",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is easy to create and burn infrastructure. Otherwise, blacklisting would be more successful for defenders.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1124",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1124"
},
{
"source_name": "APT1",
"description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017."
"description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017.",
"source_name": "APT1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "It is easy to create and burn infrastructure. Otherwise, blacklisting would be more successful for defenders."
"x_mitre_difficulty_for_adversary_explanation": "It is easy to create and burn infrastructure. Otherwise, blacklisting would be more successful for defenders.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ab5662e8-e815-4a83-8a8c-567aa87f1b00",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4d51b2c9-ffd1-40e5-8ae2-1d10f8b4d5a5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Test physical access",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1137",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1137"
},
{
"source_name": "OCIAC Pre Incident Indicators",
"description": "Orange County Intelligence Assessment Center. (n.d.). Pre-Incident Indicators. Retrieved March 28, 2017."
"description": "Orange County Intelligence Assessment Center. (n.d.). Pre-Incident Indicators. Retrieved March 28, 2017.",
"source_name": "OCIAC Pre Incident Indicators"
},
{
"source_name": "NewsAgencySpy",
"description": "The Canadian Press. (2012, August 22). Reporter says Chinese news agency asked him to spy. Retrieved March 9, 2017."
"description": "The Canadian Press. (2012, August 22). Reporter says Chinese news agency asked him to spy. Retrieved March 9, 2017.",
"source_name": "NewsAgencySpy"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)"
"x_mitre_difficulty_for_adversary_explanation": "Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--17edec05-1378-4d96-9809-3c8b17d0c1ff",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--8d0c0f0f-b9d1-48eb-9022-78d5d74e3f58",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify technology usage patterns",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Physical observations, OSINT for remote access instructions, and other techniques are not detectable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1041",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1041"
},
{
"source_name": "SANSRemoteAccess",
"description": "Jason Ragland. (2010, January 18). Remotely Accessing Sensitive Resources. Retrieved March 5, 2017."
"description": "Jason Ragland. (2010, January 18). Remotely Accessing Sensitive Resources. Retrieved March 5, 2017.",
"source_name": "SANSRemoteAccess"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Physical observations, OSINT for remote access instructions, and other techniques are not detectable.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques."
"x_mitre_difficulty_for_adversary_explanation": "Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9b2ea320-a916-4d29-b4e3-15f748690500",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--740a7715-bf83-481f-ad6c-abc2deeb5978",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire and/or use 3rd party software services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1085"
},
{
"source_name": "LUCKYCAT2012",
"description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017."
"description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.",
"source_name": "LUCKYCAT2012"
},
{
"source_name": "Nemucod Facebook",
"description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. Retrieved March 28, 2017."
"description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. Retrieved March 28, 2017.",
"source_name": "Nemucod Facebook"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available."
"x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--53fc3f8c-ac4e-4da8-9306-531de7df87f2",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--b4c1bbc7-678e-4c8a-bdb6-2f8a244aa485",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1def484d-2343-470d-8925-88f45b5f9615",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Assess vulnerability of 3rd party vendors",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1075",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1075"
},
{
"source_name": "Zetter2015Threats",
"description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017."
"description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017.",
"source_name": "Zetter2015Threats"
},
{
"source_name": "WSJTargetBreach",
"description": "Paul Ziobro. (2014, February 6). Target Breach Began With Contractor's Electronic Billing Link. Retrieved March 6, 2017."
"description": "Paul Ziobro. (2014, February 6). Target Breach Began With Contractor's Electronic Billing Link. Retrieved March 6, 2017.",
"source_name": "WSJTargetBreach"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--1def484d-2343-470d-8925-88f45b5f9615",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial."
"x_mitre_difficulty_for_adversary_explanation": "The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4f47a96b-e07d-459c-928e-b360733971ed",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--fd9ec9ea-015c-408f-a3ad-c522c9b63f4a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify business processes/tempo",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Current or previous employees may divulge information on the Internet. If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1057",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1057"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
},
{
"source_name": "Infosec-osint",
"description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017."
"description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017.",
"source_name": "Infosec-osint"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Current or previous employees may divulge information on the Internet. If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm."
"x_mitre_difficulty_for_adversary_explanation": "In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6806bfc8-5216-47a4-bad3-70dbdfd942a7",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--72a5168b-8c8a-4008-bec6-a77bd49cb80d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Data Hiding",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1097",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1097"
},
{
"source_name": "BotnetsDNSC2",
"description": "Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017."
"description": "Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017.",
"source_name": "BotnetsDNSC2"
},
{
"source_name": "HAMMERTOSS2015",
"description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017."
"description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017.",
"source_name": "HAMMERTOSS2015"
},
{
"source_name": "DNS-Tunnel",
"description": "Alexey Shulmi and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017."
"description": "Alexey Shulmi and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017.",
"source_name": "DNS-Tunnel"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields."
"x_mitre_difficulty_for_adversary_explanation": "This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--20b08232-8c8f-41f1-b028-b3251166316a",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--3fdf5195-b582-435d-a279-74f8d3b403bc",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Determine physical locations",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Most corporations now list their locations on public facing websites. Some challenge still exists to find covert or sensitive locations.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1059",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1059"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Most corporations now list their locations on public facing websites. Some challenge still exists to find covert or sensitive locations."
"x_mitre_difficulty_for_adversary_explanation": "Most corporations now list their locations on public facing websites. Some challenge still exists to find covert or sensitive locations.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d68080fb-3cf2-48eb-90c8-70c5c74bd565",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--35d75097-cc68-4264-9f1b-e3d71b56f40b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Dynamic DNS",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. There is potential to assign some level of risk based on this.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1088"
},
{
"source_name": "DellMirage2012",
"description": "DELL SECUREWORKS COUNTER THREAT UNIT THREAT INTELLIGENCE. (2012, September 18). The Mirage Campaign. Retrieved March 6, 2017."
"description": "DELL SECUREWORKS COUNTER THREAT UNIT THREAT INTELLIGENCE. (2012, September 18). The Mirage Campaign. Retrieved March 6, 2017.",
"source_name": "DellMirage2012"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. There is potential to assign some level of risk based on this.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership."
"x_mitre_difficulty_for_adversary_explanation": "Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e29e24fb-28a6-4d92-a946-a4eb603a4667",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--3a555ddb-cbbe-4d0d-a279-e4029e4888a3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Procure required equipment and software",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Outside of highly specific or rare HW, nearly impossible to detect and track.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1112",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1112"
},
{
"source_name": "NYTStuxnet",
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017."
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
"source_name": "NYTStuxnet"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Outside of highly specific or rare HW, nearly impossible to detect and track.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS)."
"x_mitre_difficulty_for_adversary_explanation": "Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c29c68e3-cc18-4702-b1ef-97d1b176451e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--2087d990-43c9-458a-b172-d6cd9e6017d6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Determine domain and IP address space",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public or easily obtainable information by design.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: AS and IANA data are easily available, existing research tools.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1027"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Public or easily obtainable information by design.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "AS and IANA data are easily available, existing research tools."
"x_mitre_difficulty_for_adversary_explanation": "AS and IANA data are easily available, existing research tools.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b376e3fc-0836-4acb-8b1a-d6cfa1c84c47",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30.json
+19 -19
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--16f71d4b-5daf-4e78-b7d3-b12dded1434f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Fast Flux DNS",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.",
"kill_chain_phases": [
{
@@ -19,34 +13,40 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1102",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1102"
},
{
"source_name": "HoneynetFastFlux",
"description": "Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017."
"description": "Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017.",
"source_name": "HoneynetFastFlux"
},
{
"source_name": "MisnomerFastFlux",
"description": "Misnomer. (2012, May 4). RESEARCH TO DETECTION \u2013 IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017."
"description": "Misnomer. (2012, May 4). RESEARCH TO DETECTION \u2013 IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017.",
"source_name": "MisnomerFastFlux"
},
{
"source_name": "MehtaFastFluxPt1",
"description": "Lohit Mehta. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017."
"description": "Lohit Mehta. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.",
"source_name": "MehtaFastFluxPt1"
},
{
"source_name": "MehtaFastFluxPt2",
"description": "Lohit Mehta. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017."
"description": "Lohit Mehta. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.",
"source_name": "MehtaFastFluxPt2"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes."
"x_mitre_difficulty_for_adversary_explanation": "Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--bb68c3c2-8936-4588-bbad-62beae1fb9e1",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--9ea3ac4f-1b2f-4d73-b9ce-2b34b73fb10b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Develop social network persona digital footprint",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1119",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1119"
},
{
"source_name": "NEWSCASTER2014",
"description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017."
"description": "Mike Lennon. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
"source_name": "NEWSCASTER2014"
},
{
"source_name": "BlackHatRobinSage",
"description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017."
"description": "Thomas Ryan. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
"source_name": "BlackHatRobinSage"
},
{
"source_name": "RobinSageInterview",
"description": "Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017."
"description": "Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017.",
"source_name": "RobinSageInterview"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise."
"x_mitre_difficulty_for_adversary_explanation": "The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--13bfa585-5c9d-4f0c-9174-d40c61eda6c4",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--1b74eebb-b861-44d7-befa-1cef0608f2bd",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Domain Generation Algorithms (DGA)",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. (Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1100",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1100"
},
{
"source_name": "DamballaDGA",
"description": "Damballa Day Before Zero Blog. (2012, March 5). Domain Generation Algorithms (DGA) in Stealthy Malware. Retrieved March 6, 2017."
"description": "Damballa Day Before Zero Blog. (2012, March 5). Domain Generation Algorithms (DGA) in Stealthy Malware. Retrieved March 6, 2017.",
"source_name": "DamballaDGA"
},
{
"source_name": "DambballaDGACyberCriminals",
"description": "Damballa. (n.d.). DGAs in the Hands of Cyber-Criminals Examining The State Of The Art In Malware Evasion Techniques. Retrieved March 6, 2017."
"description": "Damballa. (n.d.). DGAs in the Hands of Cyber-Criminals Examining The State Of The Art In Malware Evasion Techniques. Retrieved March 6, 2017.",
"source_name": "DambballaDGACyberCriminals"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch."
"x_mitre_difficulty_for_adversary_explanation": "This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--819036ee-e8ed-40ea-a9f0-af69bc4dbb75",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--ff24d51d-3c81-4099-ad75-e75e1f2a9775",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain/re-use payloads",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1123",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1123"
},
{
"source_name": "SonyDestover",
"description": "Kurt Baumgartner. (2014, December 4). Sony/Destover: mystery North Korean actor\u2019s destructive and past network activity. Retrieved March 9, 2017."
"description": "Kurt Baumgartner. (2014, December 4). Sony/Destover: mystery North Korean actor\u2019s destructive and past network activity. Retrieved March 9, 2017.",
"source_name": "SonyDestover"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring."
"x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d8782c5c-88df-42a9-b2db-bb818a70e62f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4277638b-408c-4fd8-8426-7ea6a08c101f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire and/or use 3rd party infrastructure services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1084"
},
{
"source_name": "LUCKYCAT2012",
"description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017."
"description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.",
"source_name": "LUCKYCAT2012"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc."
"x_mitre_difficulty_for_adversary_explanation": "Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--284a9361-8ff0-4fed-8dd0-ada2d0bca396",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--37f26731-4ab6-4c5a-b8f4-011efe170740",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify web defensive services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary can attempt to identify web defensive services as [https://www.cloudflare.com/ CloudFlare], [https://github.com/jjxtra/Windows-IP-Ban-Service IPBan], and [https://www.snort.org/ Snort]. This may be done by passively detecting services, like [https://www.cloudflare.com/ CloudFlare] routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Active service detection may trigger an alert. Passive service enumeration is not detected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1033",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1033"
},
{
"source_name": "NMAP WAF NSE",
"description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017."
"description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017.",
"source_name": "NMAP WAF NSE"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Active service detection may trigger an alert. Passive service enumeration is not detected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)"
"x_mitre_difficulty_for_adversary_explanation": "Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--07a51085-8462-4455-bc6b-02ed6027ed17",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--a35de759-8f85-4d2d-96f4-8747ba641c4c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire OSINT data sets and information",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1043"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs)."
"x_mitre_difficulty_for_adversary_explanation": "Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b0d55ff9-a452-4d65-93a2-ad5f6fd47fbb",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--67bc64d1-0171-40e0-9ddd-61a2a336c6a6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Leverage compromised 3rd party resources",
"description": "The utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1152",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1152"
},
{
"source_name": "CitizenLabGreatCannon",
"description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017."
"description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017.",
"source_name": "CitizenLabGreatCannon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight."
"x_mitre_difficulty_for_adversary_explanation": "Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d5852122-ddb9-4cc4-a533-65d812459940",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--e90fd26b-8732-4891-8b8c-62fe4fcf4990",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Untargeted client-side exploitation",
"description": "A technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1147",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1147"
},
{
"source_name": "CitizenLabGreatCannon",
"description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017."
"description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017.",
"source_name": "CitizenLabGreatCannon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery."
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7017078c-814d-4cd1-b6dc-43864a625f6c",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json
+20 -19
View File
@@ -1,48 +1,49 @@
{
"type": "bundle",
"id": "bundle--05cb7577-592a-4f95-9932-8a75eb2046f9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Disseminate removable media",
"description": "Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "launch"
"phase_name": "stage-capabilities"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1156",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1156"
},
{
"source_name": "USBMalwareAttacks",
"description": "Sean Carroll. (2010, November 4). USB Malware Attacks On the Rise. Retrieved March 9, 2017."
"description": "Sean Carroll. (2010, November 4). USB Malware Attacks On the Rise. Retrieved March 9, 2017.",
"source_name": "USBMalwareAttacks"
},
{
"source_name": "FPDefendNewDomain",
"description": "William J. Lynn III. (2010, September). Defending a New Domain. Retrieved March 9, 2017."
"description": "William J. Lynn III. (2010, September). Defending a New Domain. Retrieved March 9, 2017.",
"source_name": "FPDefendNewDomain"
},
{
"source_name": "ParkingLotUSB",
"description": "Emil Protalinski. (2012, July 11). Criminals push malware by 'losing' USB sticks in parking lots. Retrieved March 9, 2017."
"description": "Emil Protalinski. (2012, July 11). Criminals push malware by 'losing' USB sticks in parking lots. Retrieved March 9, 2017.",
"source_name": "ParkingLotUSB"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology."
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--62c5977a-3dbf-4449-976c-378aab54697a",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--8cbba71a-09c9-42dc-85e0-be1cf2b7e9db",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Spear phishing messages with text only",
"description": "Emails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. (Citation: Paypal Phone Scam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. (Citation: Paypal Phone Scam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1145",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1145"
},
{
"source_name": "Paypal Phone Scam",
"description": "Sophos Labs. (2006, July 7). PayPal phone phish scam uses voice recording to steal money. Retrieved March 29, 2017."
"description": "Sophos Labs. (2006, July 7). PayPal phone phish scam uses voice recording to steal money. Retrieved March 29, 2017.",
"source_name": "Paypal Phone Scam"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content)."
"x_mitre_difficulty_for_adversary_explanation": "Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e09fc4a3-4abc-4c1e-a206-1f17139b1540",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--3c432aa0-de3c-4a15-9542-7f641b944575",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Private whois services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commercially available or easy to set up and/or register using a disposable email account.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1082",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1082"
},
{
"source_name": "APT1",
"description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017."
"description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017.",
"source_name": "APT1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Commercially available or easy to set up and/or register using a disposable email account."
"x_mitre_difficulty_for_adversary_explanation": "Commercially available or easy to set up and/or register using a disposable email account.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5a66667f-5257-438f-a90a-4487692cd32e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--c8816de3-87aa-41d2-9b77-ce1b11bf264c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Assess security posture of physical locations",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Physical security is often unaware of implications of physical access to network. However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1079",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1079"
},
{
"source_name": "CyberPhysicalAssessment",
"description": "Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton. (2013, February). Cyber/physical security vulnerability assessment integration. Retrieved March 6, 2017."
"description": "Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton. (2013, February). Cyber/physical security vulnerability assessment integration. Retrieved March 6, 2017.",
"source_name": "CyberPhysicalAssessment"
},
{
"source_name": "CriticalInfrastructureAssessment",
"description": "J. Depoy, J. Phelan, P. Sholander, B. Smith, G.B. Varnado and G. Wyss. (2015). RISK ASSESSMENT for PHYSICAL AND CYBER ATTACKS on CRITICAL INFRASTRUCTURES. Retrieved March 6, 2017."
"description": "J. Depoy, J. Phelan, P. Sholander, B. Smith, G.B. Varnado and G. Wyss. (2015). RISK ASSESSMENT for PHYSICAL AND CYBER ATTACKS on CRITICAL INFRASTRUCTURES. Retrieved March 6, 2017.",
"source_name": "CriticalInfrastructureAssessment"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Physical security is often unaware of implications of physical access to network. However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish."
"x_mitre_difficulty_for_adversary_explanation": "Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6aa5dc94-179b-41d9-9e4c-6ca99bd2b283",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--36298111-7b25-41b4-9670-5a91adcf70d7",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Misattributable credentials",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1099",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1099"
},
{
"source_name": "FakeSSLCerts",
"description": "Paul Mutton. (2014, February 12). Fake SSL certificates deployed across the internet. Retrieved March 1, 2017."
"description": "Paul Mutton. (2014, February 12). Fake SSL certificates deployed across the internet. Retrieved March 1, 2017.",
"source_name": "FakeSSLCerts"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity."
"x_mitre_difficulty_for_adversary_explanation": "An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--46a437f3-1a7b-4ed3-83b8-d1b17c2be305",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--16734089-d27a-4554-b3d9-db69995a65cd",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze presence of outsourced capabilities",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyzing business relationships from information gathering may provide insight into outsourced capabilities. In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1080",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1080"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
},
{
"source_name": "OPM Breach",
"description": "Hon. Jason Chaffetz, Hon. Mark Meadows, Hon. Will Hurd. (2016, September 7). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Retrieved March 28, 2017."
"description": "Hon. Jason Chaffetz, Hon. Mark Meadows, Hon. Will Hurd. (2016, September 7). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Retrieved March 28, 2017.",
"source_name": "OPM Breach"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Analyzing business relationships from information gathering may provide insight into outsourced capabilities. In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites."
"x_mitre_difficulty_for_adversary_explanation": "Analyzing business relationships from information gathering may provide insight into outsourced capabilities. In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--90720861-d1d9-4f5c-9a1d-98889d34dda2",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--026e477a-abf6-4d1c-a8ad-0e6283f16c7a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obfuscate or encrypt code",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Detecting encryption is easy, decrypting/deobfuscating is hard.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1096",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1096"
},
{
"source_name": "CylanceOpCleaver",
"description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017."
"description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017.",
"source_name": "CylanceOpCleaver"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Detecting encryption is easy, decrypting/deobfuscating is hard.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection."
"x_mitre_difficulty_for_adversary_explanation": "Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d9421b37-1037-46ae-94b5-21ab9536782e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--bcb47368-0e0c-41a3-b20c-49cfa7a6d107",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Hardware or software supply chain implant",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1142",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1142"
},
{
"source_name": "McDRecall",
"description": "Tash Shifrin. (2006, October 16). Malware forces McDonald\u2019s recall of giveaway MP3s. Retrieved March 9, 2017."
"description": "Tash Shifrin. (2006, October 16). Malware forces McDonald\u2019s recall of giveaway MP3s. Retrieved March 9, 2017.",
"source_name": "McDRecall"
},
{
"source_name": "SeagateMaxtor",
"description": "Brandon Hill. (2007, November 14). Seagate Serves External HDDs with a Side of Virus. Retrieved March 9, 2017."
"description": "Brandon Hill. (2007, November 14). Seagate Serves External HDDs with a Side of Virus. Retrieved March 9, 2017.",
"source_name": "SeagateMaxtor"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted."
"x_mitre_difficulty_for_adversary_explanation": "Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--476cb214-5c03-4c15-9fee-0f0df13556b1",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--05d7e3e3-765e-4bfa-a7a9-b618111ff397",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Credential pharming",
"description": "Credential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1151",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1151"
},
{
"source_name": "DriveByPharming",
"description": "Ellen Messmer. (2008, January 22). First case of \"drive-by pharming\" identified in the wild. Retrieved March 2, 2017."
"description": "Ellen Messmer. (2008, January 22). First case of \"drive-by pharming\" identified in the wild. Retrieved March 2, 2017.",
"source_name": "DriveByPharming"
},
{
"source_name": "GoogleDrive Phishing",
"description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017."
"description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017.",
"source_name": "GoogleDrive Phishing"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches."
"x_mitre_difficulty_for_adversary_explanation": "Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e9925347-0bcd-49ac-abfb-4486d7c71c8f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--9115ce06-d8ce-4885-b774-6ee780504ff5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain booter/stressor subscription",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. Furthermore, subscription does not automatically mean foul intention.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1173",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1173"
},
{
"source_name": "Krebs-Anna",
"description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017."
"description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.",
"source_name": "Krebs-Anna"
},
{
"source_name": "Krebs-Booter",
"description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017."
"description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.",
"source_name": "Krebs-Booter"
},
{
"source_name": "Krebs-Bazaar",
"description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017."
"description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.",
"source_name": "Krebs-Bazaar"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. Furthermore, subscription does not automatically mean foul intention.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do."
"x_mitre_difficulty_for_adversary_explanation": "Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--75887dcd-326b-43f8-91a2-6d362c14f298",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--701904e7-f166-4d86-bf24-1951f3adc71e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Shadow DNS",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Detection of this technique requires individuals to monitor their domain registrant accounts routinely. In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1117",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1117"
},
{
"source_name": "CiscoAngler",
"description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017."
"description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.",
"source_name": "CiscoAngler"
},
{
"source_name": "ProofpointDomainShadowing",
"description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017."
"description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017.",
"source_name": "ProofpointDomainShadowing"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "Detection of this technique requires individuals to monitor their domain registrant accounts routinely. In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains."
"x_mitre_difficulty_for_adversary_explanation": "To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--d2df4e9f-f930-4d1b-8b57-cba563f2fa3b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2.json
+25 -24
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--5d6865d4-3c88-4402-9f6a-aa0fe719d0dd",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Runtime code download and execution",
"description": "Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,42 +13,49 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1172",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1172"
},
{
"source_name": "Fruit vs Zombies",
"description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017."
"description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017.",
"source_name": "Fruit vs Zombies"
},
{
"source_name": "Android Hax",
"description": "Jon Oberheide. (2010). Android Hax. Retrieved April 12, 2017."
"description": "Jon Oberheide. (2010). Android Hax. Retrieved April 12, 2017.",
"source_name": "Android Hax"
},
{
"source_name": "Execute This!",
"description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved April 12, 2017."
"description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved April 12, 2017.",
"source_name": "Execute This!"
},
{
"source_name": "HT Fake News App",
"description": "Wish Wu. (2016, July 15). Fake News App in Hacking Team Dump Designed to Bypass Google Play. Retrieved April 12, 2017."
"description": "Wish Wu. (2016, July 15). Fake News App in Hacking Team Dump Designed to Bypass Google Play. Retrieved April 12, 2017.",
"source_name": "HT Fake News App"
},
{
"source_name": "Anywhere Computing kill 2FA",
"description": "Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. (2016). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved April 12, 2017."
"description": "Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. (2016). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved April 12, 2017.",
"source_name": "Anywhere Computing kill 2FA"
},
{
"source_name": "Android Security Review 2015",
"description": "Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017."
"description": "Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017.",
"source_name": "Android Security Review 2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android."
"x_mitre_difficulty_for_adversary_explanation": "Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4ba50d50-22b5-4db4-ae5c-b6ca47efca09",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4adcba82-09df-43c6-8a04-63721a54a0e8",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Buy domain name",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1105",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1105"
},
{
"source_name": "PWCSofacy2014",
"description": "Tom Lancaster and Michael Yip. (2014, December 05). APT28: Sofacy? So-funny.. Retrieved March 6, 2017."
"description": "Tom Lancaster and Michael Yip. (2014, December 05). APT28: Sofacy? So-funny.. Retrieved March 6, 2017.",
"source_name": "PWCSofacy2014"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs)."
"x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--13332695-fb18-4ab9-b51e-c9d29df5365b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--625a77a7-907d-4ac9-8fb4-ffe1e024ecc6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--46017368-6e09-412b-a29c-385be201cc03",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain domain/IP registration information",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Open access to DNS registration/routing information is inherent in Internet architecture.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS information makes registration information functionally freely available.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1028",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1028"
},
{
"source_name": "Google Domains WHOIS",
"description": "Google Domains. (n.d.). About WHOIS. Retrieved April 2, 2017."
"description": "Google Domains. (n.d.). About WHOIS. Retrieved April 2, 2017.",
"source_name": "Google Domains WHOIS"
},
{
"source_name": "FunAndSun2012",
"description": "Jeff Bardin. (2012, October 10). OSINT and Cyber Intelligence - Fun and Sun in Miami. Retrieved March 1, 2017."
"description": "Jeff Bardin. (2012, October 10). OSINT and Cyber Intelligence - Fun and Sun in Miami. Retrieved March 1, 2017.",
"source_name": "FunAndSun2012"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--46017368-6e09-412b-a29c-385be201cc03",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Open access to DNS registration/routing information is inherent in Internet architecture.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS information makes registration information functionally freely available."
"x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS information makes registration information functionally freely available.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--a34caa7a-da56-4c6a-a563-2746d0956a8f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--46d7d399-356b-414e-8ffd-a43dab97ab60",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Build or acquire exploits",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1126",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1126"
},
{
"source_name": "NYTStuxnet",
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017."
"description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
"source_name": "NYTStuxnet"
},
{
"source_name": "NationsBuying",
"description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017."
"description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.",
"source_name": "NationsBuying"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring."
"x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--941fc6dc-9a5b-4b3e-b3c5-ab7bb58d3723",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--de61595e-9f5c-4e8e-a1ea-e199239382c8",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire and/or use 3rd party software services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1107"
},
{
"source_name": "LOWBALL2015",
"description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved March 1, 2017."
"description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved March 1, 2017.",
"source_name": "LOWBALL2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available."
"x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--cee4494d-7f6a-49c0-a131-e441156caeca",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--2495b692-cfe2-49aa-95bd-dbe87d320d63",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Spear phishing messages with malicious links",
"description": "Emails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1146",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1146"
},
{
"source_name": "GoogleDrive Phishing",
"description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017."
"description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017.",
"source_name": "GoogleDrive Phishing"
},
{
"source_name": "RSASEThreat",
"description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017."
"description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.",
"source_name": "RSASEThreat"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site."
"x_mitre_difficulty_for_adversary_explanation": "Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5699ae11-92cd-4ac3-8029-18dd8947c449",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--ada73735-1f6d-48e7-b024-f3f44b00aad7",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Compromise 3rd party infrastructure to support delivery",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1089"
},
{
"source_name": "WateringHole2014",
"description": "Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017."
"description": "Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017.",
"source_name": "WateringHole2014"
},
{
"source_name": "FireEye Operation SnowMan",
"description": "Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017."
"description": "Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017.",
"source_name": "FireEye Operation SnowMan"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities)."
"x_mitre_difficulty_for_adversary_explanation": "Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--336ad2d0-f88e-470a-a054-91d2884f8ef2",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--5449f9e8-a562-421e-9cf3-1c18fae5e515",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Compromise of externally facing system",
"description": "Externally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1165",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1165"
},
{
"source_name": "CylanceOpCleaver",
"description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017."
"description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017.",
"source_name": "CylanceOpCleaver"
},
{
"source_name": "DailyTechAntiSec",
"description": "Jason Mick. (2011, July 12). AntiSec Exposes U.S. Soldiers' S/Ns, Passwords, Vows Attack on Monsanto. Retrieved March 9, 2017."
"description": "Jason Mick. (2011, July 12). AntiSec Exposes U.S. Soldiers' S/Ns, Passwords, Vows Attack on Monsanto. Retrieved March 9, 2017.",
"source_name": "DailyTechAntiSec"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary."
"x_mitre_difficulty_for_adversary_explanation": "DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e23d06fb-358b-4838-a58d-341f19e59442",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--c776244d-c53f-4c85-9c19-4f3d40118d26",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Authentication attempt",
"description": "Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1158",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1158"
},
{
"source_name": "Remote Access Healthcare",
"description": "Gary Glover. (2015, June 25). Remote access threats are imminent. Retrieved March 31, 2017."
"description": "Gary Glover. (2015, June 25). Remote access threats are imminent. Retrieved March 31, 2017.",
"source_name": "Remote Access Healthcare"
},
{
"source_name": "RDP Point of Sale",
"description": "Brian Prince. (2014, July 31). Hackers Turn Remote Desktop Tools Into Gateways for Point-of-Sale Malware Attacks. Retrieved March 31, 2017."
"description": "Brian Prince. (2014, July 31). Hackers Turn Remote Desktop Tools Into Gateways for Point-of-Sale Malware Attacks. Retrieved March 31, 2017.",
"source_name": "RDP Point of Sale"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed."
"x_mitre_difficulty_for_adversary_explanation": "Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--00b66c2e-7660-46a3-9461-ea9b69062227",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--73e4482e-d8ef-4619-9009-aaec29d9fa81",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Assign KITs, KIQs, and/or intelligence requirements",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1015",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1015"
},
{
"source_name": "AnalystsAndPolicymaking",
"description": "Jack Davis. (2002, September). Improving CIA Analytic Performance: Analysts and the Policymaking Process. Retrieved March 5, 2017."
"description": "Jack Davis. (2002, September). Improving CIA Analytic Performance: Analysts and the Policymaking Process. Retrieved March 5, 2017.",
"source_name": "AnalystsAndPolicymaking"
},
{
"source_name": "JP2-01",
"description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017."
"description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017.",
"source_name": "JP2-01"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries."
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4c6067ef-0230-431d-8846-466c9b6f08f0",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json
+18 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--dca4370d-85e0-412c-b127-97d761512d5c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Conduct cost/benefit analysis",
"description": "Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDifficulty for the Adversary: Yes",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,24 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1003",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1003"
},
{
"source_name": "LowenthalCh4",
"description": "[ Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017."
"description": "[ Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.",
"source_name": "LowenthalCh4"
},
{
"source_name": "KIT-Herring",
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017."
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017.",
"source_name": "KIT-Herring"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_difficulty_for_adversary": "Yes"
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ee957c12-73c5-4cdf-aa95-c00336e1f10f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--8aea3110-46ef-4756-9d89-76c76d056e1b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "OS-vendor provided communication channels",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1167",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1167"
},
{
"source_name": "Securelist Mobile Malware 2013",
"description": "Roman Unuchek, Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved April 12, 2017."
"description": "Roman Unuchek, Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved April 12, 2017.",
"source_name": "Securelist Mobile Malware 2013"
},
{
"source_name": "DroydSeuss",
"description": "Alberto Coletta, Victor van der Veen, and Federico Maggi. (2016). DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Retrieved April 12, 2017."
"description": "Alberto Coletta, Victor van der Veen, and Federico Maggi. (2016). DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Retrieved April 12, 2017.",
"source_name": "DroydSeuss"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "These are free services provided by Google and Apple to app developers, and information on how to use them is readily available."
"x_mitre_difficulty_for_adversary_explanation": "These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7af52ff2-d8ee-41e3-93d3-c082e3235b19",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--15ec3212-4792-4c87-a398-5d4d9ddfde31",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "SSL certificate acquisition for trust breaking",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotar (Citation: DigiNotar2016) and [https://www.verisign.com Verisign].\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: One example of it occurring in the real world is the DigiNotar (Citation: DigiNotar2016) case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1115",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1115"
},
{
"source_name": "SubvertSSL",
"description": "Ryan Singel. (2010, March 24). Law Enforcement Appliance Subverts SSL. Retrieved March 2, 2017."
"description": "Ryan Singel. (2010, March 24). Law Enforcement Appliance Subverts SSL. Retrieved March 2, 2017.",
"source_name": "SubvertSSL"
},
{
"source_name": "DigiNotar2016",
"description": "Wikipedia. (n.d.). DigiNotar. Retrieved July 21, 2016."
"description": "Wikipedia. (n.d.). DigiNotar. Retrieved July 21, 2016.",
"source_name": "DigiNotar2016"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotarDigiNotar2016 and [https://www.verisign.com Verisign].",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "One example of it occurring in the real world is the DigiNotarDigiNotar2016 case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens."
"x_mitre_difficulty_for_adversary_explanation": "One example of it occurring in the real world is the DigiNotarDigiNotar2016 case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--673064ed-1a63-44dd-84be-8d1d7be55882",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--b6ca4194-b84a-419d-8e6d-893dec9c1e3c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Dynamic DNS",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1110"
},
{
"source_name": "FireEyeSupplyChain",
"description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017."
"description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017.",
"source_name": "FireEyeSupplyChain"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider."
"x_mitre_difficulty_for_adversary_explanation": "It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b9b6ee79-eb3b-42c9-b0af-2167102649cc",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--677bb58f-8b0b-419a-b4b4-d5c71bca875b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Test signature detection",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to automate upload/email of a wide range of data packages.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1069",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1069"
},
{
"source_name": "WiredVirusTotal",
"description": "Kim Zetter. (14, September 2). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved March 9, 2017."
"description": "Kim Zetter. (14, September 2). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved March 9, 2017.",
"source_name": "WiredVirusTotal"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Easy to automate upload/email of a wide range of data packages."
"x_mitre_difficulty_for_adversary_explanation": "Easy to automate upload/email of a wide range of data packages.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--78ac6d81-b5f0-4395-8420-bf6207babb87",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--32822bf5-704f-4ec6-87b9-0185aa0b2c72",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze business processes",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1078",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1078"
},
{
"source_name": "Warwick2015",
"description": "Warwick Ashford. (2015, March). Cyber crime: What every business needs to know. Retrieved March 6, 2017."
"description": "Warwick Ashford. (2015, March). Cyber crime: What every business needs to know. Retrieved March 6, 2017.",
"source_name": "Warwick2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult."
"x_mitre_difficulty_for_adversary_explanation": "To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c70ef212-b6cf-41ef-9a70-6dfdbd66a3e2",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--77ba0b65-2fe5-4b95-84bb-4f5b285403ce",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Unconditional client-side exploitation/Injected Website/Driveby",
"description": "A technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1149",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1149"
},
{
"source_name": "GeorgeDriveBy",
"description": "Torsten George. (2014, October 15). The Internet's Big Threat: Drive-by Attacks. Retrieved March 7, 2017."
"description": "Torsten George. (2014, October 15). The Internet's Big Threat: Drive-by Attacks. Retrieved March 7, 2017.",
"source_name": "GeorgeDriveBy"
},
{
"source_name": "BellDriveBy",
"description": "Lee Bell. (2013, January 8). Drive-by exploits are the top web security threat, says ENISA. Retrieved March 7, 2017."
"description": "Lee Bell. (2013, January 8). Drive-by exploits are the top web security threat, says ENISA. Retrieved March 7, 2017.",
"source_name": "BellDriveBy"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge."
"x_mitre_difficulty_for_adversary_explanation": "Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--af3ad893-2910-4f78-94f6-bf0570b6487b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--91ff0467-96c9-4c37-b362-48b216930eea",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify supply chains",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1042"
},
{
"source_name": "SmithSupplyChain",
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017."
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017.",
"source_name": "SmithSupplyChain"
},
{
"source_name": "CERT-UKSupplyChain",
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017."
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017.",
"source_name": "CERT-UKSupplyChain"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA)."
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b2ebb321-9600-4971-9a15-075dfd30fd3b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--d29da4a4-a4aa-44d1-a0c7-e507171d3c44",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Compromise 3rd party or closed-source vulnerability/exploit information",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1131",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1131"
},
{
"source_name": "TempertonDarkHotel",
"description": "JAMES TEMPERTON. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017."
"description": "JAMES TEMPERTON. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.",
"source_name": "TempertonDarkHotel"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness."
"x_mitre_difficulty_for_adversary_explanation": "Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--4076e227-f52e-4083-94bd-b1dc3ea00ed8",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--8524cf4d-bcff-413f-be49-78e91cc942d0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify business relationships",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Business relationship information includes the associates of a target and may be discovered via social media sites such as [https://www.linkedin.com LinkedIn] or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Made easier by today's current social media.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1049"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Made easier by today's current social media."
"x_mitre_difficulty_for_adversary_explanation": "Made easier by today's current social media.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--da6135e7-92c8-4dd9-a880-880a14be80ae",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json
+16 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--62b6a044-a2e3-4a70-a004-57a50f274348",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Develop KITs/KIQs",
"description": "Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDifficulty for the Adversary: Yes",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,20 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1004",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1004"
},
{
"source_name": "Herring1999",
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017."
"description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017.",
"source_name": "Herring1999"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_difficulty_for_adversary": "Yes"
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--a0de87af-8950-4f8d-a2cc-8a1b644384ba",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--b71697eb-2640-4b2d-8560-221c8953f048",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Use multiple DNS infrastructures",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires more planning, but feasible.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1104",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1104"
},
{
"source_name": "KrebsStLouisFed",
"description": "Brian Krebs. (2015, May 18). St. Louis Federal Reserve Suffers DNS Breach. Retrieved March 6, 2017."
"description": "Brian Krebs. (2015, May 18). St. Louis Federal Reserve Suffers DNS Breach. Retrieved March 6, 2017.",
"source_name": "KrebsStLouisFed"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Requires more planning, but feasible."
"x_mitre_difficulty_for_adversary_explanation": "Requires more planning, but feasible.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ea09195c-1c51-4411-9059-43a16d618edd",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--c1465a7c-a6c3-4dda-9d5d-513d75ffbabb",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain templates/branding materials",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Templates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary may download templates or branding from publicly available presentations that the defender can't monitor.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1058",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1058"
},
{
"source_name": "Scasny2015",
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017."
"description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.",
"source_name": "Scasny2015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Adversary may download templates or branding from publicly available presentations that the defender can't monitor.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet."
"x_mitre_difficulty_for_adversary_explanation": "Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--97694c98-1748-44ce-8177-9ef0a31fc7b5",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4d2e7048-6870-46b1-95a3-19c7d2c51d9d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Mine social media",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary may research available open source information about a target commonly found on social media sites such as [https://www.facebook.com Facebook], [https://www.instagram.com Instagram], or [https://www.pinterest.com Pinterest]. Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design. Application of privacy settings is not a panacea.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1050",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1050"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Very public by design. Application of privacy settings is not a panacea."
"x_mitre_difficulty_for_adversary_explanation": "Very public by design. Application of privacy settings is not a panacea.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7a70072d-7efa-423f-a25b-e1a1bf59f01e",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--5d2cd745-622d-42a3-a135-c8d9be67831d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Determine firmware version",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No easy way for defenders to detect when an adversary collects this information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1035",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1035"
},
{
"source_name": "Abdelnur Advanced Fingerprinting",
"description": "Humberto J. Abdelnur, Radu State, Olivier Festor. (2008). Advanced Network Fingerprinting. Retrieved April 2, 2017."
"description": "Humberto J. Abdelnur, Radu State, Olivier Festor. (2008). Advanced Network Fingerprinting. Retrieved April 2, 2017.",
"source_name": "Abdelnur Advanced Fingerprinting"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "No easy way for defenders to detect when an adversary collects this information.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes."
"x_mitre_difficulty_for_adversary_explanation": "Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--96b7a5de-282e-45a2-a101-3498c375329f",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--25d019fc-aaa2-460a-9508-712b6a835381",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Dumpster dive",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Strong physical security and monitoring will detect this behavior if performed on premises.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Not difficult if waste is placed in an unsecured or minimally secured area before collection.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1063",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1063"
},
{
"source_name": "FriedDumpsters",
"description": "Robert B. Fried. (n.d.). Dumpsters: Beware of Treasures. Retrieved March 5, 2017."
"description": "Robert B. Fried. (n.d.). Dumpsters: Beware of Treasures. Retrieved March 5, 2017.",
"source_name": "FriedDumpsters"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Strong physical security and monitoring will detect this behavior if performed on premises.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Not difficult if waste is placed in an unsecured or minimally secured area before collection."
"x_mitre_difficulty_for_adversary_explanation": "Not difficult if waste is placed in an unsecured or minimally secured area before collection.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--96540850-e57e-4a4c-9676-1ce7aa1e738b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--67994c5e-de92-4e25-a2a8-377c770046f9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Host-based hiding techniques",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1091",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1091"
},
{
"source_name": "VirutAP",
"description": "Microsoft Malware Protection Center. (2008, July 30). Virus: Win32/Virut.AP. Retrieved March 6, 2017."
"description": "Microsoft Malware Protection Center. (2008, July 30). Virus: Win32/Virut.AP. Retrieved March 6, 2017.",
"source_name": "VirutAP"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities)."
"x_mitre_difficulty_for_adversary_explanation": "Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--161d74a6-d7d6-46a6-b4c1-66dcf1e08ba3",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148.json
+17 -16
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--0e8d1e68-c1aa-4f1a-b890-31c4020d6777",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Push-notification client-side exploit",
"description": "A technique to push an [https://www.apple.com/ios iOS] or [https://www.android.com Android] MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [https://www.apple.com/ios iOS] or [https://www.android.com Android] MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,26 +13,33 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1150",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1150"
},
{
"source_name": "BlackHat Stagefright",
"description": "Joshua Drake. (2015, August 5). Stagefright: Scary Code in the Heart of Android. Retrieved March 29, 2017."
"description": "Joshua Drake. (2015, August 5). Stagefright: Scary Code in the Heart of Android. Retrieved March 29, 2017.",
"source_name": "BlackHat Stagefright"
},
{
"source_name": "WikiStagefright",
"description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017."
"description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017.",
"source_name": "WikiStagefright"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful."
"x_mitre_difficulty_for_adversary_explanation": "Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--edcc82ab-b485-47cc-856c-bc6c86a4d617",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25.json
+21 -20
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--f2934f2b-3c4e-45be-ba68-c8d1b16a3cca",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Targeted client-side exploitation",
"description": "A technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,34 +13,41 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1148",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1148"
},
{
"source_name": "RSASEThreat",
"description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017."
"description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.",
"source_name": "RSASEThreat"
},
{
"source_name": "WikiStagefright",
"description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017."
"description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017.",
"source_name": "WikiStagefright"
},
{
"source_name": "ForbesSecurityWeek",
"description": "Fahmida Y. Rashid. (2015, February 11). Chinese Attackers Hacked Forbes Website in Watering Hole Attack: Security Firms. Retrieved March 7, 2017."
"description": "Fahmida Y. Rashid. (2015, February 11). Chinese Attackers Hacked Forbes Website in Watering Hole Attack: Security Firms. Retrieved March 7, 2017.",
"source_name": "ForbesSecurityWeek"
},
{
"source_name": "StrongPity-waterhole",
"description": "Kurt Baumgartner. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved May 9, 2017."
"description": "Kurt Baumgartner. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved May 9, 2017.",
"source_name": "StrongPity-waterhole"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest."
"x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6461eafc-d5b7-4286-9ed5-a8d59b03d1c5",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--7c963185-ae44-4961-84c4-4905a51d4ca3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obfuscate infrastructure",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will generally not have visibility into their infrastructure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1108"
},
{
"source_name": "FireEyeAPT17",
"description": "FireEye. (2015, May). APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. Retrieved March 6, 2017."
"description": "FireEye. (2015, May). APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. Retrieved March 6, 2017.",
"source_name": "FireEyeAPT17"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will generally not have visibility into their infrastructure.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target."
"x_mitre_difficulty_for_adversary_explanation": "Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b2de6e57-f107-486f-acc5-7478fe991e26",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--4dcd878d-c231-462c-80fd-901483f36554",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Install and configure hardware, network, and systems",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1113",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1113"
},
{
"source_name": "KasperskyRedOctober",
"description": "Kaspersky Labs. (2013, January 14). Kaspersky Lab Identifies Operation \u201cRed October,\u201d an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. Retrieved March 6, 2017."
"description": "Kaspersky Labs. (2013, January 14). Kaspersky Lab Identifies Operation \u201cRed October,\u201d an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. Retrieved March 6, 2017.",
"source_name": "KasperskyRedOctober"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization."
"x_mitre_difficulty_for_adversary_explanation": "Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b21f6384-97c4-4046-a76e-6a3c5672bc43",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--998199b0-deba-4005-be34-ff5dcfdf4f84",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify business relationships",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an intensive process. In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1060"
},
{
"source_name": "11StepsAttackers",
"description": "Thor Olavsrud. (2014, September 2). 11 Steps Attackers Took to Crack Target. Retrieved March 5, 2017."
"description": "Thor Olavsrud. (2014, September 2). 11 Steps Attackers Took to Crack Target. Retrieved March 5, 2017.",
"source_name": "11StepsAttackers"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships."
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--f6d36707-88f0-4b4d-9146-a8bbfd9c1854",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--b1162775-6d2d-48f2-a868-ed7e0d1829b2",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Conduct social engineering",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting technical information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1026"
},
{
"source_name": "SEAttackVectors",
"description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017."
"description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017.",
"source_name": "SEAttackVectors"
},
{
"source_name": "BeachSE2003",
"description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017."
"description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017.",
"source_name": "BeachSE2003"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting technical information about a target. Any detection would be based upon strong OPSEC policy implementation.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement."
"x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--6611ab3c-147b-4031-b46b-45f4d6938832",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--762771c2-3675-4535-88e9-b1f891758974.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--2038c1f5-9b28-4816-8679-7392b6851e54",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--762771c2-3675-4535-88e9-b1f891758974",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify personnel with an authority/privilege",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The layers of data required and potential gaps of information to map a specific person to an authority or privilege on a network requires access to resources that may not tip off a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1048",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1048"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--762771c2-3675-4535-88e9-b1f891758974",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "The layers of data required and potential gaps of information to map a specific person to an authority or privilege on a network requires access to resources that may not tip off a defender.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases."
"x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--3821c3b8-d591-4204-b8aa-6d9c3bfa4037",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--76c9e8cb-52e1-4ddc-80d4-5f7231842e06.json
+19 -18
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--d70cd517-1a84-47a5-b3a0-cda4416b0c99",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--76c9e8cb-52e1-4ddc-80d4-5f7231842e06",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "DNS poisoning",
"description": "DNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nDNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,30 +13,37 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1159",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1159"
},
{
"source_name": "Google DNS Poisoning",
"description": "Cindy Liu. (2016, March 30). Google DNS Poisoning Follows Brief Unblocking. Retrieved March 31, 2017."
"description": "Cindy Liu. (2016, March 30). Google DNS Poisoning Follows Brief Unblocking. Retrieved March 31, 2017.",
"source_name": "Google DNS Poisoning"
},
{
"source_name": "DNS Poisoning China",
"description": "John Leyden. (2014, January 21). DNS poisoning slams web traffic from millions in China into the wrong hole. Retrieved March 31, 2017."
"description": "John Leyden. (2014, January 21). DNS poisoning slams web traffic from millions in China into the wrong hole. Retrieved March 31, 2017.",
"source_name": "DNS Poisoning China"
},
{
"source_name": "Mexico Modem DNS Poison",
"description": "Paul Oliveria. (2008, January 11). Targeted Attack in Mexico: DNS Poisoning via Modems. Retrieved April 1, 2017."
"description": "Paul Oliveria. (2008, January 11). Targeted Attack in Mexico: DNS Poisoning via Modems. Retrieved April 1, 2017.",
"source_name": "Mexico Modem DNS Poison"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--76c9e8cb-52e1-4ddc-80d4-5f7231842e06",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Partial",
"x_mitre_detectable_by_common_defenses_explanation": "Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource."
"x_mitre_difficulty_for_adversary_explanation": "Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--dc658528-2a33-482b-af50-da4e69c25dd8",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--0fd3c2e3-592e-4d1e-9b3f-b9e956c77d41",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify job postings and needs/gaps",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1055"
},
{
"source_name": "JobPostingThreat",
"description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017."
"description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017.",
"source_name": "JobPostingThreat"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Very public by design."
"x_mitre_difficulty_for_adversary_explanation": "Very public by design.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c45b96f3-5909-4fde-8025-23e6cb21b487",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--773950e1-090c-488b-a480-9ff236312e31.json
+19 -19
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--cea23d4c-e63d-4de0-9239-c0698dad18dd",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--773950e1-090c-488b-a480-9ff236312e31",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze data collected",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weaknesses automatically. Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.",
"kill_chain_phases": [
{
@@ -19,34 +13,40 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1064",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1064"
},
{
"source_name": "SurveyDetectionStrategies",
"description": "Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017."
"description": "Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017.",
"source_name": "SurveyDetectionStrategies"
},
{
"source_name": "CyberReconPaper",
"description": "H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017."
"description": "H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017.",
"source_name": "CyberReconPaper"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
},
{
"source_name": "FireEyeAPT28",
"description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017."
"description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017.",
"source_name": "FireEyeAPT28"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--773950e1-090c-488b-a480-9ff236312e31",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weaknesses automatically. Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services."
"x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weaknesses automatically. Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--bb107bbc-6b1b-4160-b0f6-8f8e0060bca8",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7823039f-e2d5-4997-853c-ec983631206b.json
+17 -17
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--6d280327-91c7-4ed2-bde2-a385e21d6130",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7823039f-e2d5-4997-853c-ec983631206b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "DNSCalc",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: There are not currently available tools that provide the ability to conduct this calculation to detect this type of activity.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique.",
"kill_chain_phases": [
{
@@ -19,30 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1101",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1101"
},
{
"source_name": "CrowdstrikeNumberedPanda",
"description": "Adam Meyers. (2013, March 29). Whois Numbered Panda. Retrieved March 6, 2017."
"description": "Adam Meyers. (2013, March 29). Whois Numbered Panda. Retrieved March 6, 2017.",
"source_name": "CrowdstrikeNumberedPanda"
},
{
"source_name": "FireEyeDarwinsAPTGroup",
"description": "Ned Moran, Mike Oppenheim. (2014, September 3). Darwin\u2019s Favorite APT Group. Retrieved March 6, 2017."
"description": "Ned Moran, Mike Oppenheim. (2014, September 3). Darwin\u2019s Favorite APT Group. Retrieved March 6, 2017.",
"source_name": "FireEyeDarwinsAPTGroup"
},
{
"source_name": "Rapid7G20Espionage",
"description": "nex. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017."
"description": "nex. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.",
"source_name": "Rapid7G20Espionage"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7823039f-e2d5-4997-853c-ec983631206b",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "There are not currently available tools that provide the ability to conduct this calculation to detect this type of activity.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique."
"x_mitre_difficulty_for_adversary_explanation": "This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5106be36-f7dc-4b92-971e-9eb69af63ab2",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b.json
+16 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--7d5d1ead-a11c-4af4-af12-aaec6282ca66",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire OSINT data sets and information",
"description": "Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDifficulty for the Adversary: Yes",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain. Direct access to the selected target is not required for the adversary to conduct this technique. There is a limited ability to detect this by looking at referrer fields on local web site accesses (e.g., a person who has accessed your web servers from [https://www.shodan.io Shodan]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather technical intelligence about Internet accessible systems/devices by obtaining various commercial data sets and supporting business intelligence tools for ease of analysis. Commercial data set examples include advertising content delivery networks, Internet mapping/traffic collections, system fingerprinting data sets, device fingerprinting data sets, etc.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,20 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1024"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_difficulty_for_adversary": "Yes"
"x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain. Direct access to the selected target is not required for the adversary to conduct this technique. There is a limited ability to detect this by looking at referrer fields on local web site accesses (e.g., a person who has accessed your web servers from [https://www.shodan.io Shodan]).",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Possible to gather technical intelligence about Internet accessible systems/devices by obtaining various commercial data sets and supporting business intelligence tools for ease of analysis. Commercial data set examples include advertising content delivery networks, Internet mapping/traffic collections, system fingerprinting data sets, device fingerprinting data sets, etc.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--f182e4b5-ac7f-4b2b-b2ba-52123396883c",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--5b019ac9-ec52-46d7-969f-4d1f42b8d214",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify supply chains",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1053"
},
{
"source_name": "SmithSupplyChain",
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017."
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017.",
"source_name": "SmithSupplyChain"
},
{
"source_name": "CERT-UKSupplyChain",
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017."
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017.",
"source_name": "CERT-UKSupplyChain"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA)."
"x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--e1f092e7-e371-4f58-a449-0299b4435a8b",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--44300ee5-3ac0-41ff-828f-04db7a360f92",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Receive operator KITs/KIQs tasking",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1012",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1012"
},
{
"source_name": "FBIIntelligencePrimer",
"description": "FBI. (n.d.). Intelligence Branch: Intelligence Primer. Retrieved March 2, 2017."
"description": "FBI. (n.d.). Intelligence Branch: Intelligence Primer. Retrieved March 2, 2017.",
"source_name": "FBIIntelligencePrimer"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries."
"x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--c3e9b33f-fbe8-4171-9fee-3e97aa0db59c",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--9a7d1131-2bc2-4df3-b67a-f5ee107575e5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Enumerate client configurations",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Typical information collected as part of accessing web sites (e.g., operating system, browser version, basic configurations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Basic web scripting capability to collect information of interest on users of interest. Requires a compromised web site and the users of interest to navigate there.",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1039",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1039"
},
{
"source_name": "UnseenWorldOfCookies",
"description": "Joanna Geary, Chris Cross. (2012, April 13). Tracking the trackers: help us reveal the unseen world of cookies. Retrieved March 5, 2017."
"description": "Joanna Geary, Chris Cross. (2012, April 13). Tracking the trackers: help us reveal the unseen world of cookies. Retrieved March 5, 2017.",
"source_name": "UnseenWorldOfCookies"
},
{
"source_name": "Panopticlick",
"description": "Electronic Frontier Foundation. (n.d.). Panopticlick: Is your browser safe against tracking?. Retrieved March 5, 2017."
"description": "Electronic Frontier Foundation. (n.d.). Panopticlick: Is your browser safe against tracking?. Retrieved March 5, 2017.",
"source_name": "Panopticlick"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Typical information collected as part of accessing web sites (e.g., operating system, browser version, basic configurations).",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Basic web scripting capability to collect information of interest on users of interest. Requires a compromised web site and the users of interest to navigate there."
"x_mitre_difficulty_for_adversary_explanation": "Basic web scripting capability to collect information of interest on users of interest. Requires a compromised web site and the users of interest to navigate there.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--468305b7-9435-46af-927a-2426cf7c971d",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json
+20 -18
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--0d8b9a37-389b-46ab-9c6d-2cdde2c0533b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify supply chains",
"description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)\n\nDetectable by Common Defenses: No\n\nDifficulty for the Adversary: No",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,28 +13,36 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1023"
},
{
"source_name": "SmithSupplyChain",
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017."
"description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017.",
"source_name": "SmithSupplyChain"
},
{
"source_name": "CERT-UKSupplyChain",
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017."
"description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017.",
"source_name": "CERT-UKSupplyChain"
},
{
"source_name": "RSA-supply-chain",
"description": "RSA Research. (2017, February). KINGSLAYER \u2013 A SUPPLY CHAIN ATTACK. Retrieved May 9, 2017."
"description": "RSA Research. (2017, February). KINGSLAYER \u2013 A SUPPLY CHAIN ATTACK. Retrieved May 9, 2017.",
"source_name": "RSA-supply-chain"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_difficulty_for_adversary": "No"
"x_mitre_detectable_by_common_defenses_explanation": "Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--828024bb-9d41-4d17-8b54-430793c8bb90",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--66514ad4-3413-407c-a532-bdffa4d395b6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Acquire and/or use 3rd party infrastructure services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Hard to differentiate from standard business operations.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1106"
},
{
"source_name": "TrendmicroHideoutsLease",
"description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017."
"description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
"source_name": "TrendmicroHideoutsLease"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Hard to differentiate from standard business operations.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost."
"x_mitre_difficulty_for_adversary_explanation": "Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--7b3b8016-5cd0-48ac-ba17-56410a5a4e59",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--f76a6cee-ab90-4e30-bea5-db2e937280cc",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Choose pre-compromised mobile app developer account credentials or signing keys",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1168",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1168"
},
{
"source_name": "Fraudenlent Apps Stolen Dev Credentials",
"description": "Galen Gruman. (2014, December 5). Keep out hijackers: Secure your app store dev account. Retrieved April 12, 2017."
"description": "Galen Gruman. (2014, December 5). Keep out hijackers: Secure your app store dev account. Retrieved April 12, 2017.",
"source_name": "Fraudenlent Apps Stolen Dev Credentials"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations."
"x_mitre_difficulty_for_adversary_explanation": "The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--8ae64d96-dab5-4fc8-a4aa-a16597abbb59",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--8fc68385-dff9-49c1-88a0-c694486e9488",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze organizational skillsets and deficiencies",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1077"
},
{
"source_name": "FakeLinkedIn",
"description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017."
"description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017.",
"source_name": "FakeLinkedIn"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts."
"x_mitre_difficulty_for_adversary_explanation": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--9d28583a-7d7d-4fb3-9585-824742a0572c",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--36ecb0c3-a7c2-4472-99d3-e32ca5c49184",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify sensitive personnel information",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1051",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1051"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it."
"x_mitre_difficulty_for_adversary_explanation": "This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--b9135e32-a5d5-4367-bf54-66377b3d0149",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--458529cb-0678-4671-8d57-951429b4fc73",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Conduct active scanning",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1031",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1031"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc."
"x_mitre_difficulty_for_adversary_explanation": "Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--05ed2032-70fa-4eb9-87fd-00af0d7483cd",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--61d209e1-7c69-435c-94fb-892fe0497751",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Discover new exploits and monitor exploit-provider forums",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many public sources exist for this information.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1127",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1127"
},
{
"source_name": "EquationQA",
"description": "Kaspersky Lab. (2015, February). EQUATION GROUP: QUESTIONS AND ANSWERS. Retrieved March 9, 2017."
"description": "Kaspersky Lab. (2015, February). EQUATION GROUP: QUESTIONS AND ANSWERS. Retrieved March 9, 2017.",
"source_name": "EquationQA"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Many public sources exist for this information."
"x_mitre_difficulty_for_adversary_explanation": "Many public sources exist for this information.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--bea67076-57bb-4e3d-995e-4a8d50c24293",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f.json
+15 -15
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--b8ff8a4d-51fe-4061-a480-a7f7ae42f10e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Determine 3rd party infrastructure services",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The data is passive in nature or not controlled by the defender, so it is hard to identify when an adversary is getting or analyzing the data.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses",
"kill_chain_phases": [
{
@@ -19,26 +13,32 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1037"
},
{
"source_name": "FFIECAwareness",
"description": "Federal Financial Institutions Examination Council. (2016, October 17). Cybersecurity Awareness. Retrieved March 5, 2017."
"description": "Federal Financial Institutions Examination Council. (2016, October 17). Cybersecurity Awareness. Retrieved March 5, 2017.",
"source_name": "FFIECAwareness"
},
{
"source_name": "Zetter2015Threats",
"description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017."
"description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017.",
"source_name": "Zetter2015Threats"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "The data is passive in nature or not controlled by the defender, so it is hard to identify when an adversary is getting or analyzing the data.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses"
"x_mitre_difficulty_for_adversary_explanation": "Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--5cb3300b-a517-4ceb-b092-1b512787d723",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--a7300f5a-57aa-453a-b881-d06ac5cf287b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Analyze architecture and configuration posture",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weakness automatically.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1065",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1065"
},
{
"source_name": "FireEyeAPT28",
"description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017."
"description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017.",
"source_name": "FireEyeAPT28"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weakness automatically."
"x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weakness automatically.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--ac1ab1e1-31b8-4756-8b04-283140669705",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76.json
+13 -13
View File
@@ -1,15 +1,9 @@
{
"type": "bundle",
"id": "bundle--d844a4a8-98d5-40e6-bacf-68cda2dfccaf",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Identify groups/roles",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.",
"kill_chain_phases": [
{
@@ -19,22 +13,28 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1047",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1047"
},
{
"source_name": "RSA-APTRecon",
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017."
"description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017.",
"source_name": "RSA-APTRecon"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "No",
"x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases."
"x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--135ea235-24e1-4898-a3de-9975c7847f07",
"spec_version": "2.0"
}
pre-attack/attack-pattern/attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f.json
+15 -14
View File
@@ -1,16 +1,10 @@
{
"type": "bundle",
"id": "bundle--1cf73dca-fe79-4c94-a2a9-4dbbf18e1c8a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit public-facing application",
"description": "The use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application.",
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
@@ -19,22 +13,29 @@
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1154",
"source_name": "mitre-pre-attack",
"external_id": "PRE-T1154"
},
{
"source_name": "GoogleCrawlerSQLInj",
"description": "PETER BRIGHT. (2013, November 6). Google crawler tricked into performing SQL injection attacks using decade-old technique. Retrieved March 9, 2017."
"description": "PETER BRIGHT. (2013, November 6). Google crawler tricked into performing SQL injection attacks using decade-old technique. Retrieved March 9, 2017.",
"source_name": "GoogleCrawlerSQLInj"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f",
"modified": "2018-04-18T17:59:24.739Z",
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.",
"x_mitre_difficulty_for_adversary": "Yes",
"x_mitre_difficulty_for_adversary_explanation": "Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application."
"x_mitre_difficulty_for_adversary_explanation": "Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application.",
"x_mitre_deprecated": "true",
"type": "attack-pattern"
}
]
],
"type": "bundle",
"id": "bundle--f78d94c5-8ec6-4303-9f5d-581b89a800a2",
"spec_version": "2.0"
}

Some files were not shown because too many files have changed in this diff Show More