cti/enterprise-attack/attack-pattern/attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf.json

{
    "type": "bundle",
    "id": "bundle--4bf3a99b-9745-42de-8e92-2262add999dc",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-12-14T16:46:06.044Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Hidden Window",
            "description": "The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window  (Citation: Antiquated Mac Malware).\n\nDetection: Plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the <code>apple.awt.UIElement</code> or any other suspicious plist tag in plist files and flag them.\n\nPlatforms: macOS\n\nData Sources: File monitoring\n\nPermissions Required: User",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1143",
                    "external_id": "T1143"
                },
                {
                    "source_name": "Antiquated Mac Malware",
                    "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
                    "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_data_sources": [
                "File monitoring"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_platforms": [
                "macOS"
            ]
        }
    ]
}