John Wunder
42 lines
2.1 KiB
JSON
42 lines
2.1 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--469d2a2d-8817-4831-bcee-dcf55e7192c1",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"created": "2017-05-31T21:31:09.379Z",
|
|
"modified": "2018-01-17T12:56:55.080Z",
|
|
"name": "Communication Through Removable Media",
|
|
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.\n\nDetection: Monitor file access on removable media. Detect processes that execute when removable media is mounted.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Data loss prevention\n\nRequires Network: No",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "command-and-control"
|
|
}
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/wiki/Technique/T1092",
|
|
"external_id": "T1092"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"x_mitre_data_sources": [
|
|
"File monitoring",
|
|
"Data loss prevention"
|
|
],
|
|
"x_mitre_network_requirements": false,
|
|
"x_mitre_platforms": [
|
|
"Linux",
|
|
"macOS",
|
|
"Windows"
|
|
]
|
|
}
|
|
]
|
|
} |