
{
"objects": [
{
"name": "Port Monitors",
"description": "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\\Windows\\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>. The Registry key contains entries for the following:\n*Local Port\n*Standard TCP/IP Port\n*USB Monitor\n*WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.\n\nDetection: * Monitor process API calls to (Citation: AddMonitor).\n* Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal.\n* New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.\n* Monitor Registry writes to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>.\n* Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)\n\nPlatforms: Windows\n\nData Sources: File monitoring, API monitoring, DLL monitoring, Windows Registry, Process monitoring\n\nEffective Permissions: SYSTEM\n\nPermissions Required: Administrator, SYSTEM\n\nContributors: Stefan Kanthak, Travis Smith, Tripwire",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"url": "https://attack.mitre.org/wiki/Technique/T1013",
"source_name": "mitre-attack",
"external_id": "T1013"
},
{
"description": "Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014.",
"source_name": "AddMonitor",
"url": "http://msdn.microsoft.com/en-us/library/dd183341"
},
{
"description": "Bloxham, B. (n.d.). Getting Windows to Play with Itself &#91;PowerPoint slides&#93;. Retrieved November 12, 2014.",
"source_name": "Bloxham",
"url": "https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf"
},
{
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
"source_name": "TechNet Autoruns",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-05-31T21:30:26.057Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_data_sources": [
"File monitoring",
"API monitoring",
"DLL monitoring",
"Windows Registry",
"Process monitoring"
],
"x_mitre_effective_permissions": [
"SYSTEM"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_contributors": [
"Stefan Kanthak",
"Travis Smith, Tripwire"
],
"id": "attack-pattern--1f47e2fd-fa77-4f2f-88ee-e85df308f125",
"modified": "2018-04-18T17:59:24.739Z",
"type": "attack-pattern"
}
],
"type": "bundle",
"id": "bundle--dcfe3171-fc9f-4779-8f95-96fb3e476990",
"spec_version": "2.0"
}